Fans of Linux-based operating systems often cite greater security as the basis for the love of their chosen distro. Whether Linux distros have better security track records than the likes of Windows 11 and macOS because they are inherently more secure or because they are simply not targeted as much as very much open to debate, but Linux remains fallible, nonetheless.
Going some way to prove this is the Symbiote malware discovered by security researchers from BlackBerry and Intezer Labs. Symbiote is worrying for a number of reasons including the fact that it is described as “nearly-impossible-to-detect”. It is also extremely dangerous piece of malware that “parasitically infects” systems, infecting all running processes and giving threat actors rootkit functionality, remote access and more.
Symbiote so called because of nature of attacks, with ‘symbiote” being a biological term for an organism that lives in symbiosis with another organism, sometimes parasitically. The security researchers say that Symbiote has been in existence since at least November 2021, and appears to have been developed to target the financial sector.
Writing up their finding, the researchers say of the malware:
What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.
They go on to explain why Symbiote is so hard to detect:
Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware. In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges.
Since it is extremely evasive, a Symbiote infection is likely to “fly under the radar”. In our research, we haven’t found enough evidence to determine whether Symbiote is being used in highly targeted or broad attacks.
One interesting technical aspect of Symbiote is its Berkeley Packet Filter (BPF) hooking functionality. Symbiote is not the first Linux malware to use BPF. For example, an advanced backdoor attributed to the Equation Group has been using BPF for covert communication. However, Symbiote utilizes BPF to hide malicious network traffic on an infected machine.
When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured. In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see.
Symbiote is also able to hide its network activity using a variety of techniques. This is perfect cover to allow the malware to harvest credentials and to provide remote access for the threat actor.
A full, detailed write up is available on the BlackBerry blog, as well as in a post on the Intezer site.