A new malware variant, dubbed Symbiote, has been discovered that provides any account with remote access. This is a mature backdoor for Linux systems that uses inventive detection evasion mechanisms to hide its presence on affected systems—possibly even evading forensic investigation.

Researchers from Intezer and The BlackBerry Threat Research & Intelligence Team stated in their findings that this backdoor, unfortunately, uses a combination of high-level access and an ability to erase signs of infection from network traffic, system-level processes, and files to provide attackers with a potent toolset for hiding their tracks. Symbiote users at present seem to be targeting financial institutions in Brazil; the malware variant was first detected in November 2021.

In the research brief, Intezer and BlackBerry described their findings in this way:

“What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.”

Using LD_PRELOAD, Symbiote loads before any shared objects in the system, thereby allowing the malware to alter other library files that have been loaded for an application’s use. The researchers provided the image below as a summary of the malware’s various evasion mechanisms.

Where the acronym BPF is seen in this image, it refers to the Berkeley Packet Filter; BPF enables attackers to hide nefarious network traffic for the infected machines. The researchers noted the following regarding BPF’s efficacy:

“When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured,” the researchers wrote. “In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see.”

“libc function hooking” is one of the many stealthy techniques used by Symbiote, which Symbiote uses for data theft. Per the research findings brief, “The credential harvesting is performed by hooking the libc read function….If an ssh or scp process is calling the function, it captures the credentials.”

Industry experts and security solutions have yet to note many instances of Symbiote being used in a widespread way so far, but such a stealthy tool would be difficult to detect even if it was in use. The recommended protections in this situation are for organizations to tightly control who is assigned any form of user account directly on Linux systems they operate, and to supplement detection and monitoring tools with kernel-level, behavior-focused analytics.

Webcheck Security information security consultants can provide you with the security guidance and leadership needed to bring about the security maturation that supports rapid response to evolving threats and protection against such threats as Symbiote. Reach out to Webcheck today for a free discussion of your security needs!