Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before – it isn’t a standalone executable file.
Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.
The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil.
“Since it is extremely evasive, a Symbiote infection is likely to ‘fly under the radar.’ In our research, we haven’t found enough evidence to determine whether Symbiote is being used in highly targeted or broad attacks,” the researchers wrote in their report.
The research doesn’t mention how the initial infection occurs, although once it does, it is “very hard to detect,” caution the researchers. “Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware.”
Along with making itself invisible, Symbiote’s ultimate goal is to provide backdoor access to the infected machine and harvest credentials, both of which it does by hooking a bunch of functions and hijacking data. Credentials are stored locally before being hex encoded, chunked up and transmitted disguised as a DNS request.
As for how it hides itself, BlackBerry and Intezer have detailed quite a few methods:
- It removes certained named entries from lists of running processes,
- Removes itself from lists of SO dependencies in LDD,
- Hides certain named files from directories,
- Intercepts and drops TCP and UDP packets,
- Blocks certain traffic on certain ports
All of those actions are contextual as well: When certain conditions are met, Symbiote takes different actions to ensure it remains undetected.
Symbiote’s objectives aren’t particularly novel – the researchers even point out malware like Ebury, which was similar in purpose and technique. Analyzing the code of those two malware families turned up something interesting: They’re both completely different.
“As no code is shared between Symbiote and Ebury/Windigo or any other known malware, we can confidently conclude that Symbiote is a new, undiscovered Linux malware,” the researchers said.
So, how does an organization prevent an infection from Symbiote, when it could already be deeply embedded? The researchers have two recommendations: First, keep an eye on network telemetry and watch anomalous DNS requests. Second, statically link all AV and EDR software so Symbiote can’t render itself invisible from them as well.
Lastly, take a look at the full report, which contains plenty of indicators of compromise. ®