Hard-to-Detect 'Parasite' Targets Linux Operating Systems
Highly Evasive Symbiote Can Hide Itself and Other Malware Post-Infection
New malware called Symbiote is affecting Linux operating systems by infecting other running processes to inflict damage on machines, say Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team, who jointly conducted the research.
The highly evasive malware, which was detected targeting Latin American financial firms in November 2021, aims to capture credentials on victims' systems to provide threat actors with backdoor access into the infected machines, say the researchers at both BlackBerry and Intezer.
During their probe, the Intezer and BlackBerry researchers found domain names that were used to impersonate major Brazilian banks, implying that the banks or their customers were potential targets.
The malware is not a stand-alone executable file but a shared object library that is loaded into running processes to infect machines, the researchers say. Once it has infected a machine, Symbiote provides rootkit functionality, along with the ability to harvest credentials and provide remote access.
It also provides the threat actor a back door to "log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges," the researchers say.
Symbiote hides itself post-infection, along with other malware used by the threat actor, "making infections very hard to detect," they say, adding that the "fly under the radar" malware can also hide network activity on infected machines. The researchers at Intezer and BlackBerry say they could not find any evidence on infected machines, because the malware had hidden all the files, processes and network artifacts.
It also stores the harvested credentials locally and exfiltrates them via DNS address record requests to a domain controlled by the threat actor, they say.
Although not unique among Linux malware, Symbiote has Berkeley Packet Filter (BPF) hooking functionality; BPF is a kernel packet-filtering mechanism used by packet capture and intrusion detection tools. The researchers don't detail the general advantage of this functionality, but they explain how Symbiote uses it.
"An advanced backdoor attributed to the Equation Group has been using BPF for covert communication. However, Symbiote utilizes BPF to hide malicious network traffic on an infected machine," the researchers say. "When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured. In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see."
Although detection is tough, the researchers say companies can use network telemetry to "detect anomalous DNS requests." They add that security tools, including antivirus and endpoint detection and response solutions, must be "statically linked to ensure they are not infected by userland rootkits [used by Symbiote]."
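The researchers' two detection points above, credentials leaving the host through DNS requests and network telemetry as the place to catch them, can be turned into a simple log check. The following is an added example, not code from the Intezer or BlackBerry report: it scores resolver log lines for encoded-looking labels and for domains that attract many distinct query names. The log format, the thresholds and the exfil-placeholder.example domain are assumptions made for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log, one "client qname qtype" per line (not real telemetry).
# The exfil-placeholder.example queries carry hex-encoded labels, mimicking credentials
# tunnelled out through DNS; the other lines are ordinary lookups.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 cdn.static-assets.example A
10.0.0.5 7a6f653a5040737377307264.a1.exfil-placeholder.example A
10.0.0.5 726f6f743a68756e7465723231.a2.exfil-placeholder.example A
10.0.0.5 6f7261636c653a636861306e6745.a3.exfil-placeholder.example A
10.0.0.9 update.example.net A
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score high, words score low."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def suspicious_labels(qname, min_len=16, min_entropy=3.0):
    """Labels below the registered domain that look like an encoded payload: a long run
    of hex digits, or long and high-entropy. Thresholds are assumed tuning values."""
    hits = []
    for label in qname.rstrip(".").split(".")[:-2]:
        if len(label) >= min_len and (
            re.fullmatch(r"[0-9a-f]+", label) or shannon_entropy(label) >= min_entropy
        ):
            hits.append(label)
    return hits

def analyze(log_text, min_unique=3):
    """Group queries by registered domain (approximated as the last two labels) and keep
    domains showing encoded-looking labels or unusually many distinct query names."""
    stats = defaultdict(lambda: {"names": set(), "encoded_labels": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, qname, _qtype = m.groups()
        s = stats[".".join(qname.rstrip(".").split(".")[-2:])]
        s["names"].add(qname)
        s["encoded_labels"] += len(suspicious_labels(qname))
        s["clients"].add(client)
    return {d: {"unique_subdomains": len(s["names"]), "encoded_labels": s["encoded_labels"],
                "clients": sorted(s["clients"])}
            for d, s in stats.items() if s["encoded_labels"] or len(s["names"]) >= min_unique}
```

Run against the sample log, only exfil-placeholder.example is reported, with three encoded labels from one client; the ordinary lookups stay below both thresholds. Because Symbiote hides its own processes and files on the host, a check like this belongs on the resolver or a network sensor, not on the suspected machine.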