
Ismael Valenzuela and Joakim Kennedy describe a dangerous new cyber threat that hides within computer processes
In pop culture, a symbiote often gives a host superhuman ability (and occasionally also hilarious inner monologue). But in real life, parasitic symbionts can drain a host to the brink of death without them even being aware.
Joint research by Intezer Labs and the BlackBerry Research & Intelligence Team has uncovered a new Linux® malware that operates as a symbiote, hiding itself within running processes and network traffic, so an attacker can steal a victim’s resources.
The main objective of this malware we call “Symbiote” is to capture credentials and to facilitate backdoor access to a victim’s machine. Since the malware has so many ways to hide itself, including rootkit functionality, detecting an infection can be difficult. But Symbiote has even greater functionality in its bag of tricks.
What makes Symbiote different from other Linux malware is its ability to infect running processes, rather than using a standalone executable file to inflict damage. Once the threat has thoroughly insinuated itself into a victim’s machine, it enables rootkit functionality to further hide evidence of its presence.
This threat doesn’t just hide its presence on the file system; it also hides its network traffic by using Berkeley Packet Filter (BPF) hooking functionality. This is not the first time we’ve seen this technique used on Linux machines. We’ve known for years about hacking tools attributed to the Equation Group that use BPF for covert communication. However, this is the first time we’ve seen it used in financially motivated malware.
How this technique works: When it injects itself into processes, the malware can pick and choose which results it displays. If an administrator starts a packet capture on the infected machine to investigate some suspicious network traffic, Symbiote will inject itself into the inspection software’s process and use BPF hooking to filter out results that would reveal its activity.
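One defensive consequence of the behaviour described above is that a single tool’s output can no longer be trusted on its own: if the inspection process has been injected into, whatever it prints has already been filtered. A classic rootkit-hunting response is a cross-view comparison, reading the same information from two independent sources and flagging anything that appears in one but not the other. The script below is an added illustration for this article, not code from Intezer, BlackBerry or the Symbiote sample itself. It parses the kernel’s /proc/net/tcp text format and compares the sockets found there against the endpoint list a user-space tool reported. The /proc/net/tcp lines and the tool’s report are constructed sample data; the assumption is that the tool’s output can be reduced to (local, remote) endpoint pairs, and the host is assumed to be little-endian (which determines how /proc/net/tcp prints addresses). Whether a particular hooking mechanism also conceals /proc entries is not something this article states, so treat a clean comparison as one data point, not proof of absence.

```python
"""
Cross-view check for hidden TCP sockets (added example, not project code).

Sockets present in the kernel-side view (/proc/net/tcp) but absent from a
user-space tool's report are candidates for closer inspection: a tool whose
process has been hooked to filter its own output produces exactly this kind
of gap.
"""
from __future__ import annotations

import socket

# Constructed sample in the /proc/net/tcp format: header line, then one
# entry per socket. Addresses are hex in host byte order, ports hex in
# network order, state is a hex code (0A = LISTEN, 01 = ESTABLISHED).
PROC_NET_TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:8E10 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:A1F4 0501A8C0:20FB 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of what a (hypothetically hooked) user-space tool
# reported: the third connection from the kernel view is missing.
TOOL_VIEW_SAMPLE = [
    (("127.0.0.1", 22), ("0.0.0.0", 0)),
    (("10.0.2.15", 36368), ("93.184.216.34", 443)),
]

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN", "06": "TIME_WAIT"}


def _decode_endpoint(field: str) -> tuple[str, int]:
    """Decode an 'ADDR:PORT' field from /proc/net/tcp into (ip, port).

    The 32-bit address is printed in host byte order; on a little-endian
    host (assumed here) the octets come out reversed, so 127.0.0.1 is
    shown as 0100007F.
    """
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)
    return socket.inet_ntoa(raw[::-1]), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Parse /proc/net/tcp text (IPv4 only) into a list of socket records."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        entries.append({
            "local": _decode_endpoint(parts[1]),
            "remote": _decode_endpoint(parts[2]),
            "state": TCP_STATES.get(parts[3], parts[3]),
        })
    return entries


def find_hidden_sockets(kernel_entries: list[dict], tool_view) -> list[dict]:
    """Return kernel-side sockets that the tool's report does not mention."""
    reported = set(tool_view)
    return [e for e in kernel_entries if (e["local"], e["remote"]) not in reported]


def read_live_proc_net_tcp(path: str = "/proc/net/tcp") -> list[dict]:
    """Read the real kernel view on a Linux host (not used by the sample run)."""
    with open(path, encoding="ascii") as fh:
        return parse_proc_net_tcp(fh.read())


if __name__ == "__main__":
    kernel_view = parse_proc_net_tcp(PROC_NET_TCP_SAMPLE)
    for entry in find_hidden_sockets(kernel_view, TOOL_VIEW_SAMPLE):
        print("socket in kernel view but not reported by tool:",
              entry["local"], "->", entry["remote"], entry["state"])
```

On a real host you would replace the constructed tool report with the endpoint pairs captured from the tool under suspicion and the sample text with `read_live_proc_net_tcp()`; the comparison logic stays the same.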
You might wonder what kind of target would warrant such a robust feature set. When the creators of Symbiote began development in 2021, they were specifically targeting the financial sector in Latin America. Domain names used by the malware indicate the threat actors are currently impersonating Brazilian banks, which suggests that these banks or their customers are potential targets.
In addition to providing the threat actor with the ability to remotely access victim machines, this malware also allows the attacker to perform automatic credential harvesting.
Symbiote is one of the most sophisticated Linux threats we’ve seen in recent times, but trends we’ve observed in the current threat landscape suggest it won’t be the last. As attackers increasingly focus their attention on cloud servers and workloads, we anticipate seeing Linux threats on the rise.
The global BlackBerry Threat Research & Intelligence team, along with partners like Intezer, will continue identifying, analyzing, and reporting threats such as Symbiote, as well as contributing to building the countermeasures needed to mitigate their impact.
Ismael Valenzuela is VP of Research & Intelligence at BlackBerry and Dr Joakim Kennedy is Security Researcher at Intezer Labs. Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat explores this threat in depth and can be read here.
Main image courtesy of iStockPhoto.com
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543