Symbiote: credential-stealing Linux back door that's nearly impossible to detect

Symbiote - credential-stealing Linux back door that's nearly impossible to detect. Source: iStock

Image:
Symbiote - credential-stealing Linux back door that's nearly impossible to detect. Source: iStock

Sophisticated malware uses a variety of methods to evade detection

Researchers at security vendors Intezer and BlackBerry Research & Intelligence have provided details of a sophisticated strain of Linux malware that hides in the operating system's running processes and is almost impossible to detect.

The researchers have named the malware Symbiote, presumably after the parasitic aliens created by Marvel Comics.

Symbiote is designed to silently steal credentials and to facilitate backdoor access to a victim's machine.

It uses a variety of ways to evade detection, including rootkit functionality and the ability to hide in running processes. And as well as covering up its own presence, it can also hide other files related to malware likely deployed with it.

Image
Symbiote
Description

Source: Intezer, BlackBerry Research & Intelligence

"Once the threat has thoroughly insinuated itself into a victim's machine, it enables rootkit functionality to further hide evidence of its presence," the researchers say in a blog post.

In addition, Symbiote has the ability to hide network traffic from packet capture tools.

According to the researchers, Symbiote was first observed early in 2022, where it appeared to be targetting financial institutions in Latin America.

"Domain names used by the malware indicates the threat actors are currently impersonating Brazilian banks, which suggests that these banks or their customers are potential targets."

With its ability to evade detection and its multiple functionalities, the researchers say Symbiote is one of the most sophisticated Linux threats they've ever seen.

"In addition to providing the threat actor with the ability to remotely access victim machines, this malware also allows the attacker to perform automatic credential harvesting."

They note that Symbiote has certain similarities to Ebury, an OpenSSH backdoor discovered in 2014 that also performs credential stealing, although the two do not share any code, so Symbiote appears to be an entirely new malware strain.

The researchers do not offer any mitigations, other than traffic analysis and locking down security tools

"Since the malware operates as a userland level rootkit, detecting an infection may be difficult. Network telemetry can be used to detect anomalous DNS requests and security tools such as antivirus (AVs) and endpoint detection and response (EDRs) should be statically linked to ensure they are not 'infected' by userland rootkits."