BlackBerry discovers Symbiote malware, a highly evasive Linux threat

Image by suttipunfpik via Freepik

In November 2021, BlackBerry discovered Symbiote, a new and highly evasive malware that acts “in a parasitic nature” affecting Linux operating systems, according to new joint research released by Dr. Joakim Kennedy, Security Researcher at Intezer, and the BlackBerry Research & Intelligence Team.

“What makes Symbiote different from other Linux malware that we usually come across is that it needs to infect other running processes to inflict damage on infected machines,” says Dr. Joakim Kennedy at the BlackBerry Research & Intelligence Team. “Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006) and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.”

According to the BlackBerry Research & Intelligence Team and Dr. Kennedy, Symbiote appears to have been written to target the financial sector in Latin America. Once the malware infects a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. In addition, performing live forensics on an infected machine may not turn anything up since the malware hides all the files, processes and network artifacts. The malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password and execute commands with the highest privileges.

Since it is extremely evasive, a Symbiote infection is likely to “fly under the radar.” The research did not find enough evidence to determine whether Symbiote is being used in highly targeted or broad attacks.

Symbiote also has the functionality to hide network activity on the infected machine. It uses three different methods to accomplish this. The first method involves hooking fopen and fopen64. The second method is hijacking any injected packet filtering bytecode, and the third method is to hook libpcap functions.

In addition to hiding malicious activity on the machine, Symbiote’s main objective is to harvest credentials and provide remote access for the threat actor, BlackBerry says. Mainly, the domain names used by the Symbiote malware are impersonating major Brazilian banks, suggesting that banks and their customers are the potential targets.

For all findings, please visit www.blogs.blackberry.com

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.