Hackers using stealthy Linux backdoor Symbiote to steal credentials

Researchers have come across a stealthy Linux backdoor that uses sophisticated techniques to hide itself on compromised servers and steal credentials. Dubbed Symbiote because it injects itself into existing processes, the threat has been in development since at least November 2021 and seems to have been used against the financial sector in Latin America.

“Symbiote is a malware that is highly evasive,” researchers from BlackBerry said in a new report. “Since the malware operates as a userland level rootkit, detecting an infection may be difficult. Network telemetry can be used to detect anomalous DNS requests and security tools such as AVs and EDRs should be statically linked to ensure they are not “infected” by userland rootkits.”

Why Symbiote is a parasitic infection

The Symbiote malware is not deployed as an executable but as a shared object (.so file), which programs load when they execute. The attackers set the LD_PRELOAD environment variable to load the malicious library into all running processes, since this variable tells the linker to load the shared object before any other legitimate library.

To prevent its presence from being discovered, for example in the output of the ldd command that can be used to list a running process’s dependencies, the malware intercepts calls to this command by hooking execve and then scrubs itself from the output.

In addition to hiding itself, Symbiote is designed to hide the presence of other malware programs that attackers might deliver, as well as the files used to store stolen credentials. The researchers found that the malware will remove the following entries from the output when an application is trying to access running processes: certbotx64, certbotx86, javautils, javaserverx64, javaclientex64 and javanodex8. “Some of the file names match the file names used by Symbiote but also names of other files for tools likely deployed on the infected machines,” the researchers said.

The malware goes even further and hides its network activity as well. This is achieved in three ways. First, it will intercept any calls to /proc/net/tcp by hooking fopen and fopen64 and will scrub any network connections to specific ports it wants to hide from the output.
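As an added example (not from the article or the BlackBerry report): because the scrubbing happens inside hooked fopen/fopen64 calls, one detection approach is to diff a /proc/net/tcp capture taken by an ordinary dynamically linked tool against one taken by a reader that LD_PRELOAD cannot touch, such as a statically linked binary. The sample rows, the ports in them and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CONN 512
typedef struct { unsigned laddr, lport, raddr, rport; } conn_t;

/* Constructed samples in /proc/net/tcp layout (trailing columns omitted). */
static const char TRUSTED_VIEW[] =   /* e.g. captured by a static binary */
    "  sl  local_address rem_address   st\n"
    "   0: 00000000:0016 00000000:0000 0A\n"
    "   1: 0100007F:0CEA 00000000:0000 0A\n"
    "   2: 0A00020F:C350 0A000202:D431 01\n";
static const char SUSPECT_VIEW[] =   /* e.g. captured by a dynamic tool */
    "  sl  local_address rem_address   st\n"
    "   0: 00000000:0016 00000000:0000 0A\n"
    "   1: 0100007F:0CEA 00000000:0000 0A\n";

/* Parse IPv4 socket rows; the header and malformed rows are skipped. */
size_t parse_tcp(const char *text, conn_t out[], size_t max) {
    size_t n = 0;
    for (const char *line = text; line && *line && n < max; ) {
        conn_t c;
        if (sscanf(line, " %*d: %8x:%4x %8x:%4x",
                   &c.laddr, &c.lport, &c.raddr, &c.rport) == 4)
            out[n++] = c;
        const char *nl = strchr(line, '\n');
        line = nl ? nl + 1 : NULL;
    }
    return n;
}

/* Rows present in the trusted view but missing from the suspect view. */
size_t hidden_conns(const char *trusted, const char *suspect,
                    conn_t hidden[], size_t max) {
    static conn_t t[MAX_CONN], s[MAX_CONN];
    size_t nt = parse_tcp(trusted, t, MAX_CONN);
    size_t ns = parse_tcp(suspect, s, MAX_CONN), nh = 0;
    for (size_t i = 0; i < nt && nh < max; i++) {
        size_t j = 0;
        while (j < ns && memcmp(&t[i], &s[j], sizeof t[i]) != 0) j++;
        if (j == ns) hidden[nh++] = t[i];   /* no matching row found */
    }
    return nh;
}

int main(void) {
    conn_t h[8];
    size_t n = hidden_conns(TRUSTED_VIEW, SUSPECT_VIEW, h, 8);
    for (size_t i = 0; i < n; i++)
        printf("hidden: local port %u, remote port %u\n", h[i].lport, h[i].rport);
    return n != 0;   /* non-zero exit when the views disagree */
}
```

Connections that open or close between the two captures also show up as differences, so take the captures back to back and treat a row that stays missing across repeated runs as the signal.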

Copyright © 2022 IDG Communications, Inc.
