A team of cybersecurity researchers from BlackBerry and Intezer has found a new Linux malware that, according to the firms, is "extremely hard to detect."
Dubbed "Symbiote," the threat can be weaponized to backdoor infected systems.
"What makes Symbiote different from other Linux malware that we usually come across is that it needs to infect other running processes to inflict damage on infected machines," BlackBerry and Intezer wrote in a joint blog post.
In other words, instead of being a standalone executable file (which ordinarily has to be run to infect a machine), Symbiote is a shared object (SO) library that is loaded into all running processes.
"Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability," the researchers wrote.
In addition, performing live forensics on an infected machine may not reveal any traces of infection, because all files, processes, and network artifacts are routinely hidden by the malware.
From a technical standpoint, Symbiote uses Berkeley Packet Filter (BPF) hooking functionality to hide malicious network traffic on an infected machine, evading administrators' attempts to discover and capture suspect packets.
"When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured," the post reads.
"In this process, Symbiote adds its bytecode first so it can filter out network traffic that it does not want the packet-capturing software to see."
Nevertheless, the researchers explained that network telemetry could be used to detect anomalous DNS requests.
The team also warned the security community to make sure that security tools such as antivirus and endpoint detection and response (EDR) are statically linked, so that they cannot be "infected" by userland rootkits.
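A shared-object rootkit of this kind only reaches processes that go through the dynamic loader, so the recommendation above amounts to checking that a security tool's binary has no PT_INTERP or PT_DYNAMIC program header. The following Python script is an added example, not code from the researchers' post, that parses the ELF header to make that check; the sample images it tests against are constructed in the script rather than taken from any real binary.

```python
import struct

# Program header types from the ELF specification.
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3


def is_dynamically_linked(data: bytes) -> bool:
    """Return True if the ELF image has a PT_INTERP or PT_DYNAMIC program
    header, i.e. it is started through the dynamic loader and therefore
    exposed to LD_PRELOAD-style userland hooking; statically linked tools
    have neither."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # 1 = ELF32 / 2 = ELF64, 1 = LE / 2 = BE
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:                              # ELF64 header layout
        e_phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    else:                                          # ELF32 header layout
        e_phoff = struct.unpack_from(endian + "I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    for i in range(e_phnum):                       # p_type is the first field of every phdr
        p_type = struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)[0]
        if p_type in (PT_INTERP, PT_DYNAMIC):
            return True
    return False


def audit_tools(paths):
    """Map each path to 'dynamic' or 'static'; an audit of EDR/AV binaries
    would feed their real paths here."""
    result = {}
    for path in paths:
        with open(path, "rb") as f:
            result[path] = "dynamic" if is_dynamically_linked(f.read()) else "static"
    return result


def build_elf64(p_types):
    """Constructed sample: a minimal little-endian ELF64 image (not loadable)
    whose program header table carries the given p_type values."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0,
                                 64, 56, len(p_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    return header + phdrs


if __name__ == "__main__":
    print("dynamic sample:", is_dynamically_linked(build_elf64([PT_LOAD, PT_INTERP, PT_DYNAMIC])))
    print("static sample: ", is_dynamically_linked(build_elf64([PT_LOAD, PT_LOAD])))
```

On a real host, `audit_tools(["/usr/bin/ls"])` on a typical distribution reports "dynamic", which is exactly the property that lets a preloaded shared object sit inside that process.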
Despite only publishing their research this week, the team said it first detected the malware in November 2021 across several financial institutions in Latin America.
The claims are based on the fact that domain names used by the Symbiote malware impersonated some major Brazilian banks.
While BlackBerry and Intezer said they could not confirm the attribution, they did say the malware appeared to be an entirely new threat.
"When we first analyzed the samples with Intezer Analyze, only unique code was detected [...] As no code is shared between Symbiote and Ebury/Windigo or any other known malware, we can confidently conclude that Symbiote is a new, undiscovered Linux malware."
Some parts of this article are sourced from:
www.infosecurity-journal.com