Security researchers are warning Linux users of a new malware that they describe as “nearly impossible to detect”. Known as Symbiote, the malware can steal user credentials and provides threat actors with remote access to Linux systems. Furthermore, a successful breach will also add rootkit functionality.
Researchers at the BlackBerry Research and Intelligence Team say they have been following the malware since detecting it in November 2021. In a new blog post, the team says the word Symbiote is apt as a title for the malware because symbiotes are organisms that live in symbiosis with another organism.
In malware terms, the threat operates in a similar way and is different to previous Linux attacks:
“What makes Symbiote different … is that it needs to infect other running processes to inflict damage on infected machines,” the researchers say. “Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine.”
Once Symbiote is loaded into running processes, attackers can carry out their nefarious goals, such as rootkit functionality, credential harvesting, and remote access. Moreover, the malware functions as a backdoor for the attacker to log in and use the Linux machine.
While the behaviour of the malware is new, it has other unique properties that are concerning. Specifically, it is extremely evasive and is “likely to fly under the radar”. In fact, the research team says it is very difficult to spot the malware and know if it is even in use.
“Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. Performing live forensics on an infected machine may not turn anything up since all the file, process, and network artifacts are hidden by the malware.”
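The LD_PRELOAD loading mechanism quoted above has a small, well-defined footprint: the /etc/ld.so.preload file, an LD_PRELOAD variable in a process's environment, and a shared object mapped into processes from a non-standard path. The following is an added defender's audit script (not code from the BlackBerry post or from the malware) that checks all three; the TRUSTED_LIB_DIRS list and the sample inputs are assumptions constructed for this example.

```python
import os
from pathlib import Path

# Where legitimately preloaded libraries normally live (assumption for this example; tune per host).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

def preload_entries(ld_so_preload_text: str) -> list[str]:
    """Library paths listed in /etc/ld.so.preload content; '#' comments and blanks are skipped."""
    return [e for line in ld_so_preload_text.splitlines()
            for e in line.split("#", 1)[0].split()]

def preload_from_environ(environ_bytes: bytes) -> list[str]:
    """LD_PRELOAD libraries from a NUL-separated /proc/<pid>/environ blob (':' or space separated)."""
    found = []
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            found += item[11:].decode(errors="replace").replace(":", " ").split()
    return found

def untrusted_shared_objects(maps_text: str) -> list[str]:
    """Paths of .so files mapped from outside TRUSTED_LIB_DIRS, from /proc/<pid>/maps content."""
    paths = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)          # addr perms offset dev inode [path]
        if len(parts) == 6 and ".so" in parts[5] and not parts[5].startswith(TRUSTED_LIB_DIRS):
            paths.add(parts[5])
    return sorted(paths)

def audit_live_system() -> dict:
    """Run all three checks on the live host; returns findings keyed by source."""
    findings = {"ld.so.preload": [], "environ": {}, "maps": {}}
    try:
        findings["ld.so.preload"] = preload_entries(Path("/etc/ld.so.preload").read_text())
    except OSError:
        pass                                    # file absent or unreadable
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            env = preload_from_environ(Path(f"/proc/{pid}/environ").read_bytes())
            sos = untrusted_shared_objects(Path(f"/proc/{pid}/maps").read_text())
        except OSError:
            continue                            # process exited or belongs to another user
        if env:
            findings["environ"][pid] = env
        if sos:
            findings["maps"][pid] = sos
    return findings
```

Because the hooked libc inside an infected process can hide exactly these artifacts from user-space tools, as the researchers note, run the audit from a trusted environment (a statically linked tool or a mounted disk image) rather than relying on results from the suspect host itself.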
So evasive is the malware that the team says it does not know whether Symbiote is currently being used by threat actors.