
New ultra-stealthy Linux backdoor isn't your everyday malware discovery

Stylized illustration of binary code.

Researchers have unearthed a discovery that doesn't happen all that often in the realm of malware: a mature, never-before-seen Linux backdoor that uses novel evasion techniques to conceal its presence on infected servers, in some cases even during a forensic investigation.

On Thursday, researchers from Intezer and the BlackBerry Threat Research & Intelligence Team said that the previously undetected backdoor combines high levels of access with the ability to scrub any sign of infection from the file system, system processes, and network traffic. Dubbed Symbiote, it targets financial institutions in Brazil and was first detected in November.

Researchers for Intezer and BlackBerry wrote:

What makes Symbiote different from other Linux malware that we usually come across is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.

With the help of LD_PRELOAD, Symbiote is loaded before any other shared object. That allows the malware to tamper with the other library files loaded for an application. The image below shows a summary of all of the malware's evasion techniques.

BPF in the image refers to the Berkeley Packet Filter, which the malware uses to conceal malicious network traffic on an infected machine.

"When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured," the researchers wrote. "In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn't want the packet-capturing software to see."

One of the stealth techniques Symbiote uses is known as libc function hooking. But the malware also uses hooking in its role as a data-theft tool. "The credential harvesting is performed by hooking the libc read function," the researchers wrote. "If an ssh or scp process is calling the function, it captures the credentials."
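A defender-side starting point for the two mechanisms described above (loading via LD_PRELOAD and hooking libc inside every process) is to look at where a preload setting comes from and which shared objects each process actually has mapped. The following is an added example written for this page; it is not code from the Intezer/BlackBerry report or from the article. It parses the raw contents of `/etc/ld.so.preload`, `/proc/<pid>/environ` and `/proc/<pid>/maps`, so it can be exercised on captured or constructed data as well as on a live host. `TRUSTED_LIB_DIRS`, the function names and the sample data are assumptions and constructed values, not anything from the report.

```python
"""Preload-interposition triage for Linux hosts (added example, not report code)."""
import os
import re

# Assumption: directories a distribution normally installs shared objects into.
# Anything mapped from elsewhere is "worth a look", not proof of malware.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def parse_ld_so_preload(text: str) -> list:
    """Return library paths listed in an /etc/ld.so.preload file.

    ld.so accepts whitespace-separated paths and '#' comments; a populated file
    on a host with no known reason for one is itself a finding.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def preload_from_environ(environ: bytes) -> list:
    """Extract LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob."""
    for item in environ.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            value = item[len(b"LD_PRELOAD="):].decode("utf-8", errors="replace")
            # ld.so splits LD_PRELOAD on colons or whitespace
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []


def untrusted_mapped_objects(maps_text: str) -> list:
    """List shared objects in a /proc/<pid>/maps dump that live outside TRUSTED_LIB_DIRS."""
    found = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5].strip()
        if ".so" not in os.path.basename(path):
            continue
        if not path.startswith(TRUSTED_LIB_DIRS) and path not in found:
            found.append(path)
    return found


def triage_process(environ: bytes, maps_text: str) -> dict:
    """Combine the per-process indicators into one record."""
    return {
        "ld_preload": preload_from_environ(environ),
        "untrusted_objects": untrusted_mapped_objects(maps_text),
    }


def scan_live_system(proc_root: str = "/proc", preload_file: str = "/etc/ld.so.preload") -> dict:
    """Walk /proc on a real host; returns only processes with at least one indicator."""
    findings = {"ld_so_preload": [], "processes": {}}
    if os.path.exists(preload_file):
        with open(preload_file) as fh:
            findings["ld_so_preload"] = parse_ld_so_preload(fh.read())
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as fh:
                environ = fh.read()
            with open(os.path.join(proc_root, pid, "maps")) as fh:
                maps_text = fh.read()
        except OSError:
            continue  # process exited, or we lack permission
        record = triage_process(environ, maps_text)
        if record["ld_preload"] or record["untrusted_objects"]:
            findings["processes"][int(pid)] = record
    return findings


# Constructed sample data (not from a real infection) so the parsers run offline.
SAMPLE_PRELOAD_FILE = "# added by some package\n/usr/local/lib/libfoo.so\n\n/tmp/.hidden/libnet.so  /usr/lib/libbar.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.hidden/libnet.so:/usr/lib/libbar.so\0HOME=/root\0"
SAMPLE_MAPS = (
    "55d0c0a00000-55d0c0a01000 r--p 00000000 fd:01 1234 /usr/bin/sshd\n"
    "7f1a00000000-7f1a00021000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f1a00100000-7f1a00105000 r-xp 00000000 fd:01 9012 /tmp/.hidden/libnet.so\n"
    "7f1a00200000-7f1a00201000 rw-p 00000000 00:00 0\n"
    "7f1a00300000-7f1a00305000 r-xp 00000000 fd:01 9012 /tmp/.hidden/libnet.so\n"
)

if __name__ == "__main__":
    print("ld.so.preload entries:", parse_ld_so_preload(SAMPLE_PRELOAD_FILE))
    print("sample process:", triage_process(SAMPLE_ENVIRON, SAMPLE_MAPS))
    if os.path.isdir("/proc"):
        print("live scan:", scan_live_system())
```

The caveat that matters with this family: a Python interpreter also reads `/proc` through libc, so an implant that hooks `read` or `readdir` in every process can filter what this script sees just as it filters what `ls` or `ps` see. Treat a clean live result as weak evidence, and compare it with a statically linked tool, an eBPF-based view from the kernel side, or an offline look at the disk image.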

So far, there is no evidence of infections in the wild, only malware samples found online. It's unlikely this malware is widely active at the moment, but with stealth this robust, how can we be sure?


