A team of cybersecurity researchers from BlackBerry and Intezer has identified a new Linux malware that, according to the companies, is “nearly impossible to detect.”
Dubbed “Symbiote,” the threat can be used to backdoor infected systems.
“What makes Symbiote different from other Linux malware that we usually come across is that it needs to infect other running processes to inflict damage on infected machines,” BlackBerry and Intezer wrote in a joint blog post.
In other words, instead of being a standalone executable file (which usually has to be run to infect a machine), Symbiote is a shared object (SO) library that is loaded into all running processes.
“Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability,” the researchers wrote.
In addition, performing live forensics on an infected machine may not reveal any traces of infection, since all of the files, processes, and network artifacts are hidden by the malware.
From a technical standpoint, Symbiote uses Berkeley Packet Filter (BPF) hooking to hide malicious network traffic on an infected machine, evading administrators’ attempts to identify and capture suspect packets.
“When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured,” reads the post.
“In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see.”
That said, the researchers reported that network telemetry can still be used to detect anomalous DNS requests, since the filtering happens on the infected host rather than on the wire.
The team also warned the security community to ensure that security tools such as antivirus and endpoint detection and response (EDR) agents are statically linked, so that they cannot be “infected” by userland rootkits that rely on the dynamic loader.
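The static-linking advice above rests on a simple property: a shared-object rootkit can only be mapped into a process that uses the dynamic loader, so a fully static binary has nothing for it to hook. The script below is an added example, not BlackBerry's or Intezer's code. It reads ELF program headers to decide whether a binary is statically linked (no PT_INTERP and no PT_DYNAMIC segment) and lists the standard user-land preload vectors, the LD_PRELOAD environment variable and /etc/ld.so.preload. The article does not name Symbiote's exact loading vector, so checking those two is an assumption about how such an object gets into every process; the sample ELF images are constructed inline so the example runs offline, and the function names are this example's own.

```python
"""Static-linking and preload-vector check (added example, not the researchers' code)."""
import os
import struct
import sys

PT_LOAD = 1
PT_DYNAMIC = 2
PT_INTERP = 3


def elf_program_headers(data: bytes):
    """Yield (p_type, p_offset, p_filesz) for every program header of an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]               # little- or big-endian
    if ei_class == 2:                              # ELF64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        fmt, fields = end + "IIQQQQ", (0, 2, 5)    # p_type, p_offset, p_filesz
    elif ei_class == 1:                            # ELF32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        fmt, fields = end + "IIIII", (0, 1, 4)
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        ph = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        yield tuple(ph[k] for k in fields)


def link_info(data: bytes) -> dict:
    """A dynamically linked executable carries PT_INTERP (naming the loader) and
    PT_DYNAMIC; a fully static one has neither, so nothing can be preloaded into it."""
    interp, dynamic = None, False
    for p_type, p_offset, p_filesz in elf_program_headers(data):
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            dynamic = True
    return {"static": interp is None and not dynamic, "interpreter": interp}


def preload_vectors(environ=None, ld_so_preload="/etc/ld.so.preload") -> list:
    """Return (vector, value) pairs for preload mechanisms that would inject a
    shared object into every dynamically linked process started on this host."""
    environ = os.environ if environ is None else environ
    findings = []
    if environ.get("LD_PRELOAD"):
        findings.append(("LD_PRELOAD", environ["LD_PRELOAD"]))
    if os.path.isfile(ld_so_preload):
        with open(ld_so_preload) as fh:
            entries = [line.strip() for line in fh if line.strip()]
        if entries:
            findings.append((ld_so_preload, ":".join(entries)))
    return findings


def build_elf64(segments) -> bytes:
    """Construct a minimal little-endian x86-64 ELF image from (p_type, payload)
    pairs. Constructed sample data so the example runs offline; not a real binary."""
    ehdr_size, phdr_size = 64, 56
    body_off = ehdr_size + phdr_size * len(segments)
    body, entries = b"", []
    for p_type, payload in segments:
        entries.append((p_type, body_off + len(body), len(payload)))
        body += payload
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, ehdr_size, 0, 0,
                        ehdr_size, phdr_size, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, off, 0, 0, n, n, 1)
                     for t, off, n in entries)
    return ehdr + phdrs + body


# Constructed samples: one dynamically linked image, one fully static image.
DYNAMIC_SAMPLE = build_elf64([(PT_INTERP, b"/lib64/ld-linux-x86-64.so.2\0"),
                              (PT_DYNAMIC, b"\0" * 16), (PT_LOAD, b"\xc3")])
STATIC_SAMPLE = build_elf64([(PT_LOAD, b"\xc3")])

if __name__ == "__main__":
    # With no arguments, report on the constructed samples; otherwise on real files.
    targets = sys.argv[1:] or ["<dynamic sample>", "<static sample>"]
    for target in targets:
        if target.startswith("<"):
            data = DYNAMIC_SAMPLE if "dynamic" in target else STATIC_SAMPLE
        else:
            with open(target, "rb") as fh:
                data = fh.read()
        print(target, link_info(data))
    for vector, value in preload_vectors():
        print("preload vector present:", vector, "=", value)
```

Run it as `python3 check_static.py /usr/bin/tcpdump /opt/edr/agent` to see which tools on a host still depend on the loader. One caveat follows directly from the article: on a host that is already infected, the rootkit hides its own files from every dynamically linked process, and a stock Python interpreter is one of them, so the ld.so.preload check can come back clean even when the file exists. Run the check from a statically linked tool, or against a disk image mounted on a clean machine; that is exactly the gap the static-linking recommendation closes. LD_PRELOAD is also inherited per process, so a clean shell environment does not prove anything about processes started elsewhere (/proc/<pid>/environ for each running process is the more complete source).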
Despite only publishing their research this week, the team said it first detected the malware in November 2021 across several financial institutions in Latin America.
That assessment is based on the fact that domain names used by the Symbiote malware impersonated some major Brazilian banks.
While BlackBerry and Intezer said they could not confirm the attribution, they did say the malware appeared to be an entirely new threat.
“When we first analyzed the samples with Intezer Analyze, only unique code was detected […] As no code is shared between Symbiote and Ebury/Windigo or any other known malware, we can confidently conclude that Symbiote is a new, undiscovered Linux malware.”