Symbiote – A New Linux Threat

A recently discovered form of malware that infects Linux systems uses sophisticated techniques to hide and steal credentials.

The previously undetectable “Symbiote” malware acts in a parasitic nature in that it needs to infect other running processes to inflict damage on infected machines.

The symbiote is not a standalone executable file that is run to infect a machine but a shared object library that is loaded into all running processes to infect the machine.

Advertisements

Once Symbiote has infected all running processes, it delivers the attacker rootkit function with the ability to harvest credentials and remote access capability.

Symbiote, first detected in November 2021, was initially written to target the financial sector in Latin America. Upon successful infection, Symbiote hides any other malware deployed, making infections hard to detect. Hard might be an understatement: According to the researchers, performing live forensics on an infected may not turn up anything since all the files, processes, and network artifacts are hidden by the malware.

Malware targeting Linux systems is not new, but the stealth techniques used by Symbiote make it stand out. The malware is loaded by the linker via the LD_PRELOAD directive, allowing it to be loaded before any other shared objects. Since it’s loaded first, it can “hijack the imports” from the other library files loaded for the application. Symbiote uses this to hide its presence on the machine.

Detecting an infection at the rootkit level is difficult. Network telemetry can be used to detect anomalous DNS requests and security tools such as antivirus and endpoint detection and response should be statically linked to ensure they are not infected’ by userland rootkits.