Symbiote hooks libc and libpcap to hide its activity on Linux, including hiding processes, files, and network connections. It steals credentials from SSH/SCP by hooking the libc read function, encrypts them with RC4, stores them locally, and exfiltrates via DNS to a C2 server. #Symbiote #DNSExfiltration #RC4 #SSH #SCP
Keypoints
- Symbiote is a 64‑bit ELF shared object; the sample analyzed appears to be an early development build, and later analyses describe extended functionality.
- The malware hides activity by implementing hidden_proc and hidden_file to obscure processes and files used during its actions.
- It can hide network connections by filtering a list of ports and by hijacking injected packet filtering bytecode.
- Credential theft targets SSH and SCP by hooking the libc read function and acting as a keylogger for those processes.
- Stolen credentials are encrypted (RC4) and written to a local file before being exfiltrated to a DNS-based C2 channel; the exfiltration uses DNS requests with a specific domain.
- Its operations rely on dynamic resolution of functions (via dlsym) and extensive use of Linux APIs (e.g., getaddrlist, getifaddrs, getnameinfo) to enumerate system information and craft DNS data.
MITRE Techniques
- [T1056.001] Keylogging – The malware activates a keylogger when an SSH or SCP process calls the libc read function: ‘If an SSH or SCP process is calling the libc read function, then hook_read is set to keylogger’.
- [T1564.001] Hide Artifacts: Hidden Files and Directories – The malware hooks the following libc and PAM functions: fopen, fopen64, pam_authenticate, pam_set_item, read, readdir, readdir64, and recvmsg; it implements hidden_proc and hidden_file to conceal its processes and files.
- [T1049] System Network Connections Discovery – When an application tries to open the “/proc/net/tcp” file, which contains all TCP connections, the execution flow of the hooked function is different: ‘The file is read … /proc/net/tcp …’
- [T1048.003] Exfiltration Over DNS – The encrypted credentials are hex-encoded, split into chunks, and exfiltrated via DNS requests to a domain owned by the threat actor.
- [T1027] Obfuscated/Compressed Files and Information – The credentials extracted from SSH or SCP are encrypted using the RC4 algorithm (key = “suporte42atendimento53log”).
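As an added forensic example (not code from the original analysis), the following recovers credentials from the DNS channel described above by reversing the reported steps: collect queries under the C2 domain, hex-decode, then RC4-decrypt with the reported key. The C2 domain and key are taken from this page; the BIND-style log line shape, one hex chunk per query as the leftmost label, and in-order arrival are assumptions, and the sample log is constructed with the same RC4 routine rather than captured.

```python
import re

C2_DOMAIN = "px32.nss.atendimento-estilo.com"  # IoC from the report, defanging removed
RC4_KEY = b"suporte42atendimento53log"          # RC4 key reported in the analysis
# Assumed log shape (BIND-style query log); adjust the pattern to your resolver.
QUERY_RE = re.compile(r"query: (\S+?)\.? IN A\b")

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric, so the same call decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def exfil_labels(lines):
    """Return the hex-looking leftmost label of each query under the C2 domain."""
    labels = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group(1).lower()
        if name.endswith("." + C2_DOMAIN):
            label = name.split(".")[0]
            if re.fullmatch(r"[0-9a-f]+", label):  # ignore non-payload lookups
                labels.append(label)
    return labels

def recover_credentials(lines) -> bytes:
    """Reassemble chunks in arrival order, hex-decode, RC4-decrypt."""
    return rc4(RC4_KEY, bytes.fromhex("".join(exfil_labels(lines))))

def constructed_log(secret: bytes, chunk: int = 16):
    """Constructed sample log (not a real capture): one hex chunk per query, plus an unrelated lookup."""
    ct = rc4(RC4_KEY, secret).hex()
    lines = ["client 10.0.0.5#53211: query: www.example.org IN A +"]
    for off in range(0, len(ct), chunk):
        lines.append(f"client 10.0.0.5#53211: query: {ct[off:off + chunk]}.{C2_DOMAIN} IN A +")
    return lines
```

Running `recover_credentials(constructed_log(b"user:pass123\n"))` returns the original bytes; against real resolver logs, confirm the chunk ordering and label layout from a capture before trusting the reassembled output.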
Indicators of Compromise
- [SHA256] 121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924 – Sample hash for the Symbiote ELF binary
- [Domain] px32.nss.atendimento-estilo[.]com – C2 DNS exfiltration domain
- [File] /usr/include/linux/usb/usb.h – Created/written file to store credentials
- [File] /tmp/resolv.conf – Used to locate a DNS nameserver if present
- [IP] 8.8.8.8 – Google DNS fallback for DNS-based exfiltration
- [File] /proc/self/exe – Path used to locate the SSH/SCP executable for keylogging
- [Process] certbotx64, certbotx86 – Processes that are targeted for hiding
Read more: https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/