In November 2021, BlackBerry discovered Symbiote, a new and highly evasive malware that acts “in a parasitic nature” affecting Linux operating systems, according to new joint research released by Dr. Joakim Kennedy, Security Researcher at Intezer, and the BlackBerry Research & Intelligence Team. 

“What makes Symbiote different from other Linux malware that we usually come across is that it needs to infect other running processes to inflict damage on infected machines,” says Dr. Joakim Kennedy at the BlackBerry Research & Intelligence Team. “Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006) and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.”

According to the BlackBerry Research & Intelligence Team and Dr. Kennedy, Symbiote appears to have been written to target the financial sector in Latin America. Once the malware infects a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. In addition, performing live forensics on an infected machine may not turn anything up since the malware hides all the files, processes and network artifacts. The malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password and execute commands with the highest privileges.

Since it is extremely evasive, a Symbiote infection is likely to “fly under the radar.” The research did not find enough evidence to determine whether Symbiote is being used in highly targeted or broad attacks.

Symbiote also has the functionality to hide network activity on the infected machine. It uses three different methods to accomplish this. The first method involves hooking fopen and fopen64. The second method is hijacking any injected packet filtering bytecode, and the third method is to hook libpcap functions.

In addition to hiding malicious activity on the machine, Symbiote’s main objective is to harvest credentials and provide remote access for the threat actor, BlackBerry says. Mainly, the domain names used by the Symbiote malware are impersonating major Brazilian banks, suggesting that banks and their customers are the potential targets. 

For all findings, please visit www.blogs.blackberry.com