Symbiote, discovered by BlackBerry researchers, is a new Linux malware designed to infect all running processes on a compromised machine. The malware is capable of stealing account credentials and providing backdoor access to its operators.
A Look into Symbiote Linux Malware
The first detection of the malware happened in November 2021, when it was discovered in attacks against financial organizations in Latin America. The malware is capable of hiding itself after the infection, making it very difficult to detect.
Furthermore, the researchers said that even live forensics may not reveal anything, as all files, processes, and network artifacts are concealed (rootkit capabilities). In addition to the rootkit, the malware provides a backdoor that lets threat actors log in as any user on the compromised machine via a hardcoded password and then execute commands with the highest privileges.
“Since it is extremely evasive, a Symbiote infection is likely to ‘fly under the radar.’ In our research, we haven’t found enough evidence to determine whether Symbiote is being used in highly targeted or broad attacks,” the report said.
One of the most curious technical aspects of the malware is the so-called Berkeley Packet Filter (BPF) hooking functionality. Even though this is not the first Linux malware to use this functionality, in the case of Symbiote the hooking is used to hide malicious network traffic on the compromised machine. Other examples of malware using the functionality include advanced backdoors attributed to the Equation threat group.
When an administrator starts a packet capture tool on the machine, the tool loads BPF bytecode into the kernel that defines which packets should be captured.
“In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see,” the researchers added.
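To make the mechanism concrete, here is an added example (not code from the BlackBerry report or from Symbiote itself): a small classic-BPF interpreter plus an audit routine that compares the filter program a capture tool requested with the program actually attached, reporting any prepended stanza and which sample packets it silently drops. The two programs, the packet layout (Ethernet, IPv4 without options, TCP) and the port 31337 are constructed for illustration only.

```python
import struct
INSN = struct.Struct("=HBBI")  # kernel struct sock_filter: u16 code, u8 jt, u8 jf, u32 k
ACCEPT = 262144                # typical snaplen returned for "capture this packet"; 0 = drop
def decode_program(blob: bytes) -> list:
    """Split a raw sock_filter array (as passed to SO_ATTACH_FILTER) into tuples."""
    if len(blob) % INSN.size:
        raise ValueError("not a whole number of sock_filter entries")
    return [INSN.unpack_from(blob, off) for off in range(0, len(blob), INSN.size)]

def run_cbpf(prog: list, pkt: bytes) -> int:
    """Minimal classic-BPF interpreter: ldh/ldb absolute, jeq #k and ret #k only."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code in (0x28, 0x30):      # ldh [k] / ldb [k]; assumes the frame is long enough
            acc = int.from_bytes(pkt[k:k + (2 if code == 0x28 else 1)], "big")
        elif code == 0x15:            # jeq #k, jt, jf: offsets are relative to the next insn
            pc += jt if acc == k else jf
        elif code == 0x06:            # ret #k
            return k
        else:
            raise NotImplementedError(f"opcode {code:#x}")
    return 0                          # not reached for verifier-accepted programs

def injected_prefix(observed: list, expected: list):
    """Instructions prepended to the requested program, or None if the tail was altered.
    Jumps are relative, so a prepended stanza leaves the original instructions byte-identical."""
    extra = len(observed) - len(expected)
    return observed[:extra] if extra >= 0 and observed[extra:] == expected else None

def tcp_frame(dst_port: int) -> bytes:
    """Constructed Ethernet/IPv4 (no options)/TCP frame with only the inspected fields set."""
    eth = b"\x00" * 12 + b"\x08\x00"                             # EtherType IPv4 at offset 12
    ip = bytearray(20); ip[0] = 0x45; ip[9] = 6                   # protocol byte at offset 23
    tcp = bytearray(20); tcp[2:4] = dst_port.to_bytes(2, "big")   # dst port at offset 36
    return eth + bytes(ip) + bytes(tcp)

# Constructed: the program the capture tool requested, roughly "ip and tcp"
EXPECTED = [(0x28, 0, 0, 12), (0x15, 0, 3, 0x0800), (0x30, 0, 0, 23),
            (0x15, 0, 1, 6), (0x06, 0, 0, ACCEPT), (0x06, 0, 0, 0)]
# Constructed stand-in for a prepended stanza: ret #0 (drop) when the TCP dst port is 31337
PREFIX = [(0x28, 0, 0, 36), (0x15, 0, 1, 31337), (0x06, 0, 0, 0)]
OBSERVED_BLOB = b"".join(INSN.pack(*i) for i in PREFIX + EXPECTED)  # what actually got attached
def audit(observed_blob: bytes, expected: list, sample_ports=(443, 31337)):
    """Return the injected prefix and the sample ports whose packets it hides from the tool."""
    observed = decode_program(observed_blob)
    hidden = [p for p in sample_ports
              if run_cbpf(expected, tcp_frame(p)) and not run_cbpf(observed, tcp_frame(p))]
    return injected_prefix(observed, expected), hidden
```

Because the legitimate instructions survive unchanged behind the injected stanza, a byte comparison of the attached program against the one the tool compiled is enough to surface this kind of tampering.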
Full technical disclosure is available in the original BlackBerry report. Other examples of recent malware samples aimed at the Linux environment include Cheerscrypt ransomware and the SysJoker backdoor.