A new Linux backdoor threat has been discovered, using malware known as ‘Symbiote’. The name refers to the way it lives inside the ‘host’ processes it infects, hiding itself while stealing data and credentials from the victim. A threat report released last week by Intezer and The BlackBerry Threat Research & Intelligence Team details how this malware works, and why its presence is nearly impossible to detect.
The malware was first detected in November 2021 and appears to have been written to target the financial sector: the domain names it uses impersonate major Brazilian banks. Its behaviour has changed regularly between samples, for example in the DNS server addresses it uses for its network activity. What makes Symbiote unusual is that it infects running processes rather than running on its own: it is a shared object library, not a standalone executable, and the dynamic linker loads it into processes via LD_PRELOAD (MITRE ATT&CK T1574.006). Since LD_PRELOAD takes effect when a program starts, this covers every dynamically linked process launched after the infection, while statically linked programs are unaffected. Once loaded, Symbiote hooks libc’s read function, and when the hooked read is called from an ssh or scp process it captures the credentials passing through it. The malware also provides remote backdoor access to the infected machine: authenticating with a hardcoded password lets the attacker run commands with the highest privileges.
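Because LD_PRELOAD injection only affects dynamically linked programs, the practical check is to look for it from a statically linked binary that the rootkit cannot hook. The program below is an added example written for this article, not code from the Intezer/BlackBerry report: it inspects the three places where preload injection leaves a trace (shared objects mapped outside the system library directories in /proc/<pid>/maps, entries in /etc/ld.so.preload, and LD_PRELOAD in a process environment). The trusted directory list, the sample inputs and the path /var/tmp/.x/evil.so are constructed for the illustration.

```c
/* Added example, not code from the Intezer/BlackBerry report: a checker for
 * LD_PRELOAD-style injection. Build it statically
 * (gcc -static -O2 -o preload_check preload_check.c) so that the checker itself
 * cannot be hooked: LD_PRELOAD only affects dynamically linked programs.
 * The trusted directories and sample inputs are assumptions for the example. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char *trusted_prefixes[] = {
    "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/", NULL
};

static int trusted_path(const char *p, size_t len) {
    for (int i = 0; trusted_prefixes[i]; i++) {
        size_t n = strlen(trusted_prefixes[i]);
        if (len >= n && memcmp(p, trusted_prefixes[i], n) == 0) return 1;
    }
    return 0;
}

/* Count distinct shared objects in /proc/<pid>/maps text that are mapped from
 * outside the trusted directories. A preloaded library shows up in the maps of
 * every dynamically linked process on the host. */
int suspicious_objects_in_maps(const char *maps) {
    char seen[64][256];
    int nseen = 0;
    for (const char *line = maps; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        const char *path = memchr(line, '/', len);   /* pathname column starts at the first '/' */
        if (path) {
            size_t plen = len - (size_t)(path - line);
            if (plen < 256 && memmem(path, plen, ".so", 3) && !trusted_path(path, plen)) {
                int dup = 0;
                for (int i = 0; i < nseen && !dup; i++)
                    dup = strlen(seen[i]) == plen && memcmp(seen[i], path, plen) == 0;
                if (!dup && nseen < 64) {
                    memcpy(seen[nseen], path, plen);
                    seen[nseen][plen] = '\0';
                    nseen++;
                }
            }
        }
        line = nl ? nl + 1 : line + len;
    }
    return nseen;
}

/* Count active (non-blank, non-comment) lines of /etc/ld.so.preload. On a clean
 * host the file is normally absent or empty. */
int preload_entries(const char *text) {
    int n = 0;
    for (const char *line = text; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        size_t i = 0;
        while (i < len && (line[i] == ' ' || line[i] == '\t')) i++;
        if (i < len && line[i] != '#') n++;
        line = nl ? nl + 1 : line + len;
    }
    return n;
}

/* /proc/<pid>/environ is NUL-separated; report whether LD_PRELOAD is set. */
int environ_has_ld_preload(const char *env, size_t len) {
    for (size_t i = 0; i < len; ) {
        size_t l = strnlen(env + i, len - i);
        if (l >= 11 && memcmp(env + i, "LD_PRELOAD=", 11) == 0) return 1;
        i += l + 1;
    }
    return 0;
}

/* Constructed samples of what the three sources look like on an infected host. */
static const char sample_maps[] =
    "55d0c2c00000-55d0c2c01000 r--p 00000000 08:01 123456 /usr/bin/cat\n"
    "7f3a10000000-7f3a10022000 r--p 00000000 08:01 654321 /lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3a10022000-7f3a101b7000 r-xp 00022000 08:01 654321 /lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3a20000000-7f3a20004000 r--p 00000000 08:01 777777 /var/tmp/.x/evil.so\n"
    "7f3a20004000-7f3a20010000 r-xp 00004000 08:01 777777 /var/tmp/.x/evil.so\n"
    "7ffd8c000000-7ffd8c021000 rw-p 00000000 00:00 0 [stack]\n";
static const char sample_preload[] = "# added by attacker\n\n/var/tmp/.x/evil.so\n";
static const char sample_env[] = "PATH=/usr/bin\0LD_PRELOAD=/var/tmp/.x/evil.so\0";

/* Read a whole file (works for size-0 /proc files); caller frees. */
static char *slurp(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    size_t cap = 4096, n = 0;
    char *buf = malloc(cap);
    while (buf) {
        n += fread(buf + n, 1, cap - n - 1, f);
        if (n + 1 < cap) break;                    /* short read: end of file */
        cap *= 2;
        char *grown = realloc(buf, cap);
        if (!grown) { free(buf); buf = NULL; } else buf = grown;
    }
    fclose(f);
    if (buf) buf[n] = '\0';
    return buf;
}

int main(void) {
    printf("sample maps: %d suspicious object(s)\n", suspicious_objects_in_maps(sample_maps));
    printf("sample ld.so.preload: %d entry(ies)\n", preload_entries(sample_preload));
    printf("sample environ: LD_PRELOAD %s\n",
           environ_has_ld_preload(sample_env, sizeof sample_env - 1) ? "set" : "not set");
    char *maps = slurp("/proc/self/maps");        /* live check of this process */
    if (maps) printf("this process: %d suspicious object(s)\n", suspicious_objects_in_maps(maps));
    free(maps);
    char *pre = slurp("/etc/ld.so.preload");
    if (pre) printf("/etc/ld.so.preload: %d entry(ies)\n", preload_entries(pre));
    free(pre);
    return 0;
}
```

Run the static build from a trusted location and, for a host-wide sweep, feed it the maps and environ of every pid under /proc. A dynamically linked copy of the same checker is not trustworthy on an infected host, because the rootkit can hook fopen, read and readdir and filter its own entries out of what the checker reads.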
Symbiote hides so successfully because it carries rootkit functionality: as an LD_PRELOAD rootkit it hooks the libc functions through which programs list files, processes and network connections, so its own files, processes and network artifacts are concealed from everything running on the infected host. It also tampers with Berkeley Packet Filter (BPF) programs to hide the network traffic it generates. A user who suspects something and runs a packet capture tool on the infected machine will not see that traffic: when the capture tool attaches its BPF filter, the malware inserts its own BPF bytecode ahead of the tool’s filter before the program is handed to the kernel. Because the malware’s bytecode runs first, the traffic it wants to hide is dropped before the user’s own filter ever evaluates it.
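The mechanism is easiest to see with a concrete filter. The program below is an added example written for this article, not code from the report or from the malware: a minimal classic-BPF interpreter runs the filter a capture tool would install for "udp", then runs the same filter with a hiding stanza prepended to it, over a constructed UDP frame. The hidden port (4444), the 42-byte frame layout, the opcode subset and the struct layout (which mirrors the kernel's struct sock_filter) are assumptions made for the illustration.

```c
/* Added example, not code from the Intezer/BlackBerry report: a tiny classic-BPF
 * interpreter showing how a stanza prepended to a capture tool's filter drops
 * the attacker's traffic before that filter runs. HIDDEN_PORT, the frame
 * layout and the opcode subset are assumptions for the illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the kernel's struct sock_filter (linux/filter.h),
 * redeclared so the example builds without kernel headers. */
struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Opcode values as encoded by classic BPF. */
#define OP_LDH_ABS 0x28 /* BPF_LD|BPF_H|BPF_ABS : A = big-endian u16 at pkt[k] */
#define OP_LDB_ABS 0x30 /* BPF_LD|BPF_B|BPF_ABS : A = pkt[k]                   */
#define OP_JEQ_K   0x15 /* BPF_JMP|BPF_JEQ|BPF_K: pc += (A == k) ? jt : jf     */
#define OP_RET_K   0x06 /* BPF_RET|BPF_K        : accept k bytes (0 = drop)    */

#define HIDDEN_PORT 4444u   /* constructed value for the example */
#define ACCEPT_ALL  262144u /* tcpdump's usual "accept whole packet" value */
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Run a classic BPF program over a frame; returns the accept length, 0 = drop.
 * Out-of-range loads and unsupported opcodes drop, as the kernel would. */
uint32_t cbpf_run(const struct cbpf_insn *p, size_t n, const uint8_t *pkt, size_t len) {
    uint32_t A = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct cbpf_insn *i = &p[pc];
        switch (i->code) {
        case OP_LDB_ABS: if ((size_t)i->k + 1 > len) return 0; A = pkt[i->k]; break;
        case OP_LDH_ABS: if ((size_t)i->k + 2 > len) return 0;
                         A = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1]; break;
        case OP_JEQ_K:   pc += (A == i->k) ? i->jt : i->jf; break; /* offsets are relative to the next insn */
        case OP_RET_K:   return i->k;
        default:         return 0;
        }
    }
    return 0;
}

/* Roughly what a capture tool installs for the expression "udp" on Ethernet. */
static const struct cbpf_insn user_filter[] = {
    { OP_LDH_ABS, 0, 0, 12 },      /* ethertype */
    { OP_JEQ_K,   0, 3, 0x0800 },  /* not IPv4 -> drop */
    { OP_LDB_ABS, 0, 0, 23 },      /* IP protocol */
    { OP_JEQ_K,   0, 1, 17 },      /* not UDP -> drop */
    { OP_RET_K,   0, 0, ACCEPT_ALL },
    { OP_RET_K,   0, 0, 0 },
};

/* The stanza a hook could place in front of user_filter: any UDP datagram to
 * or from HIDDEN_PORT is dropped; everything else falls through to the user's
 * own instructions, whose relative jumps need no fix-up. */
static const struct cbpf_insn hide_stanza[] = {
    { OP_LDH_ABS, 0, 0, 12 },
    { OP_JEQ_K,   0, 7, 0x0800 },  /* not IPv4 -> fall through to user filter */
    { OP_LDB_ABS, 0, 0, 23 },
    { OP_JEQ_K,   0, 5, 17 },      /* not UDP -> fall through */
    { OP_LDH_ABS, 0, 0, 34 },      /* UDP source port (20-byte IP header assumed) */
    { OP_JEQ_K,   2, 0, HIDDEN_PORT },
    { OP_LDH_ABS, 0, 0, 36 },      /* UDP destination port */
    { OP_JEQ_K,   0, 1, HIDDEN_PORT },
    { OP_RET_K,   0, 0, 0 },       /* hidden: drop before the user's filter sees it */
};

/* Concatenate stanza + user program, as the hook would before the combined
 * program is attached with SO_ATTACH_FILTER. Returns the combined length. */
size_t prepend_filter(struct cbpf_insn *out, size_t cap) {
    size_t total = N(hide_stanza) + N(user_filter);
    if (total > cap) return 0;
    memcpy(out, hide_stanza, sizeof hide_stanza);
    memcpy(out + N(hide_stanza), user_filter, sizeof user_filter);
    return total;
}

/* Constructed 42-byte Ethernet/IPv4/UDP frame with the given ports. */
size_t make_udp_frame(uint8_t *f, uint16_t sport, uint16_t dport) {
    memset(f, 0, 42);
    f[12] = 0x08; f[13] = 0x00;                 /* ethertype IPv4 */
    f[14] = 0x45;                               /* version 4, IHL 5 */
    f[23] = 17;                                 /* protocol UDP */
    f[34] = sport >> 8; f[35] = sport & 0xff;
    f[36] = dport >> 8; f[37] = dport & 0xff;
    return 42;
}

/* Verdict of the user's own filter vs. the hooked (prepended) one. */
uint32_t verdict_clean(uint16_t sport, uint16_t dport) {
    uint8_t f[42]; size_t n = make_udp_frame(f, sport, dport);
    return cbpf_run(user_filter, N(user_filter), f, n);
}
uint32_t verdict_hooked(uint16_t sport, uint16_t dport) {
    struct cbpf_insn prog[32]; size_t np = prepend_filter(prog, N(prog));
    uint8_t f[42]; size_t n = make_udp_frame(f, sport, dport);
    return cbpf_run(prog, np, f, n);
}
size_t hooked_filter_len(void) { struct cbpf_insn p[32]; return prepend_filter(p, N(p)); }

int main(void) {
    printf("DNS  53->53   clean=%u hooked=%u\n", verdict_clean(53, 53), verdict_hooked(53, 53));
    printf("C2   53->4444 clean=%u hooked=%u\n", verdict_clean(53, 4444), verdict_hooked(53, 4444));
    printf("filter grew from %zu to %zu instructions\n", N(user_filter), hooked_filter_len());
    return 0;
}
```

The last line of output points at the check a defender can make: the attached program is longer than the one the tool built. On kernels that support it, getsockopt with SO_GET_FILTER returns the classic BPF program actually attached to a socket, so a capture tool, or a small probe run alongside it, can compare that instruction count with what it asked for; a mismatch means something rewrote the filter on the way to the kernel. The comparison is only meaningful from a statically linked probe, since a preloaded library can hook getsockopt too.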
Because the malware evades detection so well, the Intezer and BlackBerry researchers investigating it have stated that they cannot determine whether it is being used in targeted attacks or as a broader attack vector.