In pop culture, a symbiote often gives a host superhuman ability (and occasionally also a hilarious inner monologue). But in real life, parasitic symbionts can drain a host to the brink of death without the host even being aware. In a new joint research endeavor by Intezer and the BlackBerry Research & Intelligence Team, we discovered a previously unknown malware that operates as a symbiote on Linux® operating systems, hiding itself within running processes so that an attacker can steal a victim’s resources.
The full blog, “Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat,” explores this threat in depth. Read the report here.
The main objective of this malware we call “Symbiote” is to capture credentials and to facilitate backdoor access to a victim’s machine. Since the malware has so many ways to hide itself, including rootkit functionality, detecting an infection can be difficult. But Symbiote has even greater functionality in its bag of tricks.
What makes Symbiote different from other Linux malware is its ability to infect running processes, rather than using a standalone executable file to inflict damage. Once the threat has thoroughly insinuated itself into a victim’s machine, it enables rootkit functionality to further hide evidence of its presence.
Hiding the Flow of Traffic
This threat doesn’t just hide its presence on the file system; it also hides its network traffic by using Berkeley Packet Filter (BPF) hooking functionality.
How this technique works: when an administrator starts a packet capture tool on an infected machine, the tool loads BPF bytecode into the kernel that defines which packets should be captured. Symbiote hooks this step and places its own bytecode in front of the tool’s filter, so the traffic it wants hidden is dropped before the tool’s filter is ever evaluated and the packet-capturing software never sees it.
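To make that ordering concrete, here is an added illustration (not code from the report or from the malware) using a toy classic-BPF evaluator: a short program placed in front of the operator’s unchanged filter decides the packet’s fate first, which is why inspecting only the filter the tool compiled reveals nothing and why a defender should compare the program actually attached to the socket against the one the tool requested. The instruction subset, the four-byte packet layout and the port numbers (80, 4444) are constructed assumptions for this example.

```python
# Added illustration, not code from the Symbiote report. Toy subset of
# classic BPF (cBPF): ('ldh', off) loads a 16-bit big-endian field into the
# accumulator, ('jeq', k, jt, jf) skips jt/jf instructions after the next
# one, ('ret', k) ends evaluation at once. Packet layout and ports are made up.

ACCEPT, DROP = 0xFFFF, 0   # cBPF return value = bytes to capture; 0 = drop

def run_cbpf(program, packet):
    pc, acc = 0, 0
    while pc < len(program):
        op = program[pc]
        if op[0] == "ldh":
            acc = int.from_bytes(packet[op[1]:op[1] + 2], "big")
        elif op[0] == "jeq":
            pc += op[2] if acc == op[1] else op[3]
        elif op[0] == "ret":
            return op[1]          # the first 'ret' wins; later code never runs
        pc += 1
    return DROP

# Constructed packet layout: bytes 0-1 source port, bytes 2-3 destination port.
def packet(src_port, dst_port):
    return src_port.to_bytes(2, "big") + dst_port.to_bytes(2, "big")

# What the operator's capture tool compiled: "keep traffic to port 80".
OPERATOR_FILTER = [
    ("ldh", 2),
    ("jeq", 80, 0, 1),
    ("ret", ACCEPT),
    ("ret", DROP),
]

# A stub placed in front of it: drop anything from one chosen source port
# (4444 is a constructed value) before the operator's instructions run.
PREPENDED_STUB = [
    ("ldh", 0),
    ("jeq", 4444, 0, 1),
    ("ret", DROP),
]

# cBPF jumps are relative, so the two programs concatenate unchanged and the
# operator's own bytecode is still intact and looks normal when inspected.
TAMPERED_FILTER = PREPENDED_STUB + OPERATOR_FILTER

def captured(program, pkt):
    return run_cbpf(program, pkt) != DROP

def filter_is_tampered(installed, expected):
    """Defender check: the program attached to the socket must equal the one
    the tool compiled, not a longer program that merely ends with it."""
    return installed != expected

if __name__ == "__main__":
    hidden = packet(4444, 80)
    print("operator filter alone sees it:", captured(OPERATOR_FILTER, hidden))
    print("with stub in front, sees it:  ", captured(TAMPERED_FILTER, hidden))
    print("tampered:", filter_is_tampered(TAMPERED_FILTER, OPERATOR_FILTER))
```

On a real host the "installed" side of that comparison is the filter the kernel reports for the capture socket (for example via `ss --bpf`, which requires administrator privileges), not anything the capture tool prints about itself.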
Seeking Extraordinary Rewards
You might wonder what kind of target would warrant such a robust feature set. When the first samples of Symbiote were found in early 2022, they appeared to be targeting the financial sector in Latin America. Domain names used by the malware indicate that the threat actors are currently impersonating Brazilian banks, which suggests that these banks or their customers are potential targets.
In addition to providing the threat actor with the ability to remotely access victim machines, this malware also allows the attacker to perform automatic credential harvesting.
Symbiote is one of the most sophisticated Linux threats we’ve seen in recent times, but trends we’ve observed in the current threat landscape suggest it won’t be the last. As attackers increasingly focus their attention on cloud servers and workloads, we anticipate seeing Linux threats on the rise. The Intezer team, along with partners like the BlackBerry Research & Intelligence Team, will continue identifying, analyzing, and reporting threats such as Symbiote, as well as contributing to building the countermeasures needed to mitigate their impact.