Stylized illustration of binary code.

A mature, never-before-seen Linux backdoor that uses novel evasion techniques to hide its presence on the server has been discovered by researchers.

The previously undetected back door combines high levels of access with the ability to scrub any sign of infections from the file system, system processes, and network traffic. It was first detected in November.

The researchers for Intezer andBlackBerry wrote.

What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.

Advertisement

Symbiote will load before any other objects. The library files that are loaded for an application are vulnerable to being tampered with. A summary of the evasions techniques is shown in the image below.

The Berkeley Packet Filter is a piece of software that can be used to hide network traffic.

The researchers wrote that when an administrator starts any packet capture tool, BPF bytecode is injected into the kernels that defines which packets should be captured Symbiote adds its bytecode first so that it can exclude network traffic that it doesn't want the packet-capturing software to see.

libc function hooking is a stealth technique used by Symbiote. Hooking is a data-theft tool used by the Malware. The researchers said that the credential harvesting is done by hooking the libc read function. The credentials are captured if the function is called.

There is no evidence of infections in the wild yet. With stealth this robust, how can we be certain?