They've dubbed it Symbiote, and it was named because of its parasitic nature.

Actual discovery of the strain occurred a few months ago but the team has been studying it since.  It is markedly different from most of the Linux malware you see today, as it acts as a shared object library that is loaded on all running processes via LD_PRELOAD.

Once the malicious code has its hooks in a target machine, it provides the hackers controlling it with rootkit functionality.

The earliest samples of this strain date back to November 2021, and based on an analysis of its code, its primary targets were intended to be financial institutions located in Latin America.

The researchers had this to say about their recent discovery:

"When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured.  In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn't want the packet-capturing software to see. When we first analyzed the samples with Intezer Analyze, only unique code was detected.  As no code is shared between Symbiote and Ebury/Windigo or any other known [Linux] malware, we can confidently conclude that Symbiote is a new, undiscovered Linux malware."

The Linux ecosystem isn't targeted as often as Apple, Windows, or Android. So the fact that this new threat has emerged is noteworthy indeed.  If you have any Linux infrastructure on your network, be sure to stay aware of this new potential threat.

Used with permission from Article Aggregator