Linux malware ‘Symbiote’ used to attack Latin American financial sector
Researchers at BlackBerry and Intezer have discovered a new Linux malware named “Symbiote” that is being used to target financial institutions across Latin America.
Joakim Kennedy, security researcher at Intezer, and the BlackBerry Research & Intelligence Team released a report last week highlighting the financially motivated campaign, noting that what makes Symbiote different from other Linux malware is that “it needs to infect other running processes to inflict damage on infected machines.”
“Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability,” the researchers said.
BlackBerry threat researcher Dmitry Bestuzhev told The Record that Symbiote is a targeted, financially motivated campaign that lives on Linux and relies on the BPF hooking technique, which he said was previously used by one of the most advanced APT threat actors.
“The fact the threat actor behind this campaign reused the BPF functionality tells it might be used against any target anywhere in the world,” Bestuzhev explained.
“Given the implant submitter’s geolocation, the format of the domain names used for C2C, and the apparent familiarity of Brazil’s institutions, we believe the threat actor is high-likely connected to that country. Since Linux ecosystems usually are end-point free systems, it makes them a perfect spot for such attacks, where flying under the radar is a reality.”
The researchers said they discovered Symbiote in November 2021, explaining that once it has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect.
The malware is very difficult to discover during forensic investigations and provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges. The malware even has functionality that hides network activity on the infected machine.
This ability to work undetected has made it difficult for researchers to know how widespread the campaign truly is. The threat actors even used VirusTotal to test whether it could be detected.
“The malware’s objective, in addition to hiding malicious activity on the machine, is to harvest credentials and to provide remote access for the threat actor,” the researchers explained.
“In addition to storing the credentials locally, the credentials are exfiltrated. The data is hex encoded and chunked up to be exfiltrated via DNS address record requests to a domain name controlled by the threat actor.”
The report notes that Symbiote uses domain names impersonating major Brazilian banks, suggesting that “these banks or their customers are the potential targets.”
One sample examined by researchers “resolved to an IP address that is linked to Njalla’s Virtual Private Server (VPS) service.”
“Passive DNS records showed that the same IP address was resolved to ns1[.]cintepol[.]link and ns2[.]cintepol[.]link a few months earlier. Cintepol is an intelligence portal provided by the Federal Police of Brazil,” the report said.
“The portal allows police officers to access different databases provided by the federal police as part of their investigations. The nameserver used for this impersonating domain name was active from the middle of December 2021 to the end of January 2022.”
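The exfiltration pattern the researchers describe above (hex-encoded data chunked into DNS address record requests) can be hunted for in resolver query logs. The following detection sketch is an added example, not code from the report or from the malware: the log format, the domain names, the thresholds and the function names are assumptions, and the sample lines are constructed. The page does not give Symbiote's actual chunk size or label layout.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (timestamp, client, qtype, qname); not real data.
SAMPLE_LOG = """\
2022-01-10T10:00:01 10.0.0.5 A www.example.org
2022-01-10T10:00:02 10.0.0.7 A 70617373776f72643d73656372657431.c2.example.net
2022-01-10T10:00:02 10.0.0.7 A 757365723d726f6f743b686f73743d77.c2.example.net
2022-01-10T10:00:03 10.0.0.7 A 6562303126746f6b656e3d6162636465.c2.example.net
2022-01-10T10:00:04 10.0.0.5 A cafe.example.org
2022-01-10T10:00:05 10.0.0.9 A 70617373776f72643d73656372657431.cdn.example.com
"""

# Even-length lowercase hex, 16..62 characters (a DNS label holds at most 63).
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){8,31}$")


def parse(line):
    """Split one log line into (client, qtype, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")


def find_hex_exfil(log_text, min_chunks=3):
    """Return {(client, parent_domain): decoded_bytes} for address-record lookups
    whose leftmost label is hex and that hit one parent domain min_chunks+ times."""
    chunks = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[1] not in ("A", "AAAA"):
            continue
        client, _, qname = rec
        labels = qname.split(".")
        if len(labels) < 3 or not HEX_LABEL.match(labels[0]):
            continue  # short words such as "cafe" are hex-like but too short
        key = (client, ".".join(labels[1:]))
        if labels[0] not in chunks[key]:  # ignore resolver retries
            chunks[key].append(labels[0])
    return {key: bytes.fromhex("".join(vals))
            for key, vals in chunks.items() if len(vals) >= min_chunks}


if __name__ == "__main__":
    for (client, parent), data in find_hex_exfil(SAMPLE_LOG).items():
        print(f"{client} -> {parent}: {len(data)} bytes, preview {data[:24]!r}")
```

Because the report says Symbiote hides network activity on the infected host itself, logs of this kind are best collected at the resolver or on the network rather than on the suspect machine.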