"Symbiote Is Parasitic Malware That Provides Rootkit-Level Functionality"
The BlackBerry Threat Research & Intelligence team, in collaboration with Intezer security researcher Joakim Kennedy, detailed a new form of Linux malware dubbed Symbiote, which is said to be almost impossible to detect because of its parasitic nature. According to the team, Symbiote differs from typical Linux malware in that it acts as a Shared Object (SO) library that is loaded into all running processes via LD_PRELOAD rather than attempting to compromise running processes. The team says the SO library "parasitically" infects a target machine, and once it is thoroughly implanted in the system, the malware gives rootkit functionality to the attackers. One of the several interesting features of Symbiote is that it employs Berkeley Packet Filter (BPF) hooking, a capability designed to conceal malicious traffic on an infected machine. The first sample dates back to November 2021 and appears to have been created to be used against banking firms in Latin America. However, because the malware is new and evasive, the researchers are unsure whether Symbiote is being used in targeted or broad attacks, if at all. This article continues to discuss the discovery and capabilities of the Symbiote Linux malware.
ZDNet reports "Symbiote Is Parasitic Malware That Provides Rootkit-Level Functionality"
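A defender-side audit for the LD_PRELOAD loading mechanism described above, added here as an example; it is not code from the BlackBerry/Intezer write-up or from ZDNet. It inspects the two places the glibc dynamic loader takes preload libraries from, the system-wide /etc/ld.so.preload file and the LD_PRELOAD variable in each process's /proc/PID/environ, and uses constructed sample data so it runs offline.

```shell
#!/bin/sh
# Audit a Linux host for LD_PRELOAD-style shared-object injection.
# Caveat: a preload rootkit hooks libc inside every process, so tools run on
# the infected host can be lied to about files and processes. Run this from a
# trusted environment (static binaries, or against an offline-mounted image).

# Print the active entries of an ld.so.preload file (comments/blank lines
# dropped). Argument: path to the file, default /etc/ld.so.preload.
preload_entries() {
    f="${1:-/etc/ld.so.preload}"
    [ -r "$f" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$f"
}

# Read a NUL-separated environ blob on stdin and print the LD_PRELOAD value.
env_preload() {
    tr '\0' '\n' | sed -n 's/^LD_PRELOAD=//p'
}

# Walk /proc and report "PID value" for every process with LD_PRELOAD set.
scan_proc_environ() {
    for e in /proc/[0-9]*/environ; do
        pid="${e#/proc/}"; pid="${pid%/environ}"
        v="$(env_preload 2>/dev/null < "$e")" || continue
        [ -n "$v" ] && printf '%s %s\n' "$pid" "$v"
    done
}

# Constructed sample data (not real indicators) so the example runs offline.
tmp="$(mktemp -d)"
printf '# system preload list\n\n/usr/lib/libsample.so\n' > "$tmp/ld.so.preload"
printf 'PATH=/usr/bin\0LD_PRELOAD=/tmp/sample.so\0HOME=/root\0' > "$tmp/environ"

echo "preload file entries:"; preload_entries "$tmp/ld.so.preload"
echo "LD_PRELOAD in sample environ:"; env_preload < "$tmp/environ"
rm -rf "$tmp"
```

On a live host, call `scan_proc_environ` and `preload_entries` with no arguments; any output is worth explaining, since neither location is populated on a default install.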