Joakim Kennedy, Security Researcher at Intezer, and the BlackBerry Threat Research & Intelligence team have announced the discovery of a new Linux malware called Symbiote. The name comes from symbiosis, but the relationship here is parasitic: one party benefits and the other is harmed. Symbiote is unusual in its approach: it needs to infect other running processes in order to do its damage on an infected machine.
Backdoor access
Once it has injected itself into all running processes, the malware can decide which results those processes display.
It is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006) and parasitically infects the machine. Once all the running processes are infected, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability. Symbiote also provides a backdoor that allows the threat actor to log in as any user: the threat actors log in with a hardcoded password and can then execute commands with the highest privileges.
A Symbiote infection is very hard to detect, so researchers have not yet found enough evidence to determine whether Symbiote is being used in highly targeted or broad attacks.
Symbiote uses the Berkeley Packet Filter (BPF). It is not the first Linux malware to use BPF, but Symbiote uses it to hide malicious network traffic on an infected machine. Symbiote is loaded by the linker via the LD_PRELOAD directive, so it is loaded before any other shared objects. By hooking libc and libpcap functions, Symbiote hides its presence on the machine. Kennedy said:
"Symbiote is a malware that is highly evasive. Its main objective is to capture credentials and to facilitate backdoor access to infected machines. Since the malware operates as a userland level rootkit, detecting an infection may be difficult. Network telemetry can be used to detect anomalous DNS requests and security tools such as antivirus (AVs) and endpoint detection and response (EDRs) should be statically linked to ensure they are not 'infected' by userland rootkits."
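A defender-side check for the LD_PRELOAD loading technique described above, added here as an example and not code from the Intezer or BlackBerry researchers. It inspects /etc/ld.so.preload, each process's LD_PRELOAD variable and the shared objects mapped in /proc/<pid>/maps; the trusted library directories are an assumption for a typical glibc distribution, and, as Kennedy's advice on static linking implies, the files must be gathered by a tool whose libc calls the rootkit cannot hook.

```python
"""Heuristic checks for LD_PRELOAD-style userland rootkits (added example).

Caveat: a userland rootkit hooks libc calls such as open() and readdir(), so
gather /etc/ld.so.preload and the /proc files with a statically linked tool or
from a trusted rescue image, not with the suspect host's dynamic Python.
"""
import os
import re
from pathlib import Path

# Assumption: legitimate shared objects on this distribution live under these.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# maps line: address perms offset dev inode path; keep only .so mappings
_MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>/\S+\.so\S*)$")

def preload_entries(ld_so_preload_text):
    """Non-comment entries of /etc/ld.so.preload (normally there are none)."""
    lines = (l.strip() for l in ld_so_preload_text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def env_ld_preload(environ_bytes):
    """LD_PRELOAD value from a NUL-separated /proc/<pid>/environ blob, or None."""
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item.split(b"=", 1)[1].decode(errors="replace")
    return None

def untrusted_mapped_objects(maps_text):
    """Shared objects mapped from outside TRUSTED_LIB_DIRS, deduplicated."""
    found = []
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if m and not m.group("path").startswith(TRUSTED_LIB_DIRS) \
                and m.group("path") not in found:
            found.append(m.group("path"))
    return found

def scan_live_host():
    """Walk /proc on the running host; returns {pid: finding} for hits only."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            env = env_ld_preload(Path(f"/proc/{pid}/environ").read_bytes())
            objs = untrusted_mapped_objects(Path(f"/proc/{pid}/maps").read_text())
        except OSError:  # process exited, or environ not readable without root
            continue
        if env or objs:
            hits[int(pid)] = {"ld_preload_env": env, "untrusted_objects": objs}
    return hits
```

A non-empty /etc/ld.so.preload, an LD_PRELOAD variable in a long-running service, or a .so mapped from a world-writable directory are each worth an investigation rather than proof of compromise on their own.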