Cybersecurity experts discovered a "nearly-impossible-to-detect" Linux malware that can be exploited to backdoor infected systems. Known as Symbiote by threat intelligence firms Blackberry and intezer, the stealth malware is known for its capability to hide itself in running processes and network traffic and extract the target's data like a parasite.
The Hacker News says "this is not the first time a malware with similar capabilities has been spotted in the wild. In February 2014, ESET revealed a Linux backdoor called Ebury that's built to steal OpenSSH credentials and maintain access to a compromised server."
The actors behind Symbiote are believed to have started working on the malware in November 2021, using it for targeting financial institutions in Latin America, which includes banks such as Banco do Brazil and Caixa.
The main aim of Symbiote is to get credentials and fecilitate backdoor access to the target's systems. What makes Symbiote standout from other Linux malware is that it corrupts running processes instead of using a standalone file execution to cause damage.
It is done by leveraging a local Linux feature known as LD_PRELOAD- a technique earlier used by malware like Pro-Ocean and Facefish. It is later deployed by the dynamic linker into the running operations and start infecting the host. Other than hiding itself in the file system, Symbiote can also cloak its network traffic via using the extended Berkeley Packet Filter (eBPF) feature.
The task is attained via injecting the malware into an inspection software's processing and deploying BPF to categorize the results that will disclose the activities.
"Upon hijacking all running processes, Symbiote enables rootkit functionality to further hide evidence of its existence and provides a backdoor for the threat actor to log in to the machine and execute privileged commands. It has also been observed storing captured credentials encrypted in files masquerading as C header files," reports The Hacker News.