A recently discovered form of malware that infects Linux systems uses sophisticated techniques to hide and steal credentials.

As detailed today by researchers at BlackBerry Ltd., the previously undetectable “Symbiote” malware acts in a parasitic nature in that it needs to infect other running processes to inflict damage on infected machines. Symbiote is not a standalone executable file that is run to infect a machine but a shared object library that is loaded into all running processes to infect the machine.

Once Symbiote has infected all running processes, it delivers the attacker rootkit function with the ability to harvest credentials and remote access capability.

Symbiote, first detected in November 2021, was initially written to target the financial sector in Latin America. Upon successful infection, Symbiote hides itself and any other malware deployed, making infections hard to detect. Hard might be an understatement: According to the researchers, performing live forensics on an infected may not turn up anything since all the files, processes and network artifacts are hidden by the malware.

Malware targeting Linux systems is not new, but the stealth techniques used by Symbiote make it stand out. The malware is loaded by the linker via the LD_PRELOAD directive, allowing it to be loaded before any other shared objects. Since it’s loaded first, it can “hijack the imports” from the other library files loaded for the application. Symbiote uses this to hide its presence on the machine.

“Since the malware operates as a userland level rootkit, detecting an infection may be difficult,” researchers conclude. “Network telemetry can be used to detect anomalous DNS requests and security tools such as antivirus and endpoint detection and response should be statically linked to ensure they are not ‘infected’ by userland rootkits.”

Photo: Pixabay