The files extracted from all the samples we examined are shown in the list below. If the calling application is not trying to access something under /proc, the malware instead scrubs the result from a file list. The process names in the list below were extracted from the samples we have discovered. If the calling application is trying to access a file or folder under /proc, the malware scrubs the output from process names that are on its list. The image below shows a summary of the malware’s evasions.įigure 2: Logic for resolving readdir from libc Symbiote uses this to hide its presence on the machine by hooking libc and libpcap functions. Since it is loaded first, it can “hijack the imports” from the other library files loaded for the application. This allows it to be loaded before any other shared objects. The malware is designed to be loaded by the linker via the LD_PRELOAD directive.
#ESET ENDPOINT SECURITY LINUX SOFTWARE#
In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see. When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured. However, Symbiote utilizes BPF to hide malicious network traffic on an infected machine. For example, an advanced backdoor attributedto the Equation Grouphas been using BPF for covert communication. Symbiote is not the first Linux malware to use BPF. One interesting technical aspect of Symbiote is its Berkeley Packet Filter (BPF) hooking functionality. Since it is extremely evasive, a Symbiote infection is likely to “fly under the radar.” In our research, we haven’t found enough evidence to determine whether Symbiote is being used in highly targeted or broad attacks. In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges. Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware. Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. Our earliest detection of Symbiote is from November 2021, and it appears to have been written to target the financial sector in Latin America. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. We have aptly named this malware Symbiote. A few months back, we discovered a new, undetected malware that acts in this parasitic nature affecting Linux® operating systems. The symbiosis can be mutually beneficial to both organisms, but sometimes it can be parasitic when one benefits and the other is harmed. In biology, a symbiote is an organism that lives in symbiosis with another organism. It can be found on the Intezer blog here as well.
This research is a joint effort between Joakim Kennedy, Security Researcher at Intezer, and the BlackBerry Research & Intelligence Team.