A new Linux malware that’s “nearly impossible to detect” can harvest credentials and gives attackers remote access and rootkit functionality by acting in a parasitic way to infect targets, researchers said.
Researchers from The BlackBerry Research and Intelligence Team have been tracking the malware, the earliest detection of which is from November 2021, security researcher Joakim Kennedy wrote in a blog post on the BlackBerry Threat Vector Blog published last week.
Researchers have appropriately dubbed the malware—which apparently was written to target the financial sector in Latin America—”Symbiote.” In biology, the word means an organism that lives in symbiosis with another organism.
The name is an homage to how the malware operates, which is differently than other Linux malware that researchers have encountered, Kennedy explained.
“What makes Symbiote different … is that it needs to infect other running processes to inflict damage on infected machines,” he wrote. “Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine.”
Once Symbiote has infected all the running processes, a threat actor can engage in various nefarious activity, including rootkit functionality, the ability to harvest credentials, and remote access capability, Kennedy said.
In addition to the rootkit capability, the malware also provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges, he added.
Evasive Maneuvers
Symbiote’s behavior isn’t the only thing that makes it unique, researchers said. It’s also highly evasive to such a degree that it’s “likely to fly under the radar,” making it extremely difficult to know if it’s even being used by threat actors at all, he said.
Some evasive tactics it uses is that by design, it is loaded by the linker via the LD_PRELOAD directive, which allows it to be loaded before any other shared objects, researchers found. This privilege of being loaded first allows it to hijack the imports from the other library files loaded for the application, they said. In this way, it hide its presence on the machine by hooking libc and libpcap functions, Kennedy said.
“Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect,” he explained. “Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware.”
In fact, researchers said they themselves could not uncover enough evidence to determine whether threat actors are currently using Symbiote ” in highly targeted or broad attacks,” he said.
Unusual DNS requests may be one way to detect if the malware is present on a system, researchers noted. However, typical antivirus or other security tools aimed at endpoint detection and response won’t pick up Symbiote, making organizations using Linux that rely on those protections at risk, they said.
Objectives
Attackers’ key objectives for wielding Symbiote are “to capture credentials and to facilitate backdoor access to infected machines,” Kennedy noted. He outlined in detail how the malware achieves both of these activities.
For credential harvesting, Symbiote hooks the libc read function; if an ssh or scp process is calling the function, it captures the credentials, which are first encrypted with RC4 using an embedded key and then written to a file, Kennedy said.
Attackers not only steal the credentials locally for access but also exfiltrate them by hex encoding and chunking up the data to be sent via DNS address record requests to a domain name that they control, he added.
To gain remote access to an infected machine, the malware hooks a few Linux Pluggable Authentication Module (PAM) functions, which allows it to authenticate to the machine with any service that uses PAM—including remote services such as Secure Shell (SSH), Kennedy said.
“When a service tries to use PAM to authenticate a user, the malware checks the provided password against a hardcoded password,” he explained. ” If the password provided is a match, the hooked function returns a success response.”
Once the threat actor has accomplished authentication, Symbiote allows for an attacker to gain root privileges by scanning the environment for the variable HTTP_SETTHIS, Kennedy said.
“If the variable is set with content, the malware changes the effective user and group ID to the root user, and then clears the variable before executing the content via the system command,” he explained.
