Intezer and BlackBerry recently reported on Symbiote, a difficult-to-detect Linux malware that relies on existing running processes to infect a system.
- Symbiote primarily targets financial institutions in Latin America.
- Symbiote acts as a parasite, hijacking existing processes.
- Symbiote is difficult to detect, as it hides itself and its network traffic.
- Symbiote’s three main objectives are to evade detection, provide backdoor access, and harvest credentials.
In our 2021 Year in Review, we predicted an uptick in Linux malware for 2022. Symbiote is Linux malware named for its symbiote-like behavior. In symbiosis, an organism lives with and relies on another organism for its existence. The relationship can be mutually beneficial to both organisms, or the symbiote can act as a parasite. Symbiote malware was first detected in November 2021, targeting financial institutions in Latin America. The domain names used in Symbiote’s infrastructure attempt to impersonate high-profile Brazilian banks. However, it is unclear whether the malware is being used for highly targeted or broad attacks.
Symbiote malware is not a standalone executable. It acts as a parasite: a shared object library that is loaded into every running process via LD_PRELOAD. As a result, it is loaded before other shared objects, allowing it to hijack imports from other library files loaded for an application. Following successful infection, the malware hooks libc and libpcap functions and hides itself and any accompanying malware in an attempt to thwart detection. Since all file, process, and network artifacts are hidden, the malware is difficult to detect even when performing live forensics.
The binary contains an RC4-encrypted list of files. When hooked functions are called, Symbiote dynamically loads libc and calls the original function. Since Symbiote is loaded into processes using LD_PRELOAD, tools like ldd would normally list the malware as a loaded object. To combat this, Symbiote hooks execve and looks for calls to the function with the environment variable LD_TRACE_LOADED_OBJECTS set to 1. When this is detected, Symbiote executes the loader as ldd would, but scrubs its own entry from the result.
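A scrubbed loader trace only fools a defender who trusts ldd alone. The script below is an added example, not code from PolySwarm, Intezer or BlackBerry: it compares the shared objects a process actually has mapped (its /proc/&lt;pid&gt;/maps) against the objects the loader trace reports, and separately lists the two preload settings that force a library into every process. All inputs are constructed text in the formats of /proc/&lt;pid&gt;/maps, ldd output, /proc/&lt;pid&gt;/environ and /etc/ld.so.preload; the object name libhypothetical_preload.so is a placeholder, not a real Symbiote indicator.

```python
"""Flag shared objects that a process has mapped but that the loader trace
(the ldd mechanism, LD_TRACE_LOADED_OBJECTS=1) does not list, and collect
LD_PRELOAD hints. Added illustration; all sample data is constructed and
libhypothetical_preload.so is a placeholder name."""
import os
import re

# Constructed /proc/<pid>/maps excerpt: address perms offset dev inode path
SAMPLE_MAPS = """\
555555554000-555555556000 r--p 00000000 08:01 1311 /usr/bin/sleep
7ffff7d80000-7ffff7da8000 r--p 00000000 08:01 4210 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7da8000-7ffff7f3d000 r-xp 00028000 08:01 4210 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7fa0000-7ffff7fa2000 r--p 00000000 08:01 9999 /usr/lib/libhypothetical_preload.so
7ffff7fc3000-7ffff7fc7000 r--p 00000000 00:00 0 [vvar]
7ffff7fc7000-7ffff7fc9000 r-xp 00000000 00:00 0 [vdso]
7ffff7fc9000-7ffff7fca000 r--p 00000000 08:01 4200 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed loader trace for the same binary, in ldd's output format. The
# preloaded object is absent: this is the scrubbed result the post describes.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffff7fc7000)
\tlibc.so.6 => /usr/lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7d80000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007ffff7fc9000)
"""

# Constructed /proc/<pid>/environ (NUL-separated) and /etc/ld.so.preload contents
SAMPLE_ENVIRON = b"PATH=/usr/bin\x00LD_PRELOAD=/usr/lib/libhypothetical_preload.so\x00HOME=/root\x00"
SAMPLE_LD_SO_PRELOAD = "/usr/lib/libhypothetical_preload.so\n"

_SO_NAME = re.compile(r"\.so(\.\d+)*$")


def mapped_shared_objects(maps_text):
    """Base names of file-backed shared objects in a /proc/<pid>/maps dump."""
    names = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                      # anonymous mapping, no path
        path = fields[5]
        if path.startswith("[") or not _SO_NAME.search(path):
            continue                      # [stack], [vdso], the main executable ...
        names.add(os.path.basename(path))
    return names


def traced_shared_objects(ldd_text):
    """Base names of the objects a loader trace (ldd output) lists."""
    names = set()
    for line in ldd_text.splitlines():
        line = line.strip()
        if not line:
            continue
        path = line.split("=>", 1)[1] if "=>" in line else line
        path = path.split("(", 1)[0].strip()   # drop the load address
        if path:
            names.add(os.path.basename(path))
    return names


def untraced_objects(maps_text, ldd_text):
    """Shared objects present in the process image but missing from the trace.
    Base names are compared so that symlinked loader paths do not cause noise."""
    return sorted(mapped_shared_objects(maps_text) - traced_shared_objects(ldd_text))


def preload_hints(environ_bytes, ld_so_preload_text):
    """Preload settings found in a process environment and in /etc/ld.so.preload."""
    hints = []
    for item in environ_bytes.split(b"\x00"):
        if item.startswith(b"LD_PRELOAD="):
            hints.append("LD_PRELOAD=" + item[len(b"LD_PRELOAD="):].decode(errors="replace"))
    for entry in ld_so_preload_text.split():
        hints.append("ld.so.preload " + entry)
    return hints


if __name__ == "__main__":
    print("mapped but not traced:", untraced_objects(SAMPLE_MAPS, SAMPLE_LDD))
    print("preload hints:", preload_hints(SAMPLE_ENVIRON, SAMPLE_LD_SO_PRELOAD))
```

Two caveats apply when this is run against a live host. Libraries pulled in with dlopen also appear in maps without appearing in ldd output, so every hit needs a look rather than an automatic verdict. And because the post describes hooks on the very libc calls an investigator's tools use, the inputs are most trustworthy when collected by a statically linked tool or taken from a disk or memory image rather than read through the host's dynamic libc.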
Symbiote hides its network activity using three separate methods:
- In the first method, Symbiote hooks fopen and fopen64. If the calling application tries to open /proc/net/tcp, Symbiote creates a temp file and copies the first line to that file. It then scans each line for the presence of specific ports. If the malware finds a port it’s searching for on a particular line, it skips to the next line. If the port is not found on a line, the line is written to the temp file. Symbiote then closes the file and returns the file descriptor of the temp file back to the caller. This gives the calling process a scrubbed result, which does not include network connection entries the malware wants to hide.
- In the second method, Symbiote hijacks any injected packet filtering bytecode. Analysts at Intezer and BlackBerry observed filtering of traffic based on ports and on IPv4 addresses, for both inbound and outbound traffic. This method allows the malware to filter TCP packets.
- In the third method, Symbiote hooks libpcap functions. This allows Symbiote to filter out UDP traffic to domain names it has in a list. For each packet received, the malware checks the UDP payload for substrings of these domains. If a match is found, the malware ignores the packet and increments a counter. Then pcap_stats uses this counter to “correct” the number of packets processed, subtracting the counter value from the true number of packets processed.
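The first method above works because the caller only ever sees the temp file Symbiote hands back. The example below is added here and is not code from the original post or the vendors it cites: it parses the /proc/net/tcp format (little-endian hex IPv4 addresses, hex ports, inode in the tenth column) and reports the connection entries that one view of the file omits relative to another, which is the check a responder can run with a trusted view taken from a memory image or a statically linked tool beside the view an ordinary program receives on the host. Both views are constructed sample text, and the port numbers are arbitrary.

```python
"""Parse /proc/net/tcp and surface connection entries that one view of the
file omits relative to another. Added illustration; the two views below are
constructed sample data, and the port values in them are arbitrary."""
import socket
import struct

# Constructed 'trusted' view of /proc/net/tcp (three connections)
TRUSTED_VIEW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:0016 0102000A:D14E 01 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:B4D2 0503000A:115C 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0
"""

# Constructed view as handed to a caller on the infected host: same header,
# but the line carrying the port the malware filters on is gone.
OBSERVED_VIEW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:0016 0102000A:D14E 01 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
"""


def _parse_addr(field):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306). The IPv4 half is little-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state, inode) per entry.
    The first line is the column header and is skipped, as the malware also does."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue                      # blank or truncated line
        local_ip, local_port = _parse_addr(fields[1])
        remote_ip, remote_port = _parse_addr(fields[2])
        entries.append((local_ip, local_port, remote_ip, remote_port, fields[3], fields[9]))
    return entries


def hidden_entries(trusted_text, observed_text):
    """Entries present in the trusted view but absent from the observed one,
    matched on address, port, state and socket inode."""
    observed = set(parse_proc_net_tcp(observed_text))
    return [e for e in parse_proc_net_tcp(trusted_text) if e not in observed]


def ports_in_view(text):
    """All local and remote ports a view mentions; handy for spotting which
    port values a scrubbed view never contains."""
    ports = set()
    for entry in parse_proc_net_tcp(text):
        ports.add(entry[1])
        ports.add(entry[3])
    return ports


if __name__ == "__main__":
    for entry in hidden_entries(TRUSTED_VIEW, OBSERVED_VIEW):
        print("hidden connection:", entry)
```

Matching on the socket inode as well as the address tuple keeps the comparison honest when two views were captured a few seconds apart: a connection that closed between captures disappears with its inode, while a connection that is being hidden keeps the same inode in the trusted view. The same parser applies to /proc/net/tcp6 once the address field is widened to the 16-byte form.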
PolySwarm has multiple samples of Symbiote.
You can use the following CLI command to search for all Symbiote samples in our portal:
$ polyswarm link list -f Symbiote