Malware targeting the Linux operating system often goes under-reported, as the perception still prevails that Linux is one of the smaller players in the Operating System (OS) landscape behind Microsoft’s Windows and Apple's macOS. Such perceptions ignore the fact that Linux runs a large share of the Internet: it powers web servers, where it is the most popular choice, and much of the Internet of Things.
When researchers discover new Linux malware that can be impossible to detect, that prevailing wisdom needs to be rewritten.
Security researchers from BlackBerry Threat Research & Intelligence team, together with Intezer security researcher Joakim Kennedy, published an article dealing with such a strain of Linux malware.
Named Symbiote by researchers because of its parasitic characteristics, the malware was discovered several months ago, and what it sets out to compromise struck researchers as unusual.
Typically, Linux malware attempts to compromise running processes; Symbiote instead acts as a shared object (SO) library that is loaded into all running processes via LD_PRELOAD.
Masquerading as an SO library gives the malware its “parasitic nature”: it lets the malware claw its way deep into the operating system, giving it functionality similar to a rootkit.
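The two places a library can be forced into every dynamically linked process on a Linux host are the `/etc/ld.so.preload` file and the `LD_PRELOAD` variable in a process's environment. The audit below is an added example, not code from the BlackBerry/Intezer report or from the Symbiote samples; it parses both sources and flags preload entries that do not live in the standard library directories. The `TRUSTED_DIRS` list is an assumption for this example, and the inputs in the comments are constructed.

```python
"""Audit LD_PRELOAD-style injection points on a Linux host.

Added example (not from the report). The parsing functions take raw text
or bytes so they can be exercised on constructed input; only audit_host()
reads the live system.
"""
import os
import re
from typing import Dict, List

# Assumption for this example: legitimately preloaded libraries live here,
# so anything outside these directories deserves a closer look.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

_SEP = re.compile(r"[\s:]+")  # the loader accepts whitespace or ':' separators


def parse_ld_so_preload(text: str) -> List[str]:
    """Return the library paths listed in an ld.so.preload file.

    Lines may carry '#' comments; entries are whitespace- or colon-separated.
    """
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in _SEP.split(line) if p)
    return entries


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse the NUL-separated contents of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def suspicious_preloads(paths: List[str]) -> List[str]:
    """Flag preload entries outside the trusted library directories.

    Bare names (resolved through the library search path) are flagged too,
    because a same-named file earlier in the search order would win.
    """
    return [p for p in paths if not p.startswith(TRUSTED_DIRS)]


def audit_process(pid: int) -> List[str]:
    """Return suspicious LD_PRELOAD entries for one live process."""
    try:
        with open(f"/proc/{pid}/environ", "rb") as fh:
            env = parse_environ(fh.read())
    except OSError:  # process gone or not ours
        return []
    return suspicious_preloads([p for p in _SEP.split(env.get("LD_PRELOAD", "")) if p])


def audit_host() -> Dict[str, List[str]]:
    """Check /etc/ld.so.preload and every process environment."""
    findings: Dict[str, List[str]] = {}
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            bad = suspicious_preloads(parse_ld_so_preload(fh.read()))
        if bad:
            findings["/etc/ld.so.preload"] = bad
    for name in os.listdir("/proc"):
        if name.isdigit():
            bad = audit_process(int(name))
            if bad:
                findings[f"pid {name}"] = bad
    return findings


if __name__ == "__main__":
    # Constructed sanity check, then the live host.
    print(suspicious_preloads(parse_ld_so_preload("/usr/lib/libok.so\n/tmp/x.so  # odd")))
    for where, libs in audit_host().items():
        print(f"{where}: {libs}")
```

The caveat a practitioner needs: this script is itself a dynamically linked process, so a library that hooks `open`, `read` or `readdir` in libc can hide the very entries it is looking for. Run it from a statically linked interpreter, from a rescue environment, or against a disk image mounted offline, and treat a clean result from the live host as weak evidence only.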
Kaspersky Labs defines rootkits as,
“A rootkit is a type of malware designed to give hackers access to and control over a target device. Although most rootkits affect the software and the operating system, some can also infect your computer’s hardware and firmware. Rootkits are adept at concealing their presence, but while they remain hidden, they are active.”
Interestingly, the name rootkit derives from the Linux term root, the user account with administrative privileges. This highly privileged account gives the user the utmost control over the system, which is something malware developers cherish and aim to achieve with an infection. In the case of Symbiote, its rootkit functionality includes the ability to harvest credentials and a remote access capability.
Symbiote was first detected in November 2021, with researchers believing that it was written to target the financial sector in Latin America. As for the attack chain, this was summarised by researchers as,
“Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. Performing live forensics on an infected machine may not turn anything up since all the files, processes, and network artifacts are hidden by the malware. In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges.”
Researchers noted that, because of Symbiote’s fly-under-the-radar approach, it has been difficult to determine whether the malware is being used in targeted or broad-based attacks. However, researchers have been able to identify several interesting features of the malware.
One such feature is the malware’s use, or, as some might put it, abuse, of the Berkeley Packet Filter (BPF). BPF is typically used by packet-capture tools to select which network traffic to analyze; it provides a raw interface to the data link layer, permitting raw link-layer packets to be sent and received.
The malware uses BPF hooking to hide malicious traffic on an infected machine. This technique has previously been seen employed by the Equation Group. BlackBerry researchers elaborated on how Symbiote uses BPF to its advantage, stating,
“When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured. In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn't want the packet-capturing software to see.”
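To make the quoted mechanism concrete: a capture tool such as tcpdump compiles its filter expression into classic BPF instructions (visible with `tcpdump -dd`), the kernel runs that program on every packet, and a packet is kept only when the program returns a non-zero byte count. The interpreter below is an added example, not code from the report or from tcpdump; it supports just the opcodes a simple filter needs, and the `SAMPLE_DD` text and the two Ethernet frames are constructed for the example (the sample mirrors the shape of `tcpdump -dd ip` on an Ethernet link).

```python
"""Minimal classic-BPF interpreter (added example, not from the report).

Shows what the bytecode a capture tool hands to the kernel looks like and
how it decides, packet by packet, what the capture gets to see.
"""
import re
import struct
from typing import List, Tuple

Insn = Tuple[int, int, int, int]  # (opcode, jt, jf, k)

# Opcode values from <linux/filter.h>
LD_W_ABS, LD_H_ABS, LD_B_ABS = 0x20, 0x28, 0x30  # BPF_LD|BPF_ABS, word/half/byte
JEQ_K = 0x15                                     # BPF_JMP|BPF_JEQ|BPF_K
RET_K = 0x06                                     # BPF_RET|BPF_K

_DD_LINE = re.compile(
    r"\{\s*(0x[0-9a-f]+|\d+),\s*(\d+),\s*(\d+),\s*(0x[0-9a-f]+|\d+)\s*\}", re.I
)

# Constructed sample in the format `tcpdump -dd` prints: ldh [12];
# jeq #0x800 jt 0 jf 1; ret #262144; ret #0 (keep IPv4 frames only).
SAMPLE_DD = """\
{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 1, 0x00000800 },
{ 0x6, 0, 0, 0x00040000 },
{ 0x6, 0, 0, 0x00000000 },
"""


def parse_dd_output(text: str) -> List[Insn]:
    """Parse '{ code, jt, jf, k },' lines into instruction tuples."""
    return [tuple(int(x, 0) for x in m.groups()) for m in _DD_LINE.finditer(text)]


def run_bpf(prog: List[Insn], pkt: bytes) -> int:
    """Return the byte count the program accepts for pkt (0 means drop)."""
    pc, acc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code in (LD_W_ABS, LD_H_ABS, LD_B_ABS):
            size = {LD_W_ABS: 4, LD_H_ABS: 2, LD_B_ABS: 1}[code]
            if k + size > len(pkt):
                return 0  # out-of-bounds load drops the packet, as the kernel does
            acc = int.from_bytes(pkt[k:k + size], "big")
        elif code == JEQ_K:
            pc += jt if acc == k else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
    return 0


def ethernet_frame(ethertype: int) -> bytes:
    """Constructed 14-byte Ethernet header plus a 20-byte dummy payload."""
    return b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ethertype) + b"\x45" + b"\x00" * 19


IPV4_FRAME = ethernet_frame(0x0800)
ARP_FRAME = ethernet_frame(0x0806)


def visible_frames(prog: List[Insn], frames: List[bytes]) -> int:
    """How many of the frames a capture using this program would see."""
    return sum(1 for f in frames if run_bpf(prog, f) > 0)


if __name__ == "__main__":
    prog = parse_dd_output(SAMPLE_DD)
    print(f"{len(prog)} instructions; visible: {visible_frames(prog, [IPV4_FRAME, ARP_FRAME])} of 2")
```

Because the program is evaluated top to bottom and the first `ret` wins, any instructions placed ahead of the administrator's filter decide what the capture sees before the filter runs at all. A defender who suspects the capture path can compile the same expression on a known-clean host with `tcpdump -dd` and compare the instruction list with what the suspect host produces, or capture from outside the machine (a mirror port or a network tap) where the host's loader cannot interfere.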
How the malware uses BPF is not the only stealth feature it can boast. Because the malware is pre-loaded before other shared objects, it can hook specific functions, namely functions in libc and libpcap, all in an effort to hide its presence.
Other files associated with Symbiote are also concealed, and the malware scrubs network entries that would reveal it. Furthermore, Symbiote harvests credentials by hooking the libc read function and facilitates remote access by hooking Linux Pluggable Authentication Module (PAM) functions.
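Hooking libc only fools callers that go through libc, and each hooked function has to be hooked separately. That gap is what a cross-view check exploits: the example below (added here, not code from the report) lists `/proc` through `readdir()` as `ps` would, then probes every possible PID directly with the `kill(pid, 0)` system call, and reports PIDs that answer the probe but are missing from the listing. The pure functions take constructed inputs; `gather_views()` reads the live host.

```python
"""Cross-view check for processes hidden from libc directory listings.

Added example, not from the report. A userland rootkit that hooks
readdir() can remove entries from a listing of /proc, but hiding the same
process from kill(pid, 0) requires hooking a different function; comparing
the two views exposes anything hidden from only one of them.
"""
import os
from typing import Iterable, Optional, Set, Tuple


def listed_pids(entries: Iterable[str]) -> Set[int]:
    """PIDs visible in a readdir()-style listing of /proc (numeric names only)."""
    return {int(e) for e in entries if e.isdigit()}


def hidden_pids(listed: Set[int], probed: Set[int]) -> Set[int]:
    """PIDs reachable by direct probe but absent from the listing."""
    return probed - listed


def probe_pid(pid: int) -> bool:
    """True if a process with this PID exists, judged by kill(pid, 0).

    Signal 0 delivers nothing; the kernel only reports whether the target
    exists (EPERM means it exists but belongs to someone else).
    """
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def gather_views(pid_max: Optional[int] = None) -> Tuple[Set[int], Set[int]]:
    """Collect both views on a live host."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    listed = listed_pids(os.listdir("/proc"))
    probed = {pid for pid in range(1, pid_max + 1) if probe_pid(pid)}
    return listed, probed


def confirmed_hidden() -> Set[int]:
    """Run the check twice so processes that simply exited in between drop out."""
    first = hidden_pids(*gather_views())
    second = hidden_pids(*gather_views())
    return first & second


if __name__ == "__main__":
    # Constructed illustration first, then the live host.
    print(hidden_pids(listed_pids(["1", "42", "self"]), {1, 42, 1337}))
    print("hidden on this host:", sorted(confirmed_hidden()))
```

Two practical notes: the probe loop walks up to `pid_max` (over four million on a default 64-bit kernel) and takes a few seconds in Python, and a short-lived process can appear in one view but not the other, which is why `confirmed_hidden()` keeps only PIDs that show up as hidden in two consecutive passes. The same idea applies to files: compare a `readdir()` listing of a directory against direct `stat()` calls on names obtained from another source, such as a package manifest or a prior inventory.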
As mentioned above, Symbiote appears to be geared towards the financial sector in Latin America. Evidence of this appears when its domain names are analyzed.
Domain names associated with Symbiote impersonate major Brazilian banks, and another linked server masqueraded as the Federal Police of Brazil.
Researchers noted several similarities between Symbiote and other discovered Linux malware, in particular Ebury, an OpenSSH backdoor that also performs credential stealing.
However, the authentication methods used to access the backdoors created by the two malware strains are completely different, which led researchers to conclude that Symbiote is a completely new Linux malware.
Given its emphasis on stealth, along with the ability to harvest credentials and grant remote access to the attackers, banking and financial institutions should be aware of the threat posed by Symbiote.