The Symbiote Malware
Researchers from BlackBerry and Intezer have discovered a new strain of Linux malware that is “nearly impossible to detect”. The threat, which has been given the codename “Symbiote”, can be weaponized against machines that are already infected.
In a blog post written jointly by BlackBerry and Intezer, the companies explain how Symbiote differs from other Linux malware: it must first infect running processes before it can do any damage to a target machine, and that is what sets it apart from other known threats.
According to the report, Symbiote is not a standalone executable but a shared object (SO) library, which lets it be loaded into every running process.
The researchers found that once the malware has infected all running processes, it gains rootkit capabilities, the ability to harvest credentials, and the means to give the threat actor remote access.
Because the malware hides its files, processes, and network artifacts, live forensics on an infected machine may turn up no evidence that it is infected at all.
Symbiote can also disguise malicious network traffic on an infected host by hooking into the Berkeley Packet Filter (BPF), which makes it harder for system administrators to spot suspicious packets on that host.
As the blog post explains, when a packet capture tool is run on a compromised machine, BPF bytecode is injected into the kernel; that bytecode controls which packets are collected.
Symbiote adds its own bytecode to that filter first, so that traffic it does not want the capture tool to see is filtered out before it is ever captured. The researchers note, however, that network telemetry can still be used to spot unusual requests to DNS servers.
For prevention, security experts recommend that antivirus and endpoint detection and response (EDR) software be statically linked, so that it is not subverted by userland rootkits.
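As an added example (not code from the BlackBerry/Intezer report), the following Python check lists the shared objects mapped into every running process and flags any that live outside the standard library directories, since a library loaded into all processes is exactly the footprint described above. The sample /proc maps content is constructed, and the trusted-directory list is an assumption.

```python
import os
import re

# Directories where system-wide shared objects are expected to live (assumption).
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Path column of a /proc/<pid>/maps line that maps a .so file.
_SO_RE = re.compile(r"\s(/\S+\.so(?:\.\S+)?)$")

# Constructed sample: two processes that both map libc and a .so in /tmp.
SAMPLE_MAPS = {
    "1": "7f00-7f01 r--p 00000000 08:01 1 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
         "7f10-7f11 r--p 00000000 08:01 2 /tmp/.hidden/libsym.so\n"
         "7ff0-7ff1 rw-p 00000000 00:00 0 [stack]",
    "2": "7f00-7f01 r--p 00000000 08:01 1 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
         "7f10-7f11 r--p 00000000 08:01 2 /tmp/.hidden/libsym.so\n"
         "7f20-7f21 r--p 00000000 08:01 3 /usr/lib/libz.so.1",
}

def shared_objects(maps_text):
    """Return the set of .so paths mapped in one maps file."""
    return {m.group(1) for line in maps_text.splitlines()
            if (m := _SO_RE.search(line))}

def find_common_objects(maps_by_pid, trusted_dirs=TRUSTED_DIRS):
    """Shared objects present in every process, excluding trusted dirs.
    libc and friends are in every process too, hence the path filter;
    a .so dropped into a trusted dir would slip past this coarse check."""
    if not maps_by_pid:
        return []
    common = set.intersection(*(shared_objects(t) for t in maps_by_pid.values()))
    return sorted(p for p in common if not p.startswith(tuple(trusted_dirs)))

def read_proc_maps():
    """Collect /proc/<pid>/maps for every readable process on a live host.
    A userland rootkit can hook the libc calls behind os.listdir/open, so
    run this from a statically linked tool if you suspect a live infection."""
    result = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/maps") as fh:
                result[pid] = fh.read()
        except OSError:  # process exited or maps not readable
            continue
    return result

if __name__ == "__main__":
    maps = read_proc_maps() if os.path.isdir("/proc") else SAMPLE_MAPS
    for path in find_common_objects(maps):
        print("mapped into every process, outside trusted dirs:", path)
```

A hit from this check is a lead, not a verdict: confirm the file's origin and hashes against an offline image, because the rootkit may also hide the file itself from the live system.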
The research team also says it first found the malware at Latin American financial institutions in November 2021, even though the report disclosing this was only published the previous week. The findings suggest that Symbiote used domain names impersonating well-known Brazilian banks.
In the report, BlackBerry and Intezer say they have not been able to attribute the malware, but they note that it appears to be an entirely new threat, since Symbiote shares no code with Ebury/Windigo or any other known malware. Analysis with Intezer Analyze found only unique code in the samples, which supports the hypothesis that Symbiote is a new, previously unidentified Linux malware.