New Linux Malware 'Nearly Impossible to Detect'

So-called Symbiote malware, first found targeting financial institutions, contains stealthy rootkit capabilities.

Dark Reading Staff, Dark Reading

June 10, 2022

1 Min Read
Illustration of an infected motherboard lit up by malware, with a red bug superimposed on the CPU
Source: Alexander Yakimov via Shutterstock

A new malware variant attacking Linux systems that steals credentials and allows for remote access to victim machines camouflages so well that the researchers studying it say they can't conclude if it's being used in targeted or larger-scale attack campaigns.

Security researchers from Intezer and BlackBerry's Research & Intelligence Team say the so-called Symbiote malware is unusual in that it's not a pure executable file: it's actually a shared object library that loads itself into a machine's running processes using the LD_Preload file in Linux. "Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability," the researchers wrote in a blog post this week.

Symbiote was first sighted in November of 2021, they said, and at the time appeared to be created for attacking financial institutions in Latin America.

"Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware. In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges," the researchers wrote.

While detecting the rootkit is a major challenge, the researchers said organizations should watch for anomalous DNS requests. But relying on antivirus and endpoint detection and response tools to detect it is moot: They can be compromised by the rootkit since it's embedded in "userland," the researchers warned.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights