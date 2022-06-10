The discovery of harmful malware on GNU/Linux systems always makes the news, perhaps because of the image this operating system has acquired as being 'immune to viruses'. But Symbiote, whose existence has just been announced, is an extreme case of sophistication when it comes to evading traditional detection methods.

Despite its recent identification, researchers estimate that it has been used by cybercriminals since at least November 2021, and that it has already been deployed against entities in the Latin American financial sector.

Its name reportedly comes from its ability to run without an executable of its own: it limits itself to 'injecting' itself into already running processes and turning them malicious. This works because the malicious payload lives in a shared library (a file with the .so extension) that processes load at startup because the attackers have previously pointed the dynamic linker at it through the LD_PRELOAD environment variable.
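The preload mechanism the article refers to is a standard feature of the GNU dynamic linker, which honours two sources: the per-process LD_PRELOAD variable and the system-wide /etc/ld.so.preload file. The following Python checks, added here as an example and not taken from the Symbiote researchers' tooling, inspect both sources. All paths are parameterised by a root directory so the code can run against a constructed sample tree; the file names and library paths in the sample are hypothetical.

```python
"""Hunt for dynamic-linker preload abuse on a Linux host.

Added example for this article; not code from the Symbiote researchers.
The loader honours two preload sources: the LD_PRELOAD environment variable
(per process) and the /etc/ld.so.preload file (every dynamically linked
process). Both are inspected here. On a real host call the functions with
root="/"; the constructed sample tree below exists only for the demo.

Caveat: a process that has itself loaded the hostile library cannot trust
its own view of the filesystem, because the library can hook the libc calls
used to read it. Run checks like these from a statically linked interpreter,
a rescue image, or an offline copy of the disk.
"""
import tempfile
from pathlib import Path


def preload_file_entries(root="/"):
    """Return the non-comment entries of <root>/etc/ld.so.preload.

    A clean host normally has no such file, or an empty one."""
    path = Path(root) / "etc" / "ld.so.preload"
    if not path.is_file():
        return []
    entries = []
    for line in path.read_text(errors="replace").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def processes_with_ld_preload(root="/"):
    """Return {pid: value} for every process whose environment sets LD_PRELOAD.

    /proc/<pid>/environ is NUL separated. Reading another user's environ
    requires root, so unreadable entries are skipped silently."""
    found = {}
    proc = Path(root) / "proc"
    for entry in (proc.iterdir() if proc.is_dir() else []):
        if not entry.name.isdigit():  # skip /proc/self, /proc/net, ...
            continue
        try:
            raw = (entry / "environ").read_bytes()
        except OSError:
            continue
        for var in raw.split(b"\0"):
            if var.startswith(b"LD_PRELOAD="):
                found[int(entry.name)] = var.split(b"=", 1)[1].decode(errors="replace")
    return found


def build_sample_tree():
    """Construct a fake root with one preload entry and one tainted process.

    Constructed sample data with hypothetical library names, not a real infection."""
    root = tempfile.mkdtemp(prefix="preload-demo-")
    etc = Path(root) / "etc"
    etc.mkdir()
    (etc / "ld.so.preload").write_text("# hypothetical entry\n/usr/lib/libdemo.so\n")
    clean = Path(root) / "proc" / "100"
    clean.mkdir(parents=True)
    (clean / "environ").write_bytes(b"PATH=/usr/bin\0HOME=/root\0")
    tainted = Path(root) / "proc" / "200"
    tainted.mkdir(parents=True)
    (tainted / "environ").write_bytes(b"PATH=/usr/bin\0LD_PRELOAD=/tmp/libdemo.so\0")
    (Path(root) / "proc" / "self").mkdir()  # non-numeric entries must be ignored
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print("ld.so.preload entries:", preload_file_entries(demo_root))
    print("LD_PRELOAD in environ:", processes_with_ld_preload(demo_root))
```

A non-empty ld.so.preload or an LD_PRELOAD value in a daemon's environment is not proof of compromise (some debugging and tracing tools rely on the same mechanism), but on a server it is rare enough that every hit deserves to be explained.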

Given that, according to biologists, symbiosis is a relationship of mutual dependence between two living beings that benefits both, everything suggests that the security researchers who named it were thinking instead of the symbiotes of Marvel's 'Venom' saga: alien entities capable of possessing their host.

Stealthy and dangerous: more 'ninja' than its Venom counterpart

Beyond zoological questions, its way of infecting processes matters because it lets the malware intercept any command that might reveal its presence (such as 'ldd') and alter that command's output to hide itself.

Moreover, Symbiote is designed to hide the presence of any other malware the attackers may want to deploy alongside it. It therefore also strips references to 'certbotx64', 'certbotx86', 'javautils', 'javaserverx64', 'javaclientx64' and 'javanodex8' from the output of tools such as 'ldd'.

And it doesn't end there: it can also hide its network activity by intercepting reads of /proc/net/tcp and calls into the libpcap functions, removing any entry that refers to a connection on the ports its creators specify.
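To see concretely what a hook on /proc/net/tcp has to filter, and how the filtering can be caught, here is an added Python example that is not part of the article or of the researchers' tooling. It decodes the hex-encoded address and port fields of /proc/net/tcp, reproduces the effect of a hook that drops rows for a chosen port, and diffs the hooked view against an independently captured copy (for instance one read with a statically linked tool or taken from a forensic image). The /proc/net/tcp text below is constructed sample data, not a capture from a real host.

```python
"""Decode /proc/net/tcp and spot entries removed by a port-hiding hook.

Added example for this article; not the researchers' tooling. Each row of
/proc/net/tcp carries hex "ADDR:PORT" fields for the local and remote
endpoint, a hex state and the socket inode. The IPv4 address is printed in
host byte order, so on little-endian machines its bytes appear reversed.
A library that hooks the read of this file only has to drop rows whose port
matches a list; comparing the in-process view with a trusted copy exposes
the gap. SAMPLE_PROC_NET_TCP is constructed for the demo.
"""
import socket
import struct

TCP_STATES = {
    1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
    5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
    9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING",
}

# Constructed sample: sshd listening, a local web service, an HTTPS client
# connection, and a hypothetical implant connection to 192.168.0.1:3600.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0F00000A:A5BC 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
   3: 0F00000A:C2A1 0100A8C0:0E10 01 00000000:00000000 00:00000000 00000000     0        0 45678 1 0000000000000000 20 4 30 10 -1
"""


def _endpoint(field):
    """Turn 'XXXXXXXX:PPPP' into (dotted_ip, port), assuming a little-endian host."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the table into dicts with local/remote endpoints, state and inode."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) < 10:
            continue
        laddr, lport = _endpoint(parts[1])
        raddr, rport = _endpoint(parts[2])
        rows.append({
            "local": (laddr, lport),
            "remote": (raddr, rport),
            "state": TCP_STATES.get(int(parts[3], 16), parts[3]),
            "inode": int(parts[9]),
        })
    return rows


def hide_ports(text, ports):
    """Reproduce what a port-hiding hook returns: the same table minus rows
    whose local or remote port is in `ports`. Header is preserved."""
    lines = text.splitlines()
    kept = lines[:1]
    for line in lines[1:]:
        parts = line.split()
        if len(parts) >= 10 and (_endpoint(parts[1])[1] in ports
                                 or _endpoint(parts[2])[1] in ports):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def hidden_connections(trusted_text, observed_text):
    """Rows present in the trusted capture but missing from the observed view."""
    observed = {(r["local"], r["remote"]) for r in parse_proc_net_tcp(observed_text)}
    return [r for r in parse_proc_net_tcp(trusted_text)
            if (r["local"], r["remote"]) not in observed]


if __name__ == "__main__":
    hooked_view = hide_ports(SAMPLE_PROC_NET_TCP, {3600})
    for row in hidden_connections(SAMPLE_PROC_NET_TCP, hooked_view):
        print("hidden:", row)
```

The same comparison works for the libpcap side: a capture taken from a span port or another host will contain the traffic that a hooked local sniffer silently drops.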

Image: all the stealth tricks used by Symbiote (via BlackBerry).

But beyond its ability to hide itself and other malware, Symbiote's real goal is to provide a backdoor that lets the attackers gain remote access to the infected system (with root privileges) and retrieve the credentials file that Symbiote has been filling every time a user authenticates.

Researchers have noted parallels between some of Symbiote's techniques and those of Ebury, an older Linux malware family. However, they have verified that the two share very little code, which implies that Symbiote is a new class of malware that had gone undetected until now.

