Linux Users Have A New Undetectable Malware To Worry About… And It’s Called Symbiote
Posted in Commentary with tags BlackBerry, LINUX on June 12, 2022 by itnerd
Researchers and the BlackBerry Threat Research & Intelligence Team have come across a new and undetectable piece of Linux malware. It’s called Symbiote:
What makes Symbiote different from other Linux malware that we usually come across is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.
And:
Symbiote is very stealthy. The malware is designed to be loaded by the linker via the LD_PRELOAD directive. This allows it to be loaded before any other shared objects. Since it is loaded first, it can “hijack the imports” from the other library files loaded for the application. Symbiote uses this to hide its presence on the machine by hooking libc and libpcap functions.
So in short, it evades detection and gives a threat actor significant control of a Linux machine. And since it does evade detection, it’s unclear how pervasive it is in the wild, which means that it could be on a lot of Linux-based computers. On top of that, how is it delivered to the target computer? Knowing that would help in terms of protecting yourself. The bottom line is that there’s still a lot that we don’t know about it. Hopefully BlackBerry follows up with a lot more detail on this threat.
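Because the quoted report says the malware hides by hooking libc functions inside every process that loads it, the standard defender's check is to ask the kernel the same question without going through libc and compare the two answers. The program below is an added example written for this post; it is not code from BlackBerry or from the malware. It assumes a Linux host with glibc, and the function names (count_hidden_entries, preload_file_entries), the default directory list and the 4096-entry cap are choices made here for illustration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_ENTRIES 4096   /* per-directory cap, chosen for this example */
#define NAME_LEN    256

/* Kernel dirent layout returned by getdents64 (distinct from libc's struct dirent). */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* Directory listing through libc (opendir/readdir). A preloaded library that
 * interposes readdir decides what this function gets to see. */
static int list_via_libc(const char *path, char names[][NAME_LEN]) {
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while (n < MAX_ENTRIES && (e = readdir(d)) != NULL)
        snprintf(names[n++], NAME_LEN, "%s", e->d_name);
    closedir(d);
    return n;
}

/* Directory listing straight from the kernel via raw syscalls (openat and
 * getdents64). No libc wrapper is involved, so an LD_PRELOAD hook cannot filter it. */
static int list_via_syscall(const char *path, char names[][NAME_LEN]) {
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY, 0);
    if (fd < 0) return -1;
    static char buf[65536];
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0) break;
        for (long pos = 0; pos < nread && n < MAX_ENTRIES;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            snprintf(names[n++], NAME_LEN, "%s", d->d_name);
            pos += d->d_reclen;
        }
    }
    syscall(SYS_close, fd);
    return n;
}

/* Count entries the kernel reports that the libc view omits. 0 means the two
 * views agree; >0 is the classic sign of a userland rootkit hiding files;
 * -1 means the directory could not be opened. */
int count_hidden_entries(const char *path) {
    static char via_libc[MAX_ENTRIES][NAME_LEN], via_sys[MAX_ENTRIES][NAME_LEN];
    int nl = list_via_libc(path, via_libc);
    int ns = list_via_syscall(path, via_sys);
    if (nl < 0 || ns < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < ns; i++) {
        int found = 0;
        for (int j = 0; j < nl && !found; j++)
            found = strcmp(via_sys[i], via_libc[j]) == 0;
        if (!found) {
            hidden++;
            printf("hidden from libc: %s/%s\n", path, via_sys[i]);
        }
    }
    return hidden;
}

/* Count whitespace-separated library paths in an ld.so.preload-style file,
 * the system-wide form of the LD_PRELOAD directive. A missing file yields 0,
 * which is the expected state on most hosts. */
int preload_file_entries(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    char line[1024];
    int n = 0;
    while (fgets(line, sizeof line, f))
        for (char *tok = strtok(line, " \t\r\n"); tok; tok = strtok(NULL, " \t\r\n")) {
            printf("preload entry: %s\n", tok);
            n++;
        }
    fclose(f);
    return n;
}

int main(int argc, char **argv) {
    /* Default directories to compare (a constructed sample set; pass your own on argv). */
    const char *defaults[] = { "/etc", "/tmp", "/usr/lib" };
    int count = argc > 1 ? argc - 1 : 3;
    int suspicious = 0;
    for (int i = 0; i < count; i++) {
        const char *dir = argc > 1 ? argv[i + 1] : defaults[i];
        int h = count_hidden_entries(dir);
        printf("%-20s hidden entries: %d\n", dir, h);
        if (h > 0) suspicious = 1;
    }
    int p = preload_file_entries("/etc/ld.so.preload");
    printf("/etc/ld.so.preload entries: %d\n", p);
    if (p > 0) suspicious = 1;
    return suspicious;   /* non-zero exit when anything looks wrong */
}
```

Run it as an unprivileged user against the directories you care about; on a clean system every directory reports 0 hidden entries and /etc/ld.so.preload is absent. A disagreement between the two listings, or a preload file you did not put there, is worth an incident ticket. The same comparison idea extends to the other functions the report says are hooked: anything libc or libpcap reports can be cross-checked against /proc or a raw syscall from a statically linked tool, which the LD_PRELOAD mechanism cannot touch.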