Researchers Discover New Symbiote Linux Malware Targeting Financial Institutions
Security researchers have discovered a new Linux malware dubbed Symbiote that uses sophisticated techniques to hide its presence on compromised systems. The malware appears to be targeting financial institutions in Latin America, including Brazil.
Cybersecurity researchers from Intezer and the BlackBerry Threat Research & Intelligence Team first detected Symbiote in November 2021. The team explained that the malware differs from other Linux backdoors (which typically infect running processes) because of its “parasitic nature.”
According to the researchers, the malware is a shared object (SO) library that is loaded into every process running on the target machine via LD_PRELOAD. Symbiote gives threat actors the rootkit functionality needed to harvest user credentials and gain remote access to the system.
As shown in the screenshot below, the malware has various capabilities, including use of the Berkeley Packet Filter (BPF), which lets the attackers hide malicious network traffic on the compromised device.
“When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured,” the researchers explained. “In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see.”
Symbiote is used as a credential theft tool
Additionally, Symbiote uses a stealth technique to load before any other shared object. This lets the malware conceal its own presence, its related files, and its network entries on the system by hooking functions in libc and libpcap.
The researchers noted that the malware can harvest user credentials by hooking the libc read function. It also hooks some Linux Pluggable Authentication Module (PAM) functions to facilitate remote access.
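Because an LD_PRELOAD implant of the kind described above must announce itself either in /etc/ld.so.preload, in a process's LD_PRELOAD environment variable, or as a library mapped into many unrelated processes, those three places are where a defender looks first. The following checker is an added example written for this article; it is not code from Intezer, BlackBerry or the Symbiote samples. The trusted library directories, the constructed /proc data, and the heuristic threshold are assumptions for illustration, and a rootkit that hooks the libc functions used to read /proc can of course lie to this script, which is why running a statically linked copy of such a tool from outside the host is the usual caveat.

```python
"""Heuristic checks for LD_PRELOAD-style shared-object injection on Linux.

Added example (not Intezer/BlackBerry code). Each check takes file content as
an argument so it can be run against constructed input; scan_live_system()
applies the same checks to the real /etc/ld.so.preload and /proc tree.
"""
import os
from pathlib import Path
from typing import Dict, List, Optional

# Assumption: directories where shared objects are normally expected. Tune per distro.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def preload_entries(ld_so_preload_text: str) -> List[str]:
    """Return non-empty, non-comment entries from /etc/ld.so.preload content.

    On most hosts this file is absent or empty, so any entry deserves review.
    """
    return [ln.strip() for ln in ld_so_preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def preload_from_environ(environ_bytes: bytes) -> Optional[str]:
    """Extract LD_PRELOAD from a /proc/<pid>/environ blob (NUL-separated)."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def untrusted_mapped_libs(maps_text: str) -> List[str]:
    """List .so paths in /proc/<pid>/maps content that live outside trusted dirs.

    A library under /tmp, /dev/shm or a home directory is the footprint a
    preloaded implant leaves in every process it is injected into.
    """
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(parts) < 6:
            continue  # anonymous mapping, no backing file
        path = parts[5].strip()
        if ".so" not in os.path.basename(path):
            continue
        if not path.startswith(TRUSTED_LIB_DIRS):
            found.add(path)
    return sorted(found)


def implant_candidates(maps_by_pid: Dict[int, str], min_processes: int = 2) -> Dict[str, int]:
    """Untrusted libraries mapped into at least min_processes distinct processes.

    LD_PRELOAD loads the object into every dynamically linked process, so a
    library shared by unrelated programs is a stronger signal than a one-off.
    """
    counts: Dict[str, int] = {}
    for maps_text in maps_by_pid.values():
        for path in untrusted_mapped_libs(maps_text):
            counts[path] = counts.get(path, 0) + 1
    return {p: n for p, n in counts.items() if n >= min_processes}


def scan_live_system(proc: str = "/proc") -> Dict[str, object]:
    """Apply the checks to the running host (requires read access to /proc)."""
    report: Dict[str, object] = {"ld_so_preload": [], "env_preload": {}, "shared_libs": {}}
    preload_file = Path("/etc/ld.so.preload")
    if preload_file.is_file():
        report["ld_so_preload"] = preload_entries(preload_file.read_text(errors="replace"))
    maps_by_pid: Dict[int, str] = {}
    for entry in Path(proc).iterdir():
        if not entry.name.isdigit():
            continue
        pid = int(entry.name)
        try:
            env = preload_from_environ((entry / "environ").read_bytes())
            if env:
                report["env_preload"][pid] = env
            maps_by_pid[pid] = (entry / "maps").read_text(errors="replace")
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited or not ours to inspect
    report["shared_libs"] = implant_candidates(maps_by_pid)
    return report


# Constructed sample data standing in for /proc contents on an infected host.
SAMPLE_MAPS_INFECTED = (
    "7f00-7f10 r-xp 00000000 08:01 1 /lib/x86_64-linux-gnu/libc.so.6\n"
    "7f20-7f30 r-xp 00000000 08:01 2 /dev/shm/hidden.so\n"
    "7f40-7f50 rw-p 00000000 00:00 0\n"
)
SAMPLE_MAPS_CLEAN = "7f00-7f10 r-xp 00000000 08:01 1 /lib/x86_64-linux-gnu/libc.so.6\n"

if __name__ == "__main__":
    print(preload_entries("# comment\n\n/dev/shm/hidden.so\n"))
    print(preload_from_environ(b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/hidden.so\0"))
    print(implant_candidates({1: SAMPLE_MAPS_INFECTED, 2: SAMPLE_MAPS_INFECTED, 3: SAMPLE_MAPS_CLEAN}))
```

On a clean host all three report fields are empty; a single entry in /etc/ld.so.preload, or one library outside the system library directories mapped into several unrelated processes, is enough to justify pulling the file for analysis and cross-checking from a rescue environment where the host's libc is not in use.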
So far, the Symbiote malware samples have only been submitted to VirusTotal, and there is no evidence that the malware is being actively used in the wild. “As no code is shared between Symbiote and Ebury/Windigo or any other known [Linux] malware, we can confidently conclude that Symbiote is a new, undiscovered Linux malware,” the researchers added.