Linux systems were targeted by the new Symbiote malware

June 16, 2022

Symbiote is newly discovered malware that has been spotted compromising running processes on Linux systems. According to reports, it has been under development since last year.

Cybersecurity researchers who analysed the newly discovered malware observed several notable technical capabilities. Once it infects a target, it steals account credentials and gives its operators backdoor access.

Because Symbiote injects itself into every running process, it becomes a system-wide threat while leaving no visible traces of infection, which makes it a difficult piece of malware for security analysts to inspect.

Symbiote malware uses a packet-filter hooking tool to intercept data packets and conceal its C2 servers.

The Symbiote malware uses Berkeley Packet Filter (BPF) hooking to intercept network packets and hide its communication channels from security solutions. The threat actors also use the malware to harvest credentials automatically from compromised Linux devices.

In addition, if the operators steal an administrator's credentials, the malware enables them to move freely and laterally across the infected systems.

Symbiote's primary targets are finance and banking organisations in Brazil and Latin America. Furthermore, the domain names used by the malware operators impersonate major Brazilian banks.

To bypass security solutions, Symbiote injects itself into the packet-inspection software's process and uses BPF hooking to separate its own malicious packets from legitimate ones so that they do not appear in the capture. This only happens when an administrator starts a packet capture on the infected machine to investigate.

The malware also deletes connection entries, performs packet filtering, and filters out UDP traffic to hide its network activity on the compromised Linux device. Symbiote can also hook libpcap and libc functions to conceal its presence in several ways, such as hiding the malicious processes and files distributed with the malware.

Cybersecurity experts describe Symbiote as highly evasive even though it is still under development. Its main focus is capturing credentials and providing backdoor access.

The experts recommend that administrators use network telemetry to spot anomalous DNS requests. Organisations should also consider deploying anti-malware and endpoint detection and response solutions to mitigate the risk from such threats.
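As an added illustration of that recommendation (this is example code, not from the original report or the researchers), the script below scans resolver query logs for domains that reuse a bank brand string without belonging to the bank's genuine domains, and counts which clients asked for them. The log line format, the hypothetical `examplebank` brand and its allowlisted domain are assumptions; because Symbiote's BPF hooks hide its traffic from captures taken on the infected host, the log is assumed to come from an off-host resolver or network sensor.

```python
import re
from collections import Counter

# Constructed sample: query log from an off-host resolver, so Symbiote's
# BPF hooks on the infected machine cannot filter these records.
# Assumed line format: "<timestamp> <client-ip> <query-name>"
SAMPLE_LOG = """\
2022-06-16T10:00:01 10.0.0.5 examplebank.com.br
2022-06-16T10:00:02 10.0.0.5 cdn.examplebank.com.br
2022-06-16T10:00:03 10.0.0.7 examplebank-seguro.com
2022-06-16T10:00:04 10.0.0.7 examplebank-seguro.com
2022-06-16T10:00:05 10.0.0.7 examplebank-seguro.com
2022-06-16T10:00:06 10.0.0.9 login.example-bank.net
2022-06-16T10:00:07 10.0.0.9 news.example.org
"""

# Hypothetical allowlist of the bank's genuine domains and the brand
# strings an impersonating domain would be expected to reuse.
LEGIT_DOMAINS = {"examplebank.com.br"}
BRAND_KEYWORDS = ("examplebank", "example-bank")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def is_legit(name: str) -> bool:
    """True if name is a legitimate bank domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in LEGIT_DOMAINS)


def is_lookalike(name: str) -> bool:
    """Domain reuses a bank brand string but is not a legitimate bank domain."""
    lowered = name.lower()
    return any(k in lowered for k in BRAND_KEYWORDS) and not is_legit(lowered)


def find_suspicious(log_text: str) -> dict:
    """Return {lookalike_domain: Counter({client_ip: query_count})} for review."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname = m.groups()
        if is_lookalike(qname):
            hits.setdefault(qname.lower(), Counter())[client] += 1
    return hits


if __name__ == "__main__":
    for domain, clients in find_suspicious(SAMPLE_LOG).items():
        print(domain, dict(clients))
```

Flagged domains are a starting point for review, not proof of infection; the clients that queried them are the hosts to examine next with endpoint tooling.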
