Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat

Symbiote is a highly evasive Linux threat that infects running processes by loading as a shared object via LD_PRELOAD to gain rootkit capabilities and remote access. Researchers describe its stealthy behavior—hiding itself and other malware, evading live forensics, and exfiltrating data via DNS while targeting Latin American financial institutions. hashtags: #Symbiote #Caixa

Keypoints

  • Symbiote infects Linux by loading as a shared object through LD_PRELOAD, enabling infection of all running processes.
  • It operates as a userland rootkit, hiding its own presence and other malware to evade detection.
  • The malware provides a backdoor and credential harvesting via PAM hooks, including a hardcoded password for remote access.
  • Network evasion is achieved through three methods: hooking fopen/fopen64 to filter reads of /proc/net/tcp, hijacking eBPF filtering, and hooking libpcap to filter UDP traffic.
  • Credential theft and exfiltration occur via hooked libc read, RC4-encrypted storage, and DNS-based data exfiltration to a threat actor domain.
  • Its infrastructure targets Brazilian banks and uses impersonating domains; VirusTotal submissions preceded active infrastructure, suggesting testing/detection evasion.

MITRE Techniques

  • [T1574.006] LD_PRELOAD – The malware is loaded by the linker via the LD_PRELOAD directive. This allows it to be loaded before any other shared objects. ‘Since it is loaded first, it can “hijack the imports” from the other library files loaded for the application.’
  • [T1014] Rootkit – The malware provides rootkit functionality, the ability to harvest credentials, and remote access capability. ‘…rootkit functionality, the ability to harvest credentials, and remote access capability.’
  • [T1056.001] Keylogging – Credential harvesting occurs when ssh/scp processes call hooked read; ‘the credentials are captured when an ssh or scp process calls the function.’
  • [T1036] Masquerading – The malware uses file names that mimic legitimate tools; ‘Some of the file names match those used by Symbiote, while others match names of files suspected to be tools used by the threat actor on the infected machine.’
  • [T1048.003] Exfiltration Over DNS – Data exfiltration occurs via DNS A-record requests to a domain controlled by the threat actor; ‘The data is hex encoded and chunked up to be exfiltrated via DNS address (A) record requests to a domain name controlled by the threat actor.’
  • [T1548.002] Abuse Elevation of Privilege: Setuid – The malware checks the HTTP_SETTHIS environment variable to elevate to root; ‘the malware changes the effective user and group ID to the root user, and then clears the variable before executing the content…’
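The LD_PRELOAD loading described in the key points and in the T1574.006 entry leaves two artefacts a defender can audit: the /etc/ld.so.preload file and the LD_PRELOAD variable in each process's environment. The following script is an added example, not code from the BlackBerry write-up; the allow-list, the sample file contents and the sample environment blobs are constructed assumptions, and the live-system path names are the standard glibc/procfs locations.

```python
"""Audit a Linux host for shared objects injected via LD_PRELOAD.

Added example (not from the Symbiote write-up). It parses the two places a
preloaded library can be declared and reports every library that is not on
an administrator-maintained allow-list.
"""
import os
import re

# Hypothetical allow-list of libraries that are preloaded on purpose
# (e.g. a sanitizer or a monitoring agent). Constructed for illustration.
ALLOWED_PRELOADS = {"/usr/lib/libfakeroot.so"}

# The loader accepts entries separated by whitespace or colons.
_SEPARATORS = re.compile(r"[\s:]+")


def parse_ld_so_preload(text):
    """Return the library paths listed in an /etc/ld.so.preload file.

    '#' starts a comment, exactly as the dynamic loader treats it.
    """
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(entry for entry in _SEPARATORS.split(line) if entry)
    return libs


def parse_environ(raw):
    """Return the LD_PRELOAD value from a /proc/<pid>/environ blob, or None.

    The blob is a sequence of NUL-terminated KEY=VALUE strings.
    """
    for item in raw.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def suspicious_preloads(ld_so_preload_text, environs, allowed=ALLOWED_PRELOADS):
    """Combine both sources and return (source, library) pairs not on the allow-list."""
    findings = []
    for lib in parse_ld_so_preload(ld_so_preload_text):
        if lib not in allowed:
            findings.append(("/etc/ld.so.preload", lib))
    for pid, raw in environs.items():
        value = parse_environ(raw)
        if value is None:
            continue
        for lib in _SEPARATORS.split(value):
            if lib and lib not in allowed:
                findings.append((f"pid {pid} LD_PRELOAD", lib))
    return findings


def collect_live_environs():
    """Read /proc/<pid>/environ for every process (other users' processes need root)."""
    environs = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/environ", "rb") as fh:
                environs[int(name)] = fh.read()
        except OSError:
            continue  # process exited or not readable
    return environs


# Constructed sample data so the checks can be exercised offline.
SAMPLE_LD_SO_PRELOAD = (
    "# managed by config management\n"
    "/usr/lib/libfakeroot.so\n"
    "/usr/local/lib/libinjected.so\n"
)
SAMPLE_ENVIRONS = {
    101: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/lib.so\0HOME=/root\0",
    202: b"PATH=/usr/bin\0HOME=/home/u\0",
}

if __name__ == "__main__":
    try:
        with open("/etc/ld.so.preload") as fh:
            preload_text = fh.read()
    except OSError:
        preload_text = ""
    for source, lib in suspicious_preloads(preload_text, collect_live_environs()):
        print(f"{source}: unexpected preload {lib}")
```

Because a userland rootkit of this kind hooks the very libc calls that open and read files, the page's own point applies to this script: run it as a statically linked binary or from a separate boot medium, and treat a clean result on the live host as weak evidence only.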

Indicators of Compromise

  • [Domain] Banking/financial domain activity – bancodobrasil.dev, caixa.wf
  • [Domain] Impersonating banking domains – caixa.cx, assets.fans
  • [Domain] Credential exfil domains – *.x3206.caixa.cx, *.dev21.bancodobrasil.dev
  • [Process Name] Hidden processes – javaserverx64, javaclientex64
  • [File Name] Hidden files – certbotx64, certbotx86
  • [Port] Hidden ports observed – 43253, 43753
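The T1048.003 entry says stolen data is hex encoded, chunked and sent as A-record queries to attacker-controlled names, and the IoC list gives the credential-exfil domains. A resolver-log scan that keys on both facts is the kind of network telemetry check that still works when the host itself cannot be trusted. This is an added example, not code from the write-up; the log line format, the 16-character hex-label threshold and the sample queries are constructed assumptions, while the two domain suffixes come from the IoC list above.

```python
"""Scan DNS query logs for Symbiote-style hex-chunked exfiltration.

Added example (not from the Symbiote write-up). Each constructed log line
has the form '<timestamp> <client-ip> <qtype> <qname>'.
"""
import re
from collections import namedtuple

# Credential-exfil suffixes from the write-up's IoC list.
EXFIL_SUFFIXES = ("x3206.caixa.cx", "dev21.bancodobrasil.dev")

# Heuristic for names under domains not yet on the IoC list: leading labels
# made only of hex digits whose combined length reaches this many characters.
# The threshold is an assumption chosen to skip short hex-looking labels.
MIN_HEX_CHARS = 16
HEX_LABEL = re.compile(r"^[0-9a-f]+$")

Finding = namedtuple("Finding", "reason client qtype qname decoded")


def parse_query_line(line):
    """Return (timestamp, client, qtype, normalised qname) or None for junk lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return ts, client, qtype.upper(), qname.rstrip(".").lower()


def hex_labels(qname):
    """Return the leading labels of qname that consist only of hex digits."""
    labels = []
    for label in qname.split("."):
        if HEX_LABEL.match(label):
            labels.append(label)
        else:
            break
    return labels


def decode_hex_labels(labels):
    """Join the chunks and decode them; empty string if they are not valid hex."""
    try:
        return bytes.fromhex("".join(labels)).decode("utf-8", errors="replace")
    except ValueError:  # odd length or stray character
        return ""


def classify(qname, client, qtype):
    """Decide whether one query is worth an alert."""
    labels = hex_labels(qname)
    decoded = decode_hex_labels(labels)
    if any(qname == s or qname.endswith("." + s) for s in EXFIL_SUFFIXES):
        return Finding("ioc-domain", client, qtype, qname, decoded)
    if sum(len(l) for l in labels) >= MIN_HEX_CHARS:
        return Finding("hex-chunk-label", client, qtype, qname, decoded)
    return None


def scan(lines):
    """Run classify over every parsable log line; the write-up describes A
    queries, but other record types are checked the same way."""
    findings = []
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue
        _ts, client, qtype, qname = rec
        finding = classify(qname, client, qtype)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: one benign query, two to IoC domains, one
# hex-chunked query to a placeholder domain, and one short hex label that
# should stay below the threshold.
SAMPLE_LOG = """\
2022-06-01T12:00:01Z 10.0.0.5 A www.example.com
2022-06-01T12:00:02Z 10.0.0.5 A 726f6f743a68.756e74657232.x3206.caixa.cx
2022-06-01T12:00:03Z 10.0.0.7 A 1.dev21.bancodobrasil.dev
2022-06-01T12:00:04Z 10.0.0.9 A 6162636465666768696a6b6c.c2-placeholder.test
2022-06-01T12:00:05Z 10.0.0.9 A deadbeef.example.org
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.reason:16} {f.client:10} {f.qname}  decoded={f.decoded!r}")
```

The decoded field is there for triage only: it turns the chunks back into text so an analyst can see at a glance whether a flagged query carries credentials. Queries under the listed suffixes are reported regardless of their labels, since any contact with those names is an indicator on its own.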

Read more: https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat