Why it matters: Earlier this week, researchers from Blackberry and Intezer released details on a hard-to-detect Linux malware targeting Latin American financial institutions. Known as Symbiote, the threat gives unauthorized users the ability to harvest credentials or gain remote access to the target machine. Once a machine is infected, the malware hides itself and is rendered undetectable.
Intezer's Joakim Kennedy and the Blackberry Research and Intelligence Team found that the threat presents as a shared object library (SO) rather than a typical executable file that users must run to infect a host. Once a machine is infected, the SO is loaded into currently running processes on the target machine.
The infected computers give threat actors the ability to harvest credentials, leverage remote access capabilities, and execute commands with otherwise unauthorized elevated privileges. The malware is loaded before any other shared objects via the LD_PRELOAD directive, allowing it to evade detection. Being loaded first also allows the malware to leverage other loaded library files.
In addition to the actions described above, Symbiote can hide the infected machine's network activity by creating special temp files, hijacking injected packet filtering bytecode, or filtering UDP traffic using specific packet capture functions. The Blackberry and Intezer blogs provide in-depth explanations of each technique if you're into the technical details.
The team first detected the threat in Latin American financial institutions in 2021. Since then, the team has determined that the malware shares no code with any other known malware, classifying it as an entirely new malware threat to Linux operating systems. While the new threat is designed to be hard to find, admins can use network telemetry to detect anomalous DNS requests. Security analysts and system administrators can also use statically linked antivirus (AV) and endpoint detection and response (EDR) tools to ensure userland-level rootkits don't infect target machines.
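As an added illustration of the host-side checks a defender would pair with the DNS telemetry mentioned above (example code written for this article, not from Blackberry, Intezer, or the Symbiote analysis), the script below looks for the LD_PRELOAD injection mechanism the article describes: entries in /etc/ld.so.preload, LD_PRELOAD set in a process's environment, and shared objects mapped from outside the normal library directories. The trusted directory list and the sample /proc data are assumptions and constructed values.

```python
"""Spot LD_PRELOAD-style shared-object injection from /proc and /etc/ld.so.preload."""
import os
import re

# Assumed: directories from which legitimate shared objects are normally mapped.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
SO_RE = re.compile(r"\.so(\.\d+)*$")  # matches libfoo.so and libc.so.6 style names


def preload_from_environ(environ_blob: bytes) -> list[str]:
    """Return the libraries named by LD_PRELOAD in a NUL-separated /proc/<pid>/environ blob."""
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[\s:]+", value) if p]
    return []


def untrusted_mapped_libs(maps_text: str) -> list[str]:
    """Return .so paths in /proc/<pid>/maps text that live outside the trusted directories."""
    found: list[str] = []
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:  # anonymous mapping with no backing path
            continue
        path = parts[5]
        if SO_RE.search(path) and not path.startswith(TRUSTED_LIB_DIRS) and path not in found:
            found.append(path)
    return found


def ld_so_preload_entries(text: str) -> list[str]:
    """Return the effective (non-blank, non-comment) lines of an /etc/ld.so.preload file."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]


def scan_live_system() -> dict:
    """Check the real host. Caveat: this interpreter is dynamically linked, so a userland rootkit
    hooking libc's file and directory calls could hide from it; that is why the article
    recommends statically linked AV/EDR tooling for a trustworthy view."""
    report: dict = {"ld_so_preload": [], "processes": {}}
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            report["ld_so_preload"] = ld_so_preload_entries(fh.read())
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                pre = preload_from_environ(fh.read())
            with open(f"/proc/{pid}/maps") as fh:
                libs = untrusted_mapped_libs(fh.read())
        except OSError:
            continue  # process exited, or not readable without root
        if pre or libs:
            report["processes"][pid] = {"ld_preload": pre, "untrusted_libs": libs}
    return report


if __name__ == "__main__":
    print(scan_live_system())
```

Run it as root for full /proc coverage; any hit is a lead to investigate with a statically linked tool rather than proof of compromise, since legitimate software occasionally uses LD_PRELOAD too.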