An unusually stealthy Linux malware has been uncovered by cybersecurity researchers. The earliest samples of the threat, named Symbiote, date back to November 2021, and its intended targets are believed to be banking or financial institutions in Latin America. Details about this previously unknown malware were released in a joint report by the BlackBerry Threat Research & Intelligence team and the Intezer security researcher Joakim Kennedy.
According to their findings, Symbiote differs significantly from other Linux malware, which typically tries to compromise processes that are already running. Instead, Symbiote is designed to act as a shared object (SO) library that every newly started process loads via LD_PRELOAD. Once it has been fully established on the compromised machine, the threat provides almost rootkit-level functionality. To hide its presence, Symbiote hooks specific functions in libraries such as libc and libpcap.
Furthermore, by hooking the libc read function, the threat can harvest credentials from the infected device, and by abusing the Linux Pluggable Authentication Module (PAM) it can provide the threat actors with remote access. The suspicious traffic generated by the threat is masked through BPF (Berkeley Packet Filter) hooking.
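Because the loading mechanism described above depends on LD_PRELOAD (either the environment variable or the system-wide /etc/ld.so.preload file), the two places a defender can inspect for unexpected preloaded libraries are well defined. The following audit script is an added example written for this article; it is not code from the BlackBerry/Intezer report or from the malware itself. The allow-list, the sample preload file, the sample /proc/<pid>/environ blobs and the library name libexample_hook.so are all constructed placeholders.

```python
import os
from typing import Dict, List, Tuple

# Constructed allow-list of libraries a site may legitimately preload; adjust per environment.
KNOWN_GOOD = {"/usr/lib/libjemalloc.so.2"}


def parse_ld_so_preload(text: str) -> List[str]:
    """Return the library paths listed in /etc/ld.so.preload.
    Blank lines and '#' comments are ignored; entries are whitespace-separated."""
    paths: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            paths.extend(line.split())
    return paths


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE pairs)."""
    env: Dict[str, str] = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_entries_from_env(env: Dict[str, str]) -> List[str]:
    """LD_PRELOAD accepts entries separated by spaces or colons."""
    return env.get("LD_PRELOAD", "").replace(":", " ").split()


def audit(preload_text: str, environs: Dict[int, bytes], known_good=KNOWN_GOOD) -> List[dict]:
    """Flag every preloaded library that is not on the allow-list.
    Each finding records where it was seen (the preload file or a process environment)."""
    findings: List[dict] = []
    for path in parse_ld_so_preload(preload_text):
        if path not in known_good:
            findings.append({"source": "/etc/ld.so.preload", "pid": None, "path": path})
    for pid, blob in sorted(environs.items()):
        for path in preload_entries_from_env(parse_environ(blob)):
            if path not in known_good:
                findings.append({"source": "LD_PRELOAD", "pid": pid, "path": path})
    return findings


def collect_live() -> Tuple[str, Dict[int, bytes]]:
    """Gather the same inputs from the running host (reading other users'
    environ files requires root). Returns (preload file text, {pid: environ})."""
    try:
        with open("/etc/ld.so.preload") as fh:
            preload_text = fh.read()
    except FileNotFoundError:
        preload_text = ""
    environs: Dict[int, bytes] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/environ", "rb") as fh:
                environs[int(name)] = fh.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            pass  # process exited or is not ours to read
    return preload_text, environs


# Constructed sample input: one allow-listed entry and one unexpected library in a hidden directory.
SAMPLE_PRELOAD = "# site-wide preload\n/usr/lib/libjemalloc.so.2\n/tmp/.x/libexample_hook.so\n"
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libexample_hook.so:/usr/lib/libjemalloc.so.2\0",
    5678: b"PATH=/usr/bin\0HOME=/root\0",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print(finding)
    # To audit the local host instead: print(audit(*collect_live()))
```

Two caveats apply to any check of this kind. First, the mere existence of /etc/ld.so.preload on a host where nobody configured it is itself worth an alert, regardless of what it contains. Second, a library that hooks libc functions to hide itself, as the article describes, can lie to a Python script running on the same host, since the script's file and directory reads go through the hooked libc; the preload file and process environments should therefore also be collected from a statically linked tool, from outside the host (a forensic image or an agent using raw syscalls), or compared against data collected before the suspected compromise.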
The researchers were also able to confirm that certain domain names associated with Symbiote were designed to impersonate legitimate Brazilian banks. In addition, a server linked to the malware was purposefully set up to imitate the website of the Federal Police of Brazil.