Categories: News

Linux Symbiote Malware: Attack on the financial sector

Researchers at BlackBerry and Intezer have discovered new Linux malware called “Symbiote”, which is used to target financial institutions across Latin America.

Joakim Kennedysecurity researcher at Intezerand the BlackBerry Research & Intelligence Team, released a report last week highlighting what it does Symbiote different from the others malware Linux, is that it has to infect other running processes to inflict damage on infected machines.

Instead of being a self-executable file, it is run to infect a machine, it is a shared object library (OS) that is loaded into all running processes using LD_PRELOAD (T1574.006)and infects parasitically the car. Once it has infected all the running processes, it provides the threat actor with functionality rootkit. Ability to collect credentials and remote access capability.

The statements of Dmitry Bestuzhev

The Threat Seeker BlackBerry, Dmitry Bestuzhev stated a The Record, that Symbiote is a focused and financially motivated campaign that lives on Linux and is based on the technique of hooking BFP. According to him, it was previously used as one of the most advanced threat actors APT.

Bestuzhev has explained:

The fact that the threat actor behind this campaign reused the BPF functionality indicates that it could be used against any target anywhere in the world. Given the geolocation of the plant applicant, the format of the domain names used for C2C and the apparent familiarity of Brazilian institutions, we believe that the actor of the threat is most likely related to that country. Since Linux ecosystems are usually endpoint-less systems, it makes them a perfect place for such attacks, where flying under the radar is a reality.

I researchers claimed to have discovered Symbiote in November 2021explaining that once it has infected a machine, hides itself and any other malware used by the actor of the threat, making the infections that are very difficult to detect.

Malware is very difficult to detect during forensic investigations and provides a backdoor for the threat actor to log on as any user on the machine with a hard-coded password and execute commands with the highest privileges. The malware also has features that hide network activity on the infected machine.

The difficulty for researchers to find the threat

This ability to work unnoticed made it difficult for researchers to know how widespread the campaign really is. Threat actors even used VirusTotal to see if it could be detected.

The researchers explained:

The goal of the malware, in addition to hiding malicious activity on the machine, is to collect credentials and provide remote access to the threat actor. In addition to storing the credentials locally, the credentials are exfiltrated. The data is encoded in hexadecimal and broken into chunks to be exfiltrated via DNS address record requests to a domain name controlled by the threat actor.

The report notes that Symbiote uses domain names that impersonate the main ones Brazilian banks, suggesting that these banks or their customers are potential targets. A sample examined by the researchers found an address IP connected to the service Virtual Private Server (VPS) di Njalla.

I record DNS passivi showed that the same IP address was resolved to ns1[.]cintepol[.]link e ns2[.]cintepol[.]link a few months earlier. Cintepol is a portal of intelligence provided by federal police of Brazil. The portal allows police officers to access different databases provided by federal police as part of their investigations. The server used for this impersonated domain name was activated in mid-December 2021 until the end of January 2022.

What do you think of this Linux “Symbiote” malware used to attack the financial sector of Latin America? Let us know below in the comments. Don’t forget to follow us on our Instagram page, on all our other social networks and to stay connected on

Published by
Marco Dellapina

Recent Posts

Meta admits the forced removal of abortion pill posts

In these last hours we talk about nothing but the Roe ruling, the right to…

20 mins ago

QVC, from the pioneer of TV shopping to the likeQ streaming app

Born in the United States in 1986 as a TV broadcaster, QVC knows how to…

55 mins ago

The University of San Diego has developed an app to detect Alzheimer’s

The researchers of the'University of San Diego in California they achieved an app capable of…

2 hours ago

Cinema d’iDEA, from De Andrè’s story to women’s cinema

Cinema d'iDEA makes its return with the sixth edition, let's see together the program of…

2 hours ago

Spotify RADAR For Podcasters arrives in Italy: this is what it is

Good news for emerging podcasters. Spotify has in fact launched the program in 14 countries,…

2 hours ago

The new generation Fire 7 tablet arrives in Italy

Amazon announces the arrival in Italy of Fire 7 (2022), the new generation of its…

3 hours ago