A newly discovered Linux malware known as Symbiote infects all running processes on compromised systems, steals account credentials, and gives its operators backdoor access.
The main objective of this malware we call “Symbiote” is to capture credentials and to facilitate backdoor access to a victim’s machine. Since the malware has so many ways to hide itself, including rootkit functionality, detecting an infection can be difficult. But Symbiote has even greater functionality in its bag of tricks.
How this technique works:
When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured, BlackBerry explained. In this process, Symbiote adds its own bytecode first so that it can filter out network traffic.
The most impressive element of the Linux malware is its stealth. The malware is pre-loaded before other shared objects, allowing it to hook specific functions.
Since the malware operates as a userland-level rootkit, detecting an infection may be difficult. Network telemetry can be used to detect anomalous DNS requests, and security tools such as AVs and EDRs should be added.
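As an added example (not code from the BlackBerry report or the Symbiote sample), the following Python audit looks for the preload mechanism described above: it lists the entries in /etc/ld.so.preload and flags shared objects mapped into a process from outside the usual library directories. The trusted directory list, the sample maps text and the library path in it are constructed assumptions.

```python
import re
from pathlib import Path

# Directories from which shared objects are normally loaded (assumption; adjust per distro).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# /proc/<pid>/maps line: address perms offset dev inode path
MAPS_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>/\S+\.so[.\d]*)$")

# Constructed sample input: a process with libc plus one object from an odd location.
SAMPLE_MAPS = """\
55d4e1c00000-55d4e1c22000 r--p 00000000 08:01 131072 /usr/bin/bash
7f1c2a000000-7f1c2a022000 r--p 00000000 08:01 1234567 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c2a100000-7f1c2a104000 r-xp 00000000 08:01 7654321 /tmp/.hidden/libexample.so
7f1c2a200000-7f1c2a221000 r--p 00000000 00:00 0 [vdso]
"""
SAMPLE_PRELOAD = "/tmp/.hidden/libexample.so  # constructed preload entry\n"

def parse_preload_file(text):
    """Return the shared objects listed in an /etc/ld.so.preload-style file.
    The loader accepts one or more paths per line (whitespace or colon separated);
    '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries

def suspicious_objects_in_maps(maps_text):
    """Return mapped shared objects that live outside TRUSTED_LIB_DIRS, sorted."""
    found = set()
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if m and not m.group("path").startswith(TRUSTED_LIB_DIRS):
            found.add(m.group("path"))
    return sorted(found)

def audit_host():
    """Live check: the preload file plus every readable process map on this host."""
    findings = {}
    preload = Path("/etc/ld.so.preload")
    if preload.exists():
        findings[str(preload)] = parse_preload_file(preload.read_text())
    for proc in Path("/proc").glob("[0-9]*"):
        try:
            hits = suspicious_objects_in_maps((proc / "maps").read_text())
        except OSError:  # process exited or not readable by this user
            continue
        if hits:
            findings[str(proc)] = hits
    return findings

if __name__ == "__main__":
    print(suspicious_objects_in_maps(SAMPLE_MAPS))
    print(audit_host())
```

Because a userland rootkit that hooks libc can hide files and directory entries from this script as well, run it from a statically linked interpreter or against an offline disk image rather than trusting output from the live, possibly hooked, process.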
A sample of the malware was uploaded to VirusTotal under the name certbotx64. The team suspects that, as submissions were made prior to the malware’s main infrastructure going online, the uploads might have been for antivirus and detection-testing purposes.
File Hash observed for Symbiote