Why it matters: Earlier this week, researchers at Blackberry and Intezer published information about hard-to-detect Linux malware targeting financial institutions in Latin America. Known as Symbiote, the threat gives unauthorized users the ability to collect credentials or gain remote access to the target machine. Once a machine is infected, the malware hides itself completely and becomes undetectable.


Joachim Kennedy of Intezer and the Blackberry Research and Intelligence Group discovered that the threat is a shared object (SO) library rather than a typical executable that a user must run to infect a host. On an infected machine, the SO is loaded into running processes.


On infected computers, attackers can collect credentials, use remote-access capabilities, and execute commands with elevated privileges they are not authorized to hold. The malware is loaded before any other shared object via the LD_PRELOAD directive, which lets it avoid detection. Loading first also lets the malware make use of the library files that are loaded after it.


In addition to the actions described above, Symbiote can hide the network activity of an infected machine by creating certain temporary files, interfering with packet-filtering bytecode, or filtering UDP traffic through certain packet capture functions. The Blackberry and Intezer blogs provide detailed explanations of each method if you're into the technical details.

The team first detected the threat in financial institutions in Latin America in 2021. The team has since determined that the malware shares no code with any other known malware, classifying it as an entirely new threat to Linux operating systems. Although the new threat is difficult to detect, administrators can use network telemetry to detect anomalous DNS queries. Security analysts and system administrators can also use statically linked antivirus (AV) and endpoint detection and response (EDR) tools to ensure user-level rootkits do not infect target machines.
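The LD_PRELOAD loading described earlier and the detection advice above come together in the following defender-side check, an added example that is not code from the Blackberry or Intezer write-ups. It parses the three places where a preloaded library leaves traces (/etc/ld.so.preload, a process's LD_PRELOAD environment variable, and its memory maps); all sample data is constructed and /tmp/injected.so is a placeholder, not a real indicator.

```python
"""Hunt for LD_PRELOAD-style shared-object injection, the loading technique the article
attributes to Symbiote. Added example, not code from the Blackberry or Intezer write-ups;
all sample data is constructed and /tmp/injected.so is a placeholder, not a real indicator."""
import glob
from pathlib import Path
# Directories where a legitimately installed shared object is expected to live
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")
# Constructed sample artifacts standing in for a compromised host
SAMPLE_PRELOAD = "# comment line\n/tmp/injected.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/injected.so\0HOME=/root\0"
SAMPLE_MAPS = ("7f00 r-xp 00000000 08:01 12 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
               "7f01 r-xp 00000000 08:01 99 /tmp/injected.so\n"
               "7f02 rw-p 00000000 00:00 0\n")

def parse_ld_so_preload(text: str) -> list[str]:
    """Library paths listed in /etc/ld.so.preload; on most hosts the file does not exist at all."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def preload_from_environ(environ: bytes) -> list[str]:
    """LD_PRELOAD entries (colon- or space-separated) from a NUL-separated /proc/<pid>/environ blob."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace").replace(":", " ").split()
    return []

def mapped_libraries(maps: str) -> list[str]:
    """Distinct .so paths mapped into a process, parsed from /proc/<pid>/maps."""
    fields = (line.split(maxsplit=5) for line in maps.splitlines())  # pathname is the 6th field
    return sorted({f[5] for f in fields if len(f) == 6 and ".so" in f[5]})

def untrusted(paths: list[str]) -> list[str]:
    """Keep only libraries living outside the trusted directories."""
    return [p for p in paths if not p.startswith(TRUSTED_LIB_DIRS)]

def scan_host() -> dict[str, list[str]]:
    """Apply the checks to the live host (root is needed to read other users' /proc entries).
    Caveat from the article: a preloaded rootkit that hooks libc can hide these artifacts from a
    dynamically linked interpreter, so confirm with statically linked tools or an offline disk image."""
    out = {"ld_so_preload": [], "env_preload": [], "untrusted_mapped": []}
    ldp = Path("/etc/ld.so.preload")
    if ldp.exists():
        out["ld_so_preload"] = parse_ld_so_preload(ldp.read_text(errors="replace"))
    for proc in glob.glob("/proc/[0-9]*"):
        try:
            env, maps = Path(proc, "environ").read_bytes(), Path(proc, "maps").read_text(errors="replace")
        except OSError:
            continue  # process exited or permission denied
        out["env_preload"] += [f"{proc}: {p}" for p in preload_from_environ(env)]
        out["untrusted_mapped"] += [f"{proc}: {p}" for p in untrusted(mapped_libraries(maps))]
    return out
```

Any non-empty result from scan_host() deserves a look, since a populated /etc/ld.so.preload or an LD_PRELOAD set on a long-running daemon is rare on a healthy host.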