New ultra-stealthy Linux backdoor isn’t your everyday malware discovery

Scientists have unearthed a discovery that does not manifest all that frequently in the realm of malware: a mature, by no means-ahead of-found Linux backdoor that employs novel evasion approaches to conceal its presence on infected servers, in some situations even with a forensic investigation.

On Thursday, scientists from Intezer and The BlackBerry Threat Analysis & Intelligence Team explained that the earlier undetected backdoor combines higher stages of obtain with the capability to scrub any indicator of infection from the file procedure, technique procedures, and community traffic. Dubbed Symbiote, it targets monetary establishments in Brazil and was 1st detected in November.

Scientists for Intezer and BlackBerry wrote:

What tends to make Symbiote distinct from other Linux malware that we commonly come throughout, is that it wants to infect other operating procedures to inflict injury on infected equipment. Instead of becoming a standalone executable file that is run to infect a device, it is a shared item (SO) library that is loaded into all jogging processes working with LD_PRELOAD (T1574.006), and parasitically infects the equipment. After it has infected all the jogging processes, it delivers the threat actor with rootkit operation, the skill to harvest qualifications, and remote access ability.

With the enable of LD_PRELOAD, Symbiote will load in advance of any other shared objects. That lets the malware to tamper with other library files loaded for an application. The image beneath shows a summary of all of the malware’s evasion procedures.

BPF in the impression refers to the Berkeley Packet Filter, which lets persons to conceal malicious community targeted traffic on an infected machine.

“When an administrator starts off any packet seize resource on the contaminated device, BPF bytecode is injected into the kernel that defines which packets should really be captured,” the researchers wrote. “In this approach, Symbiote adds its bytecode initially so it can filter out network visitors that it does not want the packet-capturing software program to see.”

A single of the stealth procedures Symbiote uses is recognized as libc purpose hooking. But the malware also employs hooking in its purpose as a info-theft tool. “The credential harvesting is done by hooking the libc read function,” the researchers wrote. “If an ssh or scp method is calling the purpose, it captures the qualifications.”

So significantly, there is no evidence of bacterial infections in the wild, only malware samples discovered on the web. It’s unlikely this malware is greatly lively at the second, but with stealth this sturdy, how can we be sure?