
‘Highly Evasive’ Malware Targets Linux Systems


Researchers are warning of a newly discovered malware family that they say is “highly evasive,” which targets Linux systems in order to capture credentials and facilitate backdoor access to infected machines.

The malware, which researchers with Intezer and the BlackBerry threat research team call Symbiote, employs several different techniques to evade detection once it has infected a machine, which makes it difficult to find and remove.

“Performing live forensics on an infected machine may not turn anything up since all the file, process, and network artifacts are hidden by the malware,” warned Joakim Kennedy, security researcher, in a Thursday analysis. “In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password and to execute commands with the highest privileges.”

The most notable detection-evasion method leveraged by Symbiote is its use of Berkeley Packet Filter (BPF) hooking: when an administrator starts a packet capture tool on an infected machine, the malware injects BPF bytecode into the kernel that defines which packets should be captured. This allows the malware to filter out the network traffic it doesn’t want the packet capture tool to uncover.

Previously, Linux malware families have used BPF for communication rather than for hiding malicious network traffic; for instance, a sophisticated backdoor attributed to the Equation Group was found using BPF for covert communication. More recently, researchers uncovered activity that they tracked back to malware called BPFdoor, which targets Linux and Solaris systems and allows threat actors to remotely connect to Linux shells on compromised devices. As part of this, the malware uses a BPF packet filter to scan network traffic and send commands.

Other Detection-Evasion Methods

In another stealthy technique, the malware is loaded by the dynamic linker through the LD_PRELOAD environment variable as a shared object library, rather than as a standalone executable that is run to infect a machine.

“This allows it to be loaded before any other shared objects,” said Kennedy. “Since it is loaded first, it can ‘hijack the imports’ from the other library files loaded for the application. Symbiote uses this to hide its presence on the machine by hooking libc and libpcap functions.”

The malware can harvest credentials by hooking the libc read function; the captured credentials are both stored locally and exfiltrated. Attackers can also gain remote access to the machine via Symbiote.

“Remote access to the infected machine is achieved by hooking a few Linux Pluggable Authentication Module (PAM) functions,” said researchers. “When a service tries to use PAM to authenticate a user, the malware checks the provided password against a hardcoded password. If the password provided is a match, the hooked function returns a success response. Since the hooks are in PAM, it allows the threat actor to authenticate to the machine with any service that uses PAM.”

Researchers first uncovered the malware in November 2021, and said it appears to be targeting the financial sector in Latin America. They haven’t found enough evidence to determine whether the malware is being used in highly targeted or broad attacks. It’s also not clear how attackers are initially deploying the malware against victims. However, the malware's stealth makes it particularly difficult for defenders to root out, warned researchers.

“Network telemetry can be used to detect anomalous DNS requests, and security tools such as antivirus and endpoint detection and response (EDR) should be statically linked to ensure they are not ‘infected’ by userland rootkits,” said researchers.
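The LD_PRELOAD loading technique described above and the researchers' advice to keep forensic tools statically linked suggest two simple defender-side checks. The following is an added example, not code from the article or from the Intezer/BlackBerry researchers: it audits the text of /etc/ld.so.preload and /proc/PID/environ blobs for preloaded libraries, and inspects an ELF64 image for the PT_INTERP program header that marks a binary as dynamically linked (and therefore hookable). The file contents, PIDs and library paths are constructed placeholders, and fake_elf builds a synthetic ELF image so the check runs offline.

```python
import struct

PT_INTERP = 3  # ELF program header type that names the dynamic loader (ld.so)

def preload_entries(ld_so_preload: str, environ_blobs: dict) -> dict:
    """Collect preloaded library paths from /etc/ld.so.preload text and from per-process
    environ blobs (NUL-separated, as in /proc/PID/environ). Returns {source: [paths]}."""
    found = {}
    libs = []
    for line in ld_so_preload.splitlines():
        line = line.split("#", 1)[0]            # ld.so.preload allows '#' comments
        libs += line.replace(":", " ").split()  # entries separated by blanks or ':'
    if libs:
        found["/etc/ld.so.preload"] = libs
    for pid, blob in environ_blobs.items():
        for var in blob.split(b"\0"):
            if var.startswith(b"LD_PRELOAD="):
                value = var[len(b"LD_PRELOAD="):].decode(errors="replace")
                found[f"pid {pid}"] = value.replace(":", " ").split()
    return found

def is_dynamically_linked(elf: bytes) -> bool:
    """True if an ELF64 image has a PT_INTERP header, i.e. it is started through ld.so
    and therefore honours LD_PRELOAD; a statically linked tool has none."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not a 64-bit ELF image")
    order = "<" if elf[5] == 1 else ">"        # EI_DATA: 1 = little-endian, 2 = big
    (e_phoff,) = struct.unpack_from(order + "Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from(order + "HH", elf, 54)
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from(order + "I", elf, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return True
    return False

def fake_elf(ptypes) -> bytes:
    """Constructed minimal little-endian ELF64 image with the given program header
    types; stands in for a real binary so the check runs offline."""
    hdr = bytearray(64)
    hdr[:7] = b"\x7fELF\x02\x01\x01"                   # magic, ELFCLASS64, LSB, version 1
    struct.pack_into("<Q", hdr, 32, 64)                # e_phoff: headers follow ELF header
    struct.pack_into("<HH", hdr, 54, 56, len(ptypes))  # e_phentsize, e_phnum
    return bytes(hdr) + b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)

# Constructed sample input (placeholder paths, not captured from a real infection).
SAMPLE_LD_SO_PRELOAD = "# constructed sample\n/usr/local/lib/libhook-placeholder.so\n"
SAMPLE_ENVIRONS = {
    1: b"PATH=/usr/bin\0HOME=/\0",
    4242: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/hook-placeholder.so\0HOME=/root\0",
}
```

Because Symbiote hooks the libc read function, both functions take already-obtained contents as arguments so they can be fed from a statically linked collector or an offline disk image rather than from reads performed on the live, possibly hooked, host.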