Impossible to Detect Linux Malware

Symbiote was discovered through a joint effort by the BlackBerry Research & Intelligence Team and security researchers at Intezer. Unlike most Linux malware, Symbiote is a new and hard-to-detect kind of threat.

The security teams first found Symbiote several months ago. Rather than a standalone executable, Symbiote is a shared object library: it is loaded through LD_PRELOAD, which causes the dynamic linker to inject it into every running process on the machine.

Because it rides inside other processes, the infection is parasitic. Once the malware is deeply embedded in a system, it provides the attackers with rootkit functionality that further extends their capabilities.

Symbiote

There have been several sightings of the malware since November 2021, when it was first spotted. The researchers assess that the malware was designed to target the financial sector in Latin America, and specifically:

  • Banco do Brasil
  • Caixa

Here is what the BlackBerry report states:

“Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. Performing live forensics on an infected machine may not turn anything up since all the files, processes, and network artifacts are hidden by the malware. In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges.”

“Since it is extremely evasive, a Symbiote infection is likely to “fly under the radar.” In our research, we haven’t found enough evidence to determine whether Symbiote is being used in highly targeted or broad attacks.”

The LD_PRELOAD mechanism loads Symbiote ahead of every other shared object, so that Symbiote's own versions of library functions take precedence over the legitimate ones; the report calls these "hijacked imports" from the other library files.

Files used

The file names associated with the malware are listed below:

  • apache2start
  • apache2stop
  • profiles.php
  • 404erro.php
  • javaserverx64
  • javaclientex64
  • javanodex86
  • liblinux.so
  • java.h
  • open.h
  • mpt86.h
  • sqlsearch.php
  • indexq.php
  • mt64.so
  • certbot.h
  • cert.h
  • certbotx64
  • certbotx86
  • javautils
  • search.so

One of the most notable features of this Linux malware is its stealth. Because it is preloaded into every process, it can hook specific functions and use them to hide any evidence that it is present.

Besides hiding these files, Symbiote continually scrubs its own network activity from the connection listings on the host, and its configuration files are hidden as well.
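One defensive answer to the network-hiding behaviour described above is to read the kernel's own socket table from /proc/net/tcp and compare it with what a user-space tool such as netstat reports. The script below is an added example, not code from the article or from the BlackBerry/Intezer research; the function names, the Socket record and every sample row are constructed for illustration.

```python
"""Cross-check the kernel's TCP socket table against a user-space tool's report.

Added example, not from the original article or the BlackBerry/Intezer research.
A preloaded library can lie to netstat by hooking the libc calls it uses, so a
socket present in /proc/net/tcp but absent from the tool's output is worth a look.
All sample data below is constructed.
"""
from dataclasses import dataclass

# Socket states as encoded (hex) in /proc/net/tcp; only the common ones are listed.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}


@dataclass(frozen=True)
class Socket:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    uid: int
    inode: int


def _decode_endpoint(field: str) -> tuple[str, int]:
    """'0100007F:0277' -> ('127.0.0.1', 631).

    The IPv4 address is hex in host byte order, which is little-endian on x86,
    so the octets are read from the end of the string backwards."""
    hex_ip, hex_port = field.split(":")
    octets = [str(int(hex_ip[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(hex_port, 16)


def parse_proc_net_tcp(text: str) -> list[Socket]:
    """Parse /proc/net/tcp; the header line is skipped, short lines are ignored."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = _decode_endpoint(f[1])
        rip, rport = _decode_endpoint(f[2])
        sockets.append(Socket(lip, lport, rip, rport,
                              TCP_STATES.get(f[3], f[3]), int(f[7]), int(f[9])))
    return sockets


def hidden_sockets(kernel_view: list[Socket],
                   tool_view: set[tuple[str, int, str]]) -> list[Socket]:
    """Sockets the kernel reports that the tool did not.

    tool_view holds (local_ip, local_port, state) tuples parsed from a tool such as
    netstat or ss by the caller (parsing that output is outside this example)."""
    return [s for s in kernel_view
            if (s.local_ip, s.local_port, s.state) not in tool_view]


# Constructed /proc/net/tcp content: sshd and cups listening, plus one outbound
# connection from uid 1000 to 192.168.1.1:8080 that the "tool" below omits.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18765 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18901 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:B70C 0101A8C0:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 25511 1 0000000000000000 20 4 30 10 -1
"""

# Constructed view of what a (hooked) netstat printed: the connection is missing.
SAMPLE_TOOL_VIEW = {("0.0.0.0", 22, "LISTEN"), ("127.0.0.1", 631, "LISTEN")}


def demo() -> list[Socket]:
    """Run the comparison on the constructed sample; returns the hidden sockets."""
    return hidden_sockets(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), SAMPLE_TOOL_VIEW)


if __name__ == "__main__":
    for s in demo():
        print(f"not reported by tool: {s.local_ip}:{s.local_port} -> "
              f"{s.remote_ip}:{s.remote_port} {s.state} uid={s.uid} inode={s.inode}")
    # On a live host: parse_proc_net_tcp(open("/proc/net/tcp").read())
```

On a real host, feed the kernel view from /proc/net/tcp (and /proc/net/tcp6, whose addresses are 32 hex digits and need a separate decoder) and build tool_view from the output of the tool you suspect is being lied to. The inode column also lets you map a socket back to its owning process through /proc/<pid>/fd, which is how a hidden socket is tied to a hidden process.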

A hook on libc's read function lets Symbiote harvest credentials, and a hook on the Linux PAM functions lets it provide remote access.
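The LD_PRELOAD loading described earlier and the function hooking described above both leave traces that a defender can hunt for. The script below is an added example, not code from the article or from the BlackBerry/Intezer research: it checks /etc/ld.so.preload, the LD_PRELOAD variable in each process's environment under /proc, and the shared objects mapped into each process. The .so names come from the article's file list; the helper names, the untrusted-directory heuristic and the sample data are assumptions made for this example.

```python
"""Hunt for LD_PRELOAD-style library injection on a Linux host.

Added example, not part of the original article or of the BlackBerry/Intezer
research.  Three places a preloaded shared object shows up are checked:
/etc/ld.so.preload, LD_PRELOAD in each process's environment, and each
process's memory maps.  Only the .so names come from the article.
"""
import os
import re
from pathlib import Path

# Shared-object names from the article's file list (the only .so entries there).
SUSPICIOUS_LIBS = {"liblinux.so", "mt64.so", "search.so"}

# Directories a legitimate library has little reason to be loaded from (assumption).
UNTRUSTED_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def parse_ld_so_preload(text: str) -> list[str]:
    """Return the library paths listed in /etc/ld.so.preload.

    Entries may be separated by whitespace or colons; '#' comments and blank
    lines are dropped here.  On a clean host the file is usually absent or empty,
    so any entry deserves review."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.replace(":", " ").split())
    return entries


def ld_preload_from_environ(environ: bytes) -> list[str]:
    """Extract LD_PRELOAD entries from a /proc/<pid>/environ blob (NUL separated)."""
    for item in environ.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            value = item[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [v for v in re.split(r"[:\s]+", value) if v]
    return []


def suspicious_maps(maps_text: str) -> list[str]:
    """Return mapped shared objects that match the article's names, live in an
    untrusted directory, or were deleted from disk after being mapped."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)      # addr perms offset dev inode pathname
        if len(parts) < 6:
            continue
        path = parts[5]
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        name = os.path.basename(path)
        if not (name.endswith(".so") or ".so." in name):
            continue
        if name in SUSPICIOUS_LIBS or path.startswith(UNTRUSTED_DIRS) or deleted:
            found.add(path)
    return sorted(found)


def scan_proc(proc: str = "/proc", preload_file: str = "/etc/ld.so.preload") -> list[str]:
    """Walk a live system and return human-readable findings (empty = nothing seen)."""
    findings = []
    pf = Path(preload_file)
    if pf.exists():
        for lib in parse_ld_so_preload(pf.read_text(errors="replace")):
            findings.append(f"{preload_file} lists {lib}")
    for pid_dir in Path(proc).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            for lib in ld_preload_from_environ((pid_dir / "environ").read_bytes()):
                findings.append(f"pid {pid_dir.name}: LD_PRELOAD={lib}")
            for path in suspicious_maps((pid_dir / "maps").read_text(errors="replace")):
                findings.append(f"pid {pid_dir.name}: maps {path}")
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited, or we are not root for that pid
    return findings


if __name__ == "__main__":
    for finding in scan_proc():
        print(finding)
```

Run it as root so every process's environ and maps are readable. The caveat follows directly from the article: the malware hooks the very libc calls used to list files and processes, so a scan started on the infected host can be lied to. Run it from a statically linked interpreter or a rescue medium, check /etc/ld.so.preload on the mounted disk offline, or corroborate with a memory image.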

Other servers linked to the campaign pose as the Federal Police of Brazil, and Symbiote's domain names impersonate major Brazilian banks.

A sample of the malware named certbotx64 was uploaded to VirusTotal and scanned there. The researchers note that this submission occurred before the malware's main infrastructure went live.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.