Linux Symbiote Malware: Attack on the financial sector

Researchers at BlackBerry and Intezer have discovered new Linux malware called “Symbiote”, which is used to target financial institutions across Latin America.

Joakim Kennedysecurity researcher at Intezerand the BlackBerry Research & Intelligence Team, released a report last week highlighting what it does Symbiote different from the others malware Linux, is that it has to infect other running processes to inflict damage on infected machines.

Instead of being a self-executable file, it is run to infect a machine, it is a shared object library (OS) that is loaded into all running processes using LD_PRELOAD (T1574.006)and infects parasitically the car. Once it has infected all the running processes, it provides the threat actor with functionality rootkit. Ability to collect credentials and remote access capability.

The statements of Dmitry Bestuzhev

The Threat Seeker BlackBerry, Dmitry Bestuzhev stated a The Record, that Symbiote is a focused and financially motivated campaign that lives on Linux and is based on the technique of hooking BFP. According to him, it was previously used as one of the most advanced threat actors APT.

Bestuzhev has explained:

The fact that the threat actor behind this campaign reused the BPF functionality indicates that it could be used against any target anywhere in the world. Given the geolocation of the plant applicant, the format of the domain names used for C2C and the apparent familiarity of Brazilian institutions, we believe that the actor of the threat is most likely related to that country. Since Linux ecosystems are usually endpoint-less systems, it makes them a perfect place for such attacks, where flying under the radar is a reality.

I researchers claimed to have discovered Symbiote in November 2021explaining that once it has infected a machine, hides itself and any other malware used by the actor of the threat, making the infections that are very difficult to detect.

Malware is very difficult to detect during forensic investigations and provides a backdoor for the threat actor to log on as any user on the machine with a hard-coded password and execute commands with the highest privileges. The malware also has features that hide network activity on the infected machine.

The difficulty for researchers to find the threat

This ability to work unnoticed made it difficult for researchers to know how widespread the campaign really is. Threat actors even used VirusTotal to see if it could be detected.

The researchers explained:

The goal of the malware, in addition to hiding malicious activity on the machine, is to collect credentials and provide remote access to the threat actor. In addition to storing the credentials locally, the credentials are exfiltrated. The data is encoded in hexadecimal and broken into chunks to be exfiltrated via DNS address record requests to a domain name controlled by the threat actor.

The report notes that Symbiote uses domain names that impersonate the main ones Brazilian banks, suggesting that these banks or their customers are potential targets. A sample examined by the researchers found an address IP connected to the service Virtual Private Server (VPS) di Njalla.

I record DNS passivi showed that the same IP address was resolved to ns1[.]cintepol[.]link e ns2[.]cintepol[.]link a few months earlier. Cintepol is a portal of intelligence provided by federal police of Brazil. The portal allows police officers to access different databases provided by federal police as part of their investigations. The server used for this impersonated domain name was activated in mid-December 2021 until the end of January 2022.

What do you think of this Linux “Symbiote” malware used to attack the financial sector of Latin America? Let us know below in the comments. Don’t forget to follow us on our Instagram page, on all our other social networks and to stay connected on TechGameWorld.com.