Cybersecurity researchers have taken the wraps off what they call a "nearly-impossible-to-detect" Linux malware that could be weaponized to backdoor infected systems.
Dubbed Symbiote by threat intelligence firms BlackBerry and Intezer, the stealthy malware is so named for its ability to conceal itself within running processes and network traffic and drain a victim's resources like a parasite.
The operators behind Symbiote are believed to have commenced development on the malware in November 2021, with the threat actor predominantly using it to target the financial sector in Latin America, including banks like Banco do Brasil and Caixa.
"Symbiote's main objective is to capture credentials and to facilitate backdoor access to a victim's machine," researchers Joakim Kennedy and Ismael Valenzuela said in a report shared with The Hacker News. "What makes Symbiote different from other Linux malware is that it infects running processes rather than using a standalone executable file to inflict damage."
It achieves this by leveraging a native Linux feature called LD_PRELOAD — a technique previously employed by malware such as Pro-Ocean and Facefish — so as to be loaded by the dynamic linker into all running processes and infect the host.
Besides hiding its presence on the file system, Symbiote is also capable of cloaking its network traffic by making use of the extended Berkeley Packet Filter (eBPF) feature. This is carried out by injecting itself into an inspection software's process and using BPF to filter out results that would reveal its activity.
Upon hijacking all running processes, Symbiote enables rootkit functionality to further hide evidence of its presence and provides a backdoor for the threat actor to log in to the machine and execute privileged commands. It has also been observed storing captured credentials encrypted in files masquerading as C header files.
This is not the first time a malware with similar capabilities has been spotted in the wild. In February 2014, ESET revealed a Linux backdoor called Ebury that's built to steal OpenSSH credentials and maintain access to a compromised server.
"Since the malware operates as a user-land level rootkit, detecting an infection may be difficult," the researchers concluded. "Network telemetry can be used to detect anomalous DNS requests and security tools such as AVs and EDRs should be statically linked to ensure they are not 'infected' by userland rootkits."
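The LD_PRELOAD mechanism the report describes works through the dynamic linker: shared objects named in the LD_PRELOAD environment variable or listed in /etc/ld.so.preload are loaded ahead of libc into every dynamically linked process, so the functions they export shadow the library's own. The script below is an added example, not code from the BlackBerry/Intezer report, showing the host-side checks a defender can run for those two loading paths plus shared objects mapped from unusual locations or deleted while still mapped. The environ and maps content it is tested against is constructed, and the allow-list of library directories is an assumption to be tuned per distribution.

```python
"""Added example (not from the report): look for LD_PRELOAD-style userland
rootkit indicators on a Linux host. The parsing functions take text/bytes
so they can be exercised on constructed input as well as the live /proc tree."""
import os
import re

# Standard glibc path for system-wide preloads; nothing here is Symbiote-specific.
LD_SO_PRELOAD = "/etc/ld.so.preload"

# Assumed "normal" library locations; tune for the distribution being checked.
LIBRARY_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")


def parse_environ(blob: bytes) -> dict:
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE records)."""
    env = {}
    for rec in blob.split(b"\0"):
        if b"=" not in rec:
            continue
        key, _, val = rec.partition(b"=")
        env[key.decode(errors="replace")] = val.decode(errors="replace")
    return env


def preload_from_environ(blob: bytes) -> list:
    """Shared objects named by LD_PRELOAD in an environ blob (empty if unset)."""
    raw = parse_environ(blob).get("LD_PRELOAD", "")
    # The dynamic linker accepts colon- or whitespace-separated lists.
    return [p for p in re.split(r"[:\s]+", raw) if p]


def parse_ld_so_preload(text: str) -> list:
    """Entries of /etc/ld.so.preload: one path per line, '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def suspicious_mapped_objects(maps_text: str) -> list:
    """Shared objects in /proc/<pid>/maps that sit outside LIBRARY_DIRS or
    were deleted from disk while still mapped (a common rootkit artifact)."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue  # anonymous mapping with no path column
        path = parts[5]
        if not path.startswith("/"):
            continue  # [heap], [stack], [vdso] and friends
        if ".so" not in os.path.basename(path):
            continue  # the executable itself, locale archives, data files
        if path.endswith(" (deleted)") or not path.startswith(LIBRARY_DIRS):
            found.add(path)
    return sorted(found)


def scan_host(proc_root: str = "/proc") -> dict:
    """Walk the live procfs; returns ld.so.preload entries plus, per pid,
    any LD_PRELOAD value and odd mappings. Only root can read every environ."""
    findings = {"ld_so_preload": [], "processes": {}}
    try:
        with open(LD_SO_PRELOAD) as f:
            findings["ld_so_preload"] = parse_ld_so_preload(f.read())
    except OSError:
        pass  # absent on a clean host
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "environ"), "rb") as f:
                preload = preload_from_environ(f.read())
            with open(os.path.join(base, "maps")) as f:
                odd = suspicious_mapped_objects(f.read())
        except OSError:
            continue  # process exited or permission denied
        if preload or odd:
            findings["processes"][int(pid)] = {"LD_PRELOAD": preload, "maps": odd}
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(scan_host(), indent=2))
```

Run as root to walk the whole /proc tree. Because CPython is itself dynamically linked, a preload rootkit that hooks libc's file and directory functions can hide /etc/ld.so.preload from this script and filter what it reads under /proc, which is exactly why the report recommends statically linking detection tools; run the same checks from a statically linked binary or a rescue medium, or compare the output with telemetry collected outside the host.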