Researchers unearth highly evasive “parasitic” Linux malware (Security News, June 2022)
Security researchers at Intezer and BlackBerry have documented Symbiote, a wholly unique, multi-purpose piece of Linux malware that is nearly impossible to detect.
"What makes Symbiote different from other Linux malware that we usually come across is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object library that is loaded into all running processes using LD_PRELOAD, and parasitically infects the machine," the researchers pointed out.
Symbiote is an eminently capable piece of Linux malware: it operates as a rootkit, it can serve as a backdoor, it can execute commands with the highest privileges and can harvest credentials.
"The domain names used by the Symbiote malware are impersonating some major Brazilian banks. This suggests that these banks or their customers are the potential targets," the researchers noted, but said that they weren't able to determine whether the malware is being used in targeted or broad attacks.
How the malware is delivered to targets is not known, but once it has infected a machine it hides itself and any other malware used by the threat actor by scrubbing evidence of the files, processes, and network artifacts it uses.
Performing live forensics on an infected machine may not turn up any evidence of the malware's presence, the researchers noted, and since it operates as a userland-level rootkit, detection is made even more difficult.
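The two facts above (injection through LD_PRELOAD into every process, and userland hooks that filter what tools on the host can see) point to the artefacts a defender can still triage: /etc/ld.so.preload, each process's environment, and each process's memory map, which lists every shared object actually loaded regardless of how it was declared. The script below is an added example written for this page; it is not code from the Intezer/BlackBerry research or from the article. The "trusted" library prefixes are an assumed heuristic, the /proc contents and the path /dev/shm/.x/libpayload.so are constructed sample data and not Symbiote indicators, and the functions take text/bytes so they can be run over artefacts copied off a host or out of a disk image rather than only on a live system.

```python
# Added example (not from the Symbiote research or the article). Triage helpers for
# LD_PRELOAD-style injection on Linux. Works on text/bytes so it can be run against
# copied /proc artefacts or an offline image as well as a live host.
import os

# Assumption: distribution-managed library directories; anything else is worth a look.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_ld_so_preload(text):
    """Parse /etc/ld.so.preload: whitespace-separated library paths, '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def parse_environ(blob):
    """Parse /proc/<pid>/environ: NUL-separated KEY=VALUE entries."""
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def preload_from_environ(env):
    """LD_PRELOAD accepts colon- or space-separated entries."""
    return env.get("LD_PRELOAD", "").replace(":", " ").split()


def parse_mapped_objects(maps_text):
    """Unique file-backed shared objects from /proc/<pid>/maps, in first-seen order.
    The loader maps whatever it actually loaded here, whether declared via the
    preload file, the environment, or neither."""
    objects = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(parts) == 6 and parts[5].startswith("/") and ".so" in parts[5]:
            if parts[5] not in objects:
                objects.append(parts[5])
    return objects


def untrusted(paths):
    return [p for p in paths if not p.startswith(TRUSTED_LIB_PREFIXES)]


def triage_process(pid, environ_blob, maps_text, preload_file_text=""):
    """Return (pid, finding, path) tuples for one process."""
    declared = list(dict.fromkeys(  # de-duplicate, keep order
        parse_ld_so_preload(preload_file_text)
        + preload_from_environ(parse_environ(environ_blob))))
    mapped = parse_mapped_objects(maps_text)
    findings = [(pid, "declared-preload", p) for p in untrusted(declared)]
    findings += [(pid, "mapped-untrusted-object", p) for p in untrusted(mapped)]
    # Declared but never mapped: the environment or preload file may have been
    # tampered with, or the process is statically linked. Either way, look closer.
    findings += [(pid, "declared-not-mapped", p) for p in declared if p not in mapped]
    return findings


def triage_live_host(proc="/proc", preload_path="/etc/ld.so.preload"):
    """Walk a live /proc. Caveat: a libc-hooking rootkit can filter what this
    dynamically linked interpreter sees, so treat a clean result as provisional and
    confirm with a statically linked reader or an offline image."""
    try:
        with open(preload_path) as f:
            preload_text = f.read()
    except OSError:
        preload_text = ""
    findings = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc}/{name}/environ", "rb") as f:
                environ = f.read()
            with open(f"{proc}/{name}/maps") as f:
                maps = f.read()
        except OSError:
            continue  # process exited or permission denied
        findings.extend(triage_process(int(name), environ, maps, preload_text))
    return findings


# Constructed sample artefacts (not real indicators) for an infected-looking process.
SAMPLE_PRELOAD_FILE = "# constructed sample\n/dev/shm/.x/libpayload.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/dev/shm/.x/libpayload.so\0HOME=/root\0"
SAMPLE_MAPS = """55d1c0a00000-55d1c0a1e000 r--p 00000000 08:01 131108 /usr/bin/bash
7f3a1c000000-7f3a1c022000 r--p 00000000 08:01 2625 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c022000-7f3a1c190000 r-xp 00022000 08:01 2625 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c300000-7f3a1c305000 r-xp 00000000 08:01 9999 /dev/shm/.x/libpayload.so
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for finding in triage_process(4242, SAMPLE_ENVIRON, SAMPLE_MAPS, SAMPLE_PRELOAD_FILE):
        print(finding)
```

Run as-is it triages the constructed sample and reports the declared preload and the untrusted mapped object; on a live machine call triage_live_host() as root. The maps check is the one that matters most here: a library can be removed from LD_PRELOAD or the preload file after injection, but it stays in every process's map until that process restarts.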
News URL
https://www.helpnetsecurity.com/2022/06/10/symbiote-linux-malware/