Symbiote Malware infects all running processes on Linux Systems

A newly found malware known as Symbiote infects all running processes on compromised systems, steals account credentials, and gives its operators backdoor access. Symbiote acts as a system-wide parasite: after injecting itself into all running processes it leaves no identifiable signs of infection, even during meticulous in-depth inspections. The malware uses BPF (Berkeley Packet Filter) hooking functionality to sniff network data packets and to hide its own communication channels from security tools. This novel threat was discovered and analyzed by BlackBerry and Intezer Labs researchers, who worked together to uncover all aspects of the new malware in a detailed technical report. According to the researchers, Symbiote has been under active development since 2021.

Instead of having the typical form of an executable, Symbiote is a shared object (SO) library that gets loaded into running processes using the LD_PRELOAD directive, which makes the dynamic loader load it before any other shared object. By being the first to load, Symbiote can hook the “libc” and “libpcap” functions and perform various actions to conceal its presence, like hiding parasitic processes, hiding files deployed with the malware, and more. “When it injects itself into processes, the malware can choose which results it displays,” the security researchers revealed in a report published today. “If an administrator starts a packet capture on the infected machine to investigate some suspicious network traffic, Symbiote will inject itself into the inspection software’s process and use BPF hooking to filter out results that would reveal its activity.”
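Because the whole technique rests on LD_PRELOAD and on a foreign shared object being mapped into every process, the artifacts a defender can look for are fairly concrete: an `LD_PRELOAD` variable in a process environment, an entry in `/etc/ld.so.preload`, and `.so` mappings in `/proc/<pid>/maps` that live outside the normal library directories or are backed by a deleted file. The following is an added example written for this article, not tooling from BlackBerry or Intezer; it assumes the standard Linux `/proc` layout, and the `TRUSTED_LIB_DIRS` allowlist and all sample inputs are constructed for illustration.

```python
"""Added example: look for LD_PRELOAD-style library injection using /proc data.

Illustrative detection code written for this article (not BlackBerry/Intezer
tooling). Assumes the standard Linux /proc layout; TRUSTED_LIB_DIRS is an
assumed allowlist that should be tuned for the distribution in use.
"""
import os
import re

# Assumption: system libraries normally live under these prefixes.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Matches "libfoo.so", "libc.so.6" and "libfoo.so (deleted)" at the end of a maps line.
SO_RE = re.compile(r"\.so(\.[0-9]+)*(?: \(deleted\))?$")

# Constructed sample inputs, so the parsers can be exercised without a live host.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/libsample.so\0HOME=/root\0"
SAMPLE_PRELOAD_FILE = "# constructed sample\n/tmp/.cache/libsample.so\n"
SAMPLE_MAPS = (
    "7f3c1e000000-7f3c1e022000 r--p 00000000 08:01 131072 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3c1e400000-7f3c1e401000 r-xp 00000000 08:01 262144 /tmp/.cache/libsample.so\n"
    "7f3c1e500000-7f3c1e501000 r-xp 00000000 08:01 262145 /dev/shm/libgone.so (deleted)\n"
    "7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]\n"
)


def preload_entries_from_environ(environ_blob: bytes) -> list[str]:
    """Return LD_PRELOAD paths from a /proc/<pid>/environ blob (NUL-separated KEY=VALUE)."""
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode("utf-8", errors="replace")
            # The loader accepts colon- or space-separated lists.
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []


def preload_entries_from_config(text: str) -> list[str]:
    """Return library paths listed in /etc/ld.so.preload (one per line, '#' comments)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def suspicious_mapped_libraries(maps_text: str) -> list[str]:
    """Scan /proc/<pid>/maps text; flag .so mappings outside trusted dirs or backed by a deleted file."""
    flagged = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6:          # anonymous mapping, no backing path
            continue
        path = fields[5]
        if not SO_RE.search(path):   # skip [heap], [stack], the main binary, data files
            continue
        if path.endswith("(deleted)") or not path.startswith(TRUSTED_LIB_DIRS):
            flagged.add(path)
    return sorted(flagged)


def scan_live_system(proc_root: str = "/proc", preload_file: str = "/etc/ld.so.preload") -> dict:
    """Run all three checks on the local host (Linux only; root is needed to read every process)."""
    report = {"ld_so_preload": [], "env_preload": {}, "odd_libraries": {}}
    if os.path.exists(preload_file):
        with open(preload_file, encoding="utf-8", errors="replace") as fh:
            report["ld_so_preload"] = preload_entries_from_config(fh.read())
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "environ"), "rb") as fh:
                env_hits = preload_entries_from_environ(fh.read())
            with open(os.path.join(base, "maps"), encoding="utf-8", errors="replace") as fh:
                map_hits = suspicious_mapped_libraries(fh.read())
        except OSError:              # process exited or is not readable
            continue
        if env_hits:
            report["env_preload"][pid] = env_hits
        if map_hits:
            report["odd_libraries"][pid] = map_hits
    return report


if __name__ == "__main__":
    print("LD_PRELOAD in environ:", preload_entries_from_environ(SAMPLE_ENVIRON))
    print("/etc/ld.so.preload:", preload_entries_from_config(SAMPLE_PRELOAD_FILE))
    print("odd libraries:", suspicious_mapped_libraries(SAMPLE_MAPS))
    if os.path.isdir("/proc/self"):
        print("live scan:", scan_live_system())
```

One caveat follows directly from the article: a hooked `libc` on the box can lie to any tool that reads `/proc` through it, so the live scan is most trustworthy when run from a statically linked binary, from a rescue image, or against a disk image mounted elsewhere; the parsers above work on copied-out data either way.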

To hide its malicious network activity on the compromised machine, Symbiote scrubs connection entries it wants to hide, performs packet filtering via BPF, and removes UDP traffic to domain names in its list. This stealthy new malware is primarily used for automated credential harvesting from hacked Linux devices by hooking the “libc read” function. This is a crucial mission when targeting Linux servers in high-value networks, as stealing admin account credentials opens the way to unobstructed lateral movement and unlimited access to the entire system. Such advanced and highly evasive threats used in attacks against Linux systems are expected to increase significantly in the upcoming period, as large and valuable corporate networks use this platform extensively.

May 21st, 2024
