Impossible to Detect Linux Malware Features Never-Seen-Before Stealth Capabilities


Intezer and BlackBerry have discovered a sophisticated Linux malware that hijacks system processes and computing resources. Symbiote, the sophisticated malware, has serious stealth capabilities to obfuscate itself in the network traffic and system processes after taking over.

Security researchers have discovered a new parasitic infection in Linux systems. Caused by a malware aptly named Symbiote, this infection is “nearly impossible to detect,” according to Intezer researchers who collaborated with researchers at threat intelligence company BlackBerry to analyze the malware.

Symbiote is an entirely new malware capable of stealthily creating a backdoor in what is considered one of the most reliable operating systems available today. Linux is leveraged by the lion’s share of all enterprise servers, making them an attractive target to threat actors because of the computing power they offer.

This is exactly what the developers of Symbiote are aiming for, i.e., to hijack the target system’s resources, thus draining its computing power. Symbiote does this by infecting running processes and not relying on a standalone file-based infection chain.

Symbiote gives its operators rootkit capabilities: it harvests system credentials and grants remote access. This privileged access is provided by a backdoor through which the threat actors can essentially log in to the target system as any of its registered users.

However, the fact that Symbiote malware conceals itself in the system processes, file system, and network traffic to evade detection is perhaps its biggest strength. It uses LD_PRELOAD (T1574.006) to load itself into all running processes. “This allows it to be loaded before any other shared objects. Since it is loaded first, it can ‘hijack the imports’ from the other library files loaded for the application,” BlackBerry wrote.
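The following is an added defender-side example, not code from the article or from the BlackBerry/Intezer report. It demonstrates where the LD_PRELOAD technique (T1574.006) described above leaves evidence on a Linux host: the global /etc/ld.so.preload file, the LD_PRELOAD variable in a process's /proc/<pid>/environ, and the shared-object mappings in /proc/<pid>/maps that confirm a preloaded object is actually resident in a process. All inputs are passed in as text so the check runs offline on the constructed sample data embedded below; the file and library names in that data are invented placeholders.

```python
"""
Added example (not from the article or the BlackBerry/Intezer report): a
defender-side check for the LD_PRELOAD technique (ATT&CK T1574.006).
It reads the two places a preloaded shared object is declared on a Linux
host, /etc/ld.so.preload and LD_PRELOAD in each process's environment,
and cross-references /proc/<pid>/maps to see which processes actually
have the referenced object mapped. Inputs are plain text/bytes so the
logic runs offline on the constructed samples at the bottom.
"""
import re
from dataclasses import dataclass, field


@dataclass
class PreloadFinding:
    source: str                                  # "ld.so.preload" or "environ:<pid>"
    path: str                                    # shared object referenced
    mapped_in: list = field(default_factory=list)  # pids whose maps contain it


def parse_ld_so_preload(text):
    """Return the shared-object paths listed in /etc/ld.so.preload.
    The dynamic loader accepts entries separated by whitespace or colons
    and ignores '#' comments. On most hosts this file is absent or empty,
    so any entry at all deserves a look."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        for token in re.split(r"[\s:]+", line):
            if token:
                paths.append(token)
    return paths


def parse_environ(blob):
    """/proc/<pid>/environ is a NUL-separated list of KEY=VALUE pairs."""
    env = {}
    for item in blob.split(b"\x00"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def mapped_objects(maps_text):
    """Collect file-backed mappings from /proc/<pid>/maps (6th column)."""
    objs = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)          # keep paths containing spaces intact
        if len(parts) == 6 and parts[5].startswith("/"):
            objs.add(parts[5])
    return objs


def find_preload_indicators(ld_so_preload_text, processes):
    """processes: {pid: {"environ": bytes, "maps": str}}.
    Returns one PreloadFinding per declared preload object, annotated with
    the pids in which that object is actually mapped."""
    findings = []
    per_pid_maps = {pid: mapped_objects(p["maps"]) for pid, p in processes.items()}

    for path in parse_ld_so_preload(ld_so_preload_text):
        finding = PreloadFinding("ld.so.preload", path)
        finding.mapped_in = sorted(pid for pid, objs in per_pid_maps.items() if path in objs)
        findings.append(finding)

    for pid, p in processes.items():
        env = parse_environ(p["environ"])
        if "LD_PRELOAD" in env:
            for path in re.split(r"[\s:]+", env["LD_PRELOAD"]):
                if path:
                    finding = PreloadFinding(f"environ:{pid}", path)
                    finding.mapped_in = sorted(q for q, objs in per_pid_maps.items() if path in objs)
                    findings.append(finding)
    return findings


# Constructed sample data (placeholder names, not real indicators): one global
# preload entry mapped into pid 1234, and one process-local LD_PRELOAD in pid 5678.
SAMPLE_LD_SO_PRELOAD = "# constructed sample\n/usr/local/lib/libexample_preload.so\n"
SAMPLE_PROCESSES = {
    1234: {
        "environ": b"PATH=/usr/bin\x00HOME=/root\x00",
        "maps": ("7f00000000-7f00001000 r--p 00000000 08:01 1 /usr/lib/libc.so.6\n"
                 "7f00100000-7f00101000 r--p 00000000 08:01 2 /usr/local/lib/libexample_preload.so\n"),
    },
    5678: {
        "environ": b"LD_PRELOAD=/tmp/libhypothetical.so\x00SHELL=/bin/sh\x00",
        "maps": ("7f10000000-7f10001000 r--p 00000000 08:01 1 /usr/lib/libc.so.6\n"
                 "7f10100000-7f10101000 r--p 00000000 00:00 0 /tmp/libhypothetical.so\n"),
    },
}

if __name__ == "__main__":
    for f in find_preload_indicators(SAMPLE_LD_SO_PRELOAD, SAMPLE_PROCESSES):
        print(f"{f.source}: {f.path} mapped in pids {f.mapped_in or 'none'}")
```

Two caveats apply when running this against a live host. /proc/<pid>/environ reflects the environment a process started with, so a process that later altered its own variables will not show the change there, which is why the maps cross-check matters. And because the article notes that Symbiote hides its files and processes from other software on the same host, a check executed through the host's own dynamically linked libc may be blinded; collecting /etc/ld.so.preload and the /proc data with a statically linked tool, or from a forensic image, avoids depending on the library the malware is reported to hook.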

Symbiote Evasion Technique | Source: BlackBerry, Intezer


Not only does Symbiote hide itself, but it also hides the related files it deploys. It can conceal its network traffic using the extended Berkeley Packet Filter (eBPF) feature.

Symbiote shares common traits with Ebury, a Linux malware that came to light in 2014, in terms of its goals and some of its techniques. BlackBerry explained that both leverage hooked functions to steal credentials and exfiltrate the captured data as DNS requests, although the two differ in their authentication method. The company added that Symbiote doesn’t share its codebase with Ebury or any other known Linux malware such as Windigo.
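As an added example (not code from the article, BlackBerry or Intezer), the script below shows how a defender can look for the pattern the paragraph describes, captured data exfiltrated as DNS requests, in resolver query logs rather than on the infected host, whose traffic the article says the malware can conceal. It parses constructed BIND-style query-log lines and flags sources that issue many unique queries with long or high-entropy subdomains under one base domain. The log format, the thresholds, the zone split at the last two labels and the domain names are all assumptions chosen for illustration; a deployment would use a public-suffix list and a per-domain baseline.

```python
"""
Added example (not from the article or from BlackBerry/Intezer): a heuristic
detector for data exfiltrated as DNS requests, run over resolver query logs.
Encoded data smuggled in DNS labels tends to look like long, high-entropy
subdomains, and the names change with every query because each carries a
different chunk, so the detector counts unique suspicious names per
(source, base domain). Thresholds and log format are assumptions.
"""
import hashlib
import math
import re
from collections import Counter

# BIND-style "queries" log line; the optional @0x... client handle is tolerated.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def shannon_entropy(s):
    """Bits per character; random hex tops out near 4, English text near 4.2."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname):
    """Return (subdomain labels joined, base domain), treating the last two
    labels as the zone. Simplification: real code would consult a public
    suffix list so 'example.co.uk' is handled correctly."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return "".join(labels[:-2]), ".".join(labels[-2:])


def score_query(qname, max_sub_len=40, min_entropy=3.5):
    """Return (base_domain, reasons); an empty reasons list means unremarkable."""
    sub, base = split_qname(qname)
    reasons = []
    if len(sub) > max_sub_len:
        reasons.append("long-subdomain")
    if len(sub) >= 16 and shannon_entropy(sub) >= min_entropy:
        reasons.append("high-entropy")
    return base, reasons


def detect_dns_exfil(log_lines, min_unique_per_domain=5):
    """Return {(src, base_domain): unique suspicious qname count} for every
    source/domain pair whose count reaches the threshold."""
    suspicious = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        base, reasons = score_query(m["qname"])
        if reasons:
            suspicious.setdefault((m["src"], base), set()).add(m["qname"].lower())
    return {k: len(v) for k, v in suspicious.items() if len(v) >= min_unique_per_domain}


def _line(src, qname, qtype="A"):
    # Constructed log line in the assumed BIND format.
    return f"10-Jun-2022 12:00:01.000 client {src}#53211 ({qname}): query: {qname} IN {qtype} + (192.0.2.53)"


# Constructed sample log: ordinary lookups, six chunk-carrying queries from one
# host, and two from another that stay below the threshold. Payloads are
# deterministic hex derived from sha256 so the sample needs no external data.
def _payload(i):
    return hashlib.sha256(f"constructed-chunk-{i}".encode()).hexdigest()[:48]


SAMPLE_LOG = [
    _line("10.0.0.5", "www.example.com"),
    _line("10.0.0.5", "mail.corp.example.net", "MX"),
    _line("10.0.0.7", "updates.example.org"),
]
for i in range(6):
    p = _payload(i)
    SAMPLE_LOG.append(_line("10.0.0.5", f"{p[:24]}.{p[24:]}.exfil-test.example", "TXT"))
for i in range(100, 102):
    p = _payload(i)
    SAMPLE_LOG.append(_line("10.0.0.7", f"{p[:24]}.{p[24:]}.exfil-test.example", "TXT"))

if __name__ == "__main__":
    for (src, base), n in detect_dns_exfil(SAMPLE_LOG).items():
        print(f"{src} -> {base}: {n} unique suspicious queries")
```

The unique-name count is the part that separates this pattern from legitimate high-entropy names such as CDN or anti-spam hostnames, which repeat: a source that never asks the same long random-looking name twice under one zone is behaving like an encoder, not a client. Pair the heuristic with a per-domain baseline of normal query volume before alerting on it.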

The Symbiote malware sample that Intezer and BlackBerry tested was dated November 2021. The threat actors were trying to impersonate Brazilian banks, so financial institutions in Brazil and other Latin American countries could be their targets.

The domain names used in the malware sample also led researchers to a related sample, called certbotx64, that had been uploaded to VirusTotal before Symbiote’s backend infrastructure went online. Citing certain similarities with Symbiote, researchers believe that certbotx64 was uploaded to test antivirus detection before it was put to use.

Intezer researchers noted that “Symbiote is one of the most sophisticated Linux threats we’ve seen in recent times, but trends we’ve observed in the current threat landscape suggest it won’t be the last. As attackers increasingly focus their attention on Cloud servers and workloads, we anticipate seeing Linux threats on the rise.”
