Researchers Discover New Symbiote Linux Malware Targeting Financial Institutions

Security

Security researchers have discovered a new Linux malware dubbed Symbiote that uses sophisticated techniques to hide its presence on compromised systems. The malware appears to be targeting financial institutions in Latin America, including Brazil.

Specifically, cyber security researchers from Intezer and The BlackBerry Threat Research & Intelligence Team first detected Symbiote in November 2021. The team explained that the malware is different from other Linux backdoors (that typically infect running processes) due to its “parasitic nature.”

The researchers say that the malware acts as a shared object (SO) library that is loaded across all processes running on the target machine with the help of LD_PRELOAD. Symbiote gives threat actors rootkit functionality required to harvest user credentials & gain remote access to the system.

As shown in the screenshot below, this malware has various capabilities, including Berkeley Packet Filter (BPF). This functionality enables the attackers to hide malicious network traffic on the compromised device.

“When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured,” the researchers explained. “In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see.”

Researchers Discover New Symbiote Linux Malware Targeting Financial Institutions

Symbiote is used as a credential theft tool

Additionally, Symbiote uses a stealth technique to load before any other shared objects. It enables the malware to conceal its own presence, other related files, and network entries on the system by hooking functions, such as libc and libpcap.

Researchers noted that the malware could be used as a method for harvesting user credentials via the libc read function. It is also able to hook some Linux Pluggable Authentication Module (PAM) functions in order to provide facilitation for remote access.

Currently, the Symbiote malware samples have only been submitted to VirusTotal, and there is no evidence that it is being actively exploited in the wild. “As no code is shared between Symbiote and Ebury/Windigo or any other known [Linux] malware, we can confidently conclude that Symbiote is a new, undiscovered Linux malware” the researchers added.