Researchers have come across a stealthy Linux backdoor that uses sophisticated techniques to hide itself on compromised servers and steal credentials.
Dubbed Symbiote because it injects itself into existing processes, the threat has been in development since at least November 2021 and seems to have been used against the financial sector in Latin America.
"Symbiote is a malware that is highly evasive," researchers from BlackBerry said in a new report. "Since the malware operates as a userland level rootkit, detecting an infection may be difficult. Network telemetry can be used to detect anomalous DNS requests and security tools such as AVs and EDRs should be statically linked to ensure they are not “infected” by userland rootkits."
Why Symbiote is a parasitic infection
The Symbiote malware is not deployed as an executable but as a shared object (.so file), which is essentially loaded by programs on execution. The attackers set the LD_PRELOAD environment variable to load the malicious library into all running processes, since this variable tells the linker to load the shared object before any other legitimate library.
To prevent its presence from being discovered, for example in the output of the ldd command that can be used to list a running process's dependencies, the malware intercepts calls to this command by hooking execve and then scrubs itself from the output.
In addition to hiding itself, Symbiote is designed to hide other malware programs that attackers might deliver, as well as files used to store stolen credentials. The researchers found that the malware will remove the following entries from the output when an application is trying to access running processes: certbotx64, certbotx86, javautils, javaserverx64, javaclientex64 and javanodex8.
"Some of the file names match the file names used by Symbiote but also names of other files for tools likely deployed on the infected machines," the researchers said.
The malware goes even further and hides its network activity as well. This is achieved in three ways. First, it intercepts any attempt to open /proc/net/tcp by hooking fopen and fopen64, and scrubs from the output any network connections on the specific ports it wants to hide.
The second method involves the use of the extended Berkeley Packet Filter (eBPF) feature of the kernel. eBPF has been abused by malware in different ways in the past, but Symbiote only uses it to hide its network connections from packet capture programs. It does so with manually written bytecode, which suggests a skilled developer, the researchers said.
The third method involves hooking libpcap functions to hide UDP traffic to specific domain names the malware has in a list. The domains found in the analysed samples impersonate the domain names of major banks in Latin America, which suggests those banks might have been the targets and the attackers wanted the traffic to blend in if it was discovered at the network level.
Using the domain names, the researchers managed to find another sample on VirusTotal that was using one of them. It was a DNS tunnelling tool which was likely deployed by Symbiote.
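The fopen/fopen64 scrubbing of /proc/net/tcp described above can be looked for by comparing what fopen() returns with what raw openat/read system calls return for the same file. The C program below is an added example, not code from BlackBerry's report. It assumes a dynamically linked build, so that the fopen() path passes through any preloaded library, and that the syscall() wrapper is not itself hooked; the function names are illustrative.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Raw view: openat/read issued through syscall(2), bypassing libc stdio.
   Assumption: the syscall() wrapper itself is not hooked. */
long read_raw(const char *path, char *buf, size_t cap) {
    long n, fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
    size_t off = 0;
    if (fd < 0) return -1;
    while (off + 1 < cap && (n = syscall(SYS_read, fd, buf + off, cap - 1 - off)) > 0)
        off += (size_t)n;
    syscall(SYS_close, fd);
    buf[off] = '\0';
    return (long)off;
}

/* Count rows present in raw_view whose address pair is missing from libc_view. */
int hidden_sockets(const char *libc_view, const char *raw_view) {
    int hidden = 0;
    for (const char *p = raw_view; p && *p; ) {
        const char *nl = strchr(p, '\n');
        char line[512], local[64], remote[64], key[160];
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        snprintf(line, sizeof line, "%.*s", (int)len, p);  /* copy one row */
        /* Key on the address pair; the "sl" index shifts when rows are removed. */
        if (sscanf(line, " %*[^:]: %63s %63s", local, remote) == 2) {
            snprintf(key, sizeof key, ": %s %s ", local, remote);
            if (!strstr(libc_view, key)) hidden++;
        }
        p = nl ? nl + 1 : NULL;
    }
    return hidden;
}

int main(void) {
    static char libc_view[1 << 20], raw_view[1 << 20];
    FILE *f = fopen("/proc/net/tcp", "r");   /* the view a hooked process gets */
    if (!f || read_raw("/proc/net/tcp", raw_view, sizeof raw_view) < 0) return 2;
    libc_view[fread(libc_view, 1, sizeof libc_view - 1, f)] = '\0';
    fclose(f);
    /* Sockets opened between the two reads also count; repeat before alerting. */
    int n = hidden_sockets(libc_view, raw_view);
    printf("%d row(s) visible to raw syscalls but not to fopen()\n", n);
    return n ? 1 : 0;
}
```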
Back-door access and credential harvesting
Symbiote's goal is to give attackers remote access to the system, to hide additional tools that they might use and to harvest credentials from the ssh or scp remote access services. The credentials are stored in header files and are encrypted before being exfiltrated to one of the domain names used by the attackers.
"Remote access to the machine is achieved by hooking a few Linux Pluggable Authentication Module (PAM) functions," the researchers said.
"When a service tries to use PAM to authenticate a user, the malware checks the provided password against a hardcoded password. If the password provided is a match, the hooked function returns a success response. Since the hooks are in PAM, it allows the threat actor to authenticate to the machine with any service that uses PAM. This includes remote services such as SSH."
The malware also provides a mechanism for hackers authenticated via the backdoor to obtain root privileges. This is set up by abusing the HTTP_SETTHIS variable when Symbiote is first loaded.
The researchers noticed that some of the techniques used by Symbiote are similar to those of an older Linux malware called Ebury or Windigo. However, there is very little shared code between the two, suggesting that Symbiote is a completely new malware threat that hasn't been detected until now.
While the samples seen so far appeared to target financial institutions in Latin America, there are no guarantees that additional targets aren’t out there or that the group behind this threat will limit itself to targeting only organisations in this region.
BlackBerry's report includes several indicators of compromise that can be used to detect if the malware is present on systems, including file names and hashes, domain names and port numbers for network activity that the malware attempts to hide.