Symbiote is a new sophisticated malware that has been observed infecting all running processes on Linux systems. The malware is under active development since last year.
A new threat to Linux
Symbiote has been analyzed by BlackBerry and Intezer Labs who have uncovered several technical aspects of this new malware.
Upon infection, the malware steals account credentials and gives backdoor access to its operators.
After injecting itself inside all running processes, it uses a system-wide threat and leaves no identifiable traces of infection, even during an in-depth inspection by experts.
The malware makes use of the Berkeley Packet Filter (BPF) hooking functionality to sniff network data packets and hide its own communication channels from security tools.
This malware is used for automated credential harvesting from hacked Linux devices. Stealing admin credentials allows unobstructed lateral movement and access to the infected systems.
Its main targets include the financial sector in Latin America and the Federal police of Brazil. Further, the domain names used by the Symbiote malware are pretending to be major Brazilian banks.
If an admin starts a packet capture on the infected machine to investigate, Symbiote injects itself inside the inspection software's process and uses BPF hooking to filter out malicious ones.
To hide its network activity on the infected machine, the malware removes connection entries, performs packet filtering via BPF, and removes UDP traffic.
The malware can hook the libc and libpcap functions and carry out different actions to hide its presence, such as hiding parasitic processes and hiding files being delivered with the malware.
Symbiote is highly evasive and focuses on capturing credentials and facilitating backdoor access. Thus, experts suggest admins use network telemetry to identify anomalous DNS requests. Further, deploy reliable anti-malware and endpoint detection and response solutions to reduce the risks from such threats.