Why it matters: Earlier this week, researchers from BlackBerry and Intezer released information on a hard-to-detect Linux malware targeting Latin American financial institutions. Known as Symbiote, the threat gives unauthorized users the ability to harvest credentials or gain remote access to the target machine. Once a machine is infected, all traces of the malware are hidden and rendered undetectable.
Intezer's Joakim Kennedy and the BlackBerry Research and Intelligence Team found that the threat presents as a shared object library (SO) rather than a typical executable file that users must run to infect a host. Once a host is infected, the SO is loaded into currently running processes on the target machine.
The infected computers give threat actors the ability to harvest credentials, leverage remote access capabilities, and execute commands with otherwise unauthorized elevated privileges. The malware is loaded before any other shared objects via the LD_PRELOAD directive, allowing it to avoid detection. Being loaded first also allows the malware to leverage other loaded library files.
In addition to the actions described above, Symbiote can hide the infected machine's network activity by creating specific temp files, hijacking injected packet filtering bytecode, or filtering UDP traffic using certain packet capture functions. The BlackBerry and Intezer blogs provide in-depth explanations of each method if you're into the technical details.
The team first detected the threat in Latin American financial institutions in 2021. Since then, the team has determined that the malware shares no code with any other known malware, classifying it as an entirely new malware threat to Linux operating systems. While the new threat is designed to be hard to find, admins can use network telemetry to detect anomalous DNS requests. Security analysts and system administrators can also use statically linked antivirus (AV) and endpoint detection and response (EDR) tools to ensure userland-level rootkits don't infect target machines.
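The LD_PRELOAD loading mechanism and the detection advice above, as an added example that is not code from the BlackBerry or Intezer research: a small Python check that parses an /etc/ld.so.preload-style file and /proc/<pid>/environ blobs for preloaded shared objects. The file paths are the standard glibc locations; the sample inputs are constructed, and on an already-infected host a dynamically linked interpreter can be lied to by a hooked libc, which is exactly why the article recommends statically linked tools.

```python
"""Added example: flag LD_PRELOAD-style userland rootkit indicators on glibc
systems by reading /etc/ld.so.preload and LD_PRELOAD in /proc/<pid>/environ.
Sample inputs used with these functions are constructed, not real indicators."""
import glob
import os

def parse_preload_file(text):
    """Shared objects listed in ld.so.preload: whitespace separated, '#' comments."""
    libs = []
    for line in text.splitlines():
        libs.extend(line.split("#", 1)[0].replace(":", " ").split())
    return libs

def parse_environ(blob):
    """Parse a NUL-separated /proc/<pid>/environ blob into a dict."""
    env = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env

def find_preload_indicators(preload_text, environs):
    """Return (source, library) pairs; environs maps pid -> environ bytes. Every
    preloaded object is reported because legitimate uses exist; triage each path."""
    findings = [("/etc/ld.so.preload", lib) for lib in parse_preload_file(preload_text)]
    for pid, blob in environs.items():
        for lib in parse_environ(blob).get("LD_PRELOAD", "").replace(":", " ").split():
            findings.append((f"pid {pid} LD_PRELOAD", lib))
    return findings

def scan_live_host():
    """Collect the same data from the running host (root needed for other
    users' environ). A hooked libc can lie to a dynamically linked Python,
    so trust results only from a statically linked tool or an offline image."""
    preload_text = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            preload_text = fh.read()
    environs = {}
    for path in glob.glob("/proc/[0-9]*/environ"):
        try:
            with open(path, "rb") as fh:
                environs[path.split("/")[2]] = fh.read()
        except OSError:
            continue  # process exited or permission denied
    return find_preload_indicators(preload_text, environs)

if __name__ == "__main__":
    for source, lib in scan_live_host():
        print(f"{source}: {lib}")
```

An empty result means nothing is declared through these two channels, not that the host is clean; the article's other detection route, anomalous DNS requests in network telemetry, is independent of anything the host reports about itself.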