A stealthy Linux threat referred to as Symbiote is targeting financial institutions in Latin America, with all file, process, and network artifacts hidden by the malware, making it nearly invisible to detection by live forensics.
The malware was first discovered in November, according to a blog post by BlackBerry Research. What sets Symbiote apart from other Linux malware is its approach of infecting running processes, rather than using a stand-alone executable file to inflict harm.
It then harvests credentials to provide remote access for the threat actor, exfiltrating credentials as well as storing them locally.
“It operates as a rootkit and hides its presence on the machine. Once it has infected the machine fully, it lets you see only what it wants you to see,” Joakim Kennedy, security researcher at Intezer and author of the BlackBerry blog post, explains. “Essentially, you can't trust what the machine is telling you.”
However, it can be detected externally, he says, because it exfiltrates stolen credentials via DNS requests.
Kennedy says the domains the malware uses impersonate big banks in Brazil, which also helps it stay under the radar.
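The external detection Kennedy describes can be expressed as a check over resolver query logs. The script below is an added example, not code from the article, BlackBerry or Intezer: it scans constructed log lines for the pattern of a DNS exfiltration channel, one client repeatedly looking up long, encoded-looking leftmost labels under a single zone. The log format, the zone name (a placeholder, not a domain observed in the campaign), the label-length and entropy thresholds, and the minimum number of distinct labels are all assumptions to tune for your own environment.

```python
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed resolver query-log sample (not real traffic; the zone is a
# placeholder, not a domain seen in the Symbiote campaign). One query per line:
# "<timestamp> client=<ip> qtype=<type> name=<fqdn>"
SAMPLE_LOG = """\
2022-06-09T12:00:01Z client=10.0.0.5 qtype=A name=www.example.org
2022-06-09T12:00:02Z client=10.0.0.5 qtype=A name=cdn.example.net
2022-06-09T12:00:03Z client=10.0.0.7 qtype=A name=4a6f686e3a5332637265.bank-lookalike-placeholder.example
2022-06-09T12:00:04Z client=10.0.0.7 qtype=A name=6c6f67696e3a70617373.bank-lookalike-placeholder.example
2022-06-09T12:00:05Z client=10.0.0.7 qtype=A name=776f72642d312d322d33.bank-lookalike-placeholder.example
2022-06-09T12:00:06Z client=10.0.0.7 qtype=A name=726f6f743a746f6f722e.bank-lookalike-placeholder.example
2022-06-09T12:00:07Z client=10.0.0.5 qtype=AAAA name=mail.example.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) name=(?P<name>\S+)$"
)
HEX_CHARS = set("0123456789abcdef")


class Query(NamedTuple):
    ts: str
    client: str
    qtype: str
    name: str


def parse_log(text: str) -> List[Query]:
    """Parse the assumed log format; lines that do not match are skipped."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            queries.append(Query(**m.groupdict()))
    return queries


def shannon_entropy(s: str) -> float:
    """Bits per character; hostnames are low, encoded payloads are high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def label_is_suspicious(label: str, min_len: int = 16, min_entropy: float = 3.0) -> bool:
    """Heuristic (assumption): a long leftmost label that is pure hex or
    high-entropy looks like encoded data rather than a hostname."""
    label = label.lower()
    if len(label) < min_len:
        return False
    return set(label) <= HEX_CHARS or shannon_entropy(label) >= min_entropy


def find_exfil_candidates(queries: List[Query], min_labels: int = 3) -> Dict[Tuple[str, str], int]:
    """Group suspicious labels by (client, zone). Many distinct encoded labels
    under one zone from one client is the shape of a DNS exfiltration channel:
    each lookup carries a new chunk of data to the attacker's resolver."""
    seen = defaultdict(set)
    for q in queries:
        first, sep, zone = q.name.rstrip(".").partition(".")
        if sep and label_is_suspicious(first):
            seen[(q.client, zone)].add(first)
    return {key: len(labels) for key, labels in seen.items() if len(labels) >= min_labels}


if __name__ == "__main__":
    for (client, zone), count in find_exfil_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {zone}: {count} distinct encoded labels")
```

The zone is taken naively as everything after the first label; a production version would use the public suffix list to find the registrable domain, and would add a separate lookalike check against the brand names the organisation cares about, since the article notes the observed domains impersonated banks.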
“While we could not tell based on only what we found, attackers targeting financial institutions are often motivated by potential monetary gain,” he says.
Shared Object Library
Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, points out that unlike most malware variants, the Symbiote malware is a shared object library, instead of an executable file.
Symbiote uses the LD_PRELOAD variable, which causes the dynamic loader to load it into applications before other shared object libraries.
“This is a sophisticated and evasive technique that can help the malware blend in with legitimate running processes and applications, which is one of the reasons Symbiote is difficult to detect,” she says.
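The dynamic loader honours two preload mechanisms, the LD_PRELOAD environment variable and the system-wide /etc/ld.so.preload file, so a host check can enumerate both. The script below is an added example, not code from the article or the analysts quoted; the list of unusual path prefixes is an assumption to be tuned to your own baseline. Kennedy's caveat applies: on a machine where libc calls are already hooked, the rootkit may hide these files or processes from the scanner itself, so run it from a trusted environment or pair it with a cross-view check.

```python
import glob
import os
from typing import Dict, List

LD_SO_PRELOAD = "/etc/ld.so.preload"

# Directories a legitimately preloaded library would rarely live in
# (assumption: adjust to your environment's baseline).
UNUSUAL_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def parse_ld_so_preload(text: str) -> List[str]:
    """ld.so.preload holds whitespace-separated library paths; '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        libs.extend(line.split("#", 1)[0].split())
    return libs


def parse_environ(raw: bytes) -> Dict[str, str]:
    """/proc/<pid>/environ is a sequence of NUL-terminated KEY=VALUE pairs."""
    env = {}
    for item in raw.split(b"\x00"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preloaded_libs_from_environ(raw: bytes) -> List[str]:
    """LD_PRELOAD entries may be separated by colons or whitespace."""
    value = parse_environ(raw).get("LD_PRELOAD", "")
    return [lib for lib in value.replace(":", " ").split() if lib]


def is_unusual_path(lib: str) -> bool:
    """Flag libraries in scratch or home directories, or under a hidden component."""
    hidden = any(part.startswith(".") for part in lib.split("/") if part)
    return lib.startswith(UNUSUAL_PREFIXES) or hidden


def scan_host() -> Dict[str, object]:
    """Collect the system-wide preload file and the LD_PRELOAD value of every
    process whose environment is readable (other users' processes need root).
    Unreadable or vanished entries are skipped."""
    report = {"ld_so_preload": [], "processes": {}}
    if os.path.exists(LD_SO_PRELOAD):
        with open(LD_SO_PRELOAD) as f:
            report["ld_so_preload"] = parse_ld_so_preload(f.read())
    for environ_path in glob.glob("/proc/[0-9]*/environ"):
        try:
            with open(environ_path, "rb") as f:
                libs = preloaded_libs_from_environ(f.read())
        except OSError:
            continue
        if libs:
            report["processes"][environ_path.split("/")[2]] = libs
    return report


if __name__ == "__main__":
    r = scan_host()
    for lib in r["ld_so_preload"]:
        print(f"ld.so.preload: {lib}{'  <-- unusual path' if is_unusual_path(lib) else ''}")
    for pid, libs in r["processes"].items():
        flags = [lib for lib in libs if is_unusual_path(lib)]
        print(f"pid {pid}: LD_PRELOAD={':'.join(libs)}" + ("  <-- unusual path" if flags else ""))
```

Any non-empty result deserves a look, not just the flagged paths: outside of debugging and a few well-known tools, preloaded libraries are rare on production hosts, which is what makes this a cheap baseline check.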
The malware also has Berkeley Packet Filter (BPF) hooking functionality. Packet capture tools intercept, or capture, network traffic, typically for the purposes of an investigation.
BPF is a facility built into the Linux kernel that allows users to filter out certain packets depending on the type of investigation they're performing, which can reduce the overall results, making analysis easier.
“The Symbiote malware is designed to essentially filter its traffic out of the packet capture results,” Hoffman explains. “This is just another layer of stealth used by the attackers to cover their tracks and fly under the radar.”
Kennedy adds that this is the first time BPF hooking has been observed working in this way, and points out that other malware variants have typically used BPF to receive commands from their command-and-control server.
“This malware instead uses this method to hide network activity,” he says. “It's an active measure used by the malware to prevent being detected if someone investigates the infected machine — like covering up its footsteps so it's harder to track down.”
Easier to Attack?
Mike Parkin, senior technical engineer at Vulcan Cyber, says there may be a perception on the attacker's part that the targets in Latin America have a less mature security infrastructure and would thus be easier to attack.
He explains that the attackers went out of their way to hide their malware from anything that is running on the infected system, leveraging BPF to hide their communications traffic.
“While this will work on the local host, other network-monitoring tools will be able to identify the hostile traffic and the infected source,” he says.
He explains that there are several endpoint tools available that should identify changes on a victim system.
“There are also forensic techniques that can use the malware's own behavior against it to reveal its presence,” he notes. “The authors who created Symbiote went to great lengths to hide their malware. They leveraged a combination of techniques, though in so doing delivered some indicators of compromise that defenders can use to identify an infection in situ.”
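Parkin's point about turning the malware's behaviour against it is the basis of cross-view detection: list the same directory once through libc's opendir/readdir, which an LD_PRELOAD library can hook, and once through the raw getdents64 syscall, and anything present only in the raw view is being hidden from ordinary tools. The following is an added example, not code from the article or the analysts quoted; it assumes Linux on x86_64 or aarch64 (the syscall-number table covers only those two) and Python 3.9 or later, and it validates the mechanism on a scratch directory before being pointed at /proc.

```python
from __future__ import annotations

import ctypes
import os
import platform
import struct
import tempfile

# getdents64 syscall numbers (assumption: only the two most common Linux
# architectures are covered; extend the table for others).
GETDENTS64_NR = {"x86_64": 217, "aarch64": 61}
# struct linux_dirent64 header: u64 d_ino, s64 d_off, u16 d_reclen, u8 d_type;
# the NUL-terminated d_name follows immediately (19 bytes in).
DIRENT64_HEADER = "<QqHB"
DIRENT64_HEADER_LEN = struct.calcsize(DIRENT64_HEADER)


def raw_listdir(path: str) -> set[str]:
    """List a directory by issuing getdents64 through libc's syscall(2) wrapper.
    opendir/readdir are never called, so a preloaded library that filters
    readdir results does not get a chance to drop entries."""
    if platform.system() != "Linux":
        raise NotImplementedError("raw_listdir relies on Linux syscall numbers")
    nr = GETDENTS64_NR.get(platform.machine())
    if nr is None:
        raise NotImplementedError(f"no getdents64 number for {platform.machine()}")
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    buf = ctypes.create_string_buffer(32768)
    names = set()
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    try:
        while True:
            n = libc.syscall(ctypes.c_long(nr), ctypes.c_int(fd), buf, ctypes.c_uint(len(buf)))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err))
            if n == 0:  # end of directory
                break
            data = buf.raw[:n]
            off = 0
            while off < n:
                _ino, _off, reclen, _type = struct.unpack_from(DIRENT64_HEADER, data, off)
                if reclen == 0:  # defensive: a zero-length record would loop forever
                    break
                start = off + DIRENT64_HEADER_LEN
                end = data.index(b"\x00", start)
                name = data[start:end].decode("utf-8", errors="surrogateescape")
                if name not in (".", ".."):
                    names.add(name)
                off += reclen
    finally:
        os.close(fd)
    return names


def libc_listdir(path: str) -> set[str]:
    """The ordinary view: os.listdir goes through libc's opendir/readdir."""
    return set(os.listdir(path))


def cross_view_diff(path: str) -> dict[str, set[str]]:
    """Entries in the raw syscall view but missing from the libc view are what a
    userland rootkit is hiding. The reverse direction is usually just churn from
    entries created between the two listings (common under /proc)."""
    raw = raw_listdir(path)
    lib = libc_listdir(path)
    return {"hidden_from_libc": raw - lib, "only_in_libc": lib - raw}


def self_check() -> tuple[set[str], dict[str, set[str]]]:
    """Run both views over a scratch directory with known contents, so the
    mechanism is validated before it is pointed at real targets."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("a.txt", "b.txt", ".hidden"):
            open(os.path.join(d, name), "w").close()
        return raw_listdir(d), cross_view_diff(d)


if __name__ == "__main__":
    names, diff = self_check()
    print("self-check raw view:", sorted(names), "diff:", diff)
    for target in ("/proc", "/etc", "/tmp"):
        hidden = cross_view_diff(target)["hidden_from_libc"]
        if hidden:
            print(f"{target}: entries hidden from readdir:", sorted(hidden))
```

Run it against /proc to compare process lists, and against directories where a dropped library would live. The check only catches hooks in userland: a kernel-level rootkit that filters inside the syscall itself would fool both views, which is why the comparison is worth repeating from a trusted boot or by inspecting the disk image offline.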
Kennedy says that the most important action is to be aware of the techniques used by this malware, to ensure that you can detect and/or defend against them, whether you are defending against Symbiote or another attack that uses the same technique.
“I'd say Symbiote, and other recently discovered undetected Linux malware, shows that operating systems other than Windows are not immune to highly evasive malware,” he says. “Since it doesn't get as much attention as Windows malware, we don't know what else is out there that hasn't been discovered yet.”