Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat
by Dr. Joakim Kennedy
June 9, 2022
BlackBerry Blog
https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat
| Notes |
|---|
| Symbiote |
| Linux malware |
| BlackBerry |
| Intezer |
| security researcher |
| LD_PRELOAD |
| shared object |
| rootkit |
| credential harvester |
| remote access |
| earliest detection for Symbiote was November 2021 |
| targeted financial sector in Latin America (LATAM) |
| malware |
| live forensics |
| backdoor |
| hardcoded password |
| command execution |
| root user |
| Berkeley Packet Filter hooking |
| hooking |
| dewdrop (Equation Group) https://reverse.put.as/2021/12/17/knock-knock-whos-there/ |
| hides malicious network traffic |
| hides processes |
| hides files |
| BPF malware |
| libc |
| libpcap |
| RC4 |
| procfs |
| malicious process names: certbotx64, certbotx86, javautils, javaserverx64, javaclientex64, javanodex86 |
| ldd command |
| execve |
| LD_TRACE_LOADED_OBJECTS |
| dynamic linker |
| ld.so |
| hexadecimal |
| linux-vdso (VDSO) |
| ld-linux |
| hooks execve, fopen, fopen64 |
| /proc/net/tcp |
| file descriptor |
| virtual machine |
| bytecode |
| hooks setsockopt – SO_ATTACH_FILTER |
| uses ports 43253, 43753, 63424, 26424 (IPv4 or IPv6) |
| hooks libpcap functions pcap_loop, pcap_stats |
| UDP, TCP |
| hooks libc read function to capture ssh/scp credentials |
| writes captured credentials to /usr/include/certbot.h |
| DNS |
| A record |
| DNS exfiltration: PACKET_NUMBER.MACHINE_ID.HEX_ENCODED_PAYLOAD.DOMAIN_NAME |
| checks /etc/resolv.conf, uses 8.8.8.8 (Google DNS) if not configured |
| PAM |
| hooks PAM functions to provide backdoor access via hardcoded passwords |
| SSH |
| exfiltrates passwords gleaned from PAM |
| DNS TXT record request |
| keylogger |
| base64 |
| ed25519 |
| private key |
| shell script |
| bash |
| HTTP_SETTHIS environment variable backdoor for privilege escalation |
| suid root |
| VirusTotal |
| dnscat2 |
| git[.]bancodobrasil[.]dev ns1[.]cintepol[.]link ns2[.]cintepol[.]link caixa[.]wf |
| Njalla’s Virtual Private Server service |
| VPS |
| IP address |
| passive DNS |
| Cintepol http://www.seplag.mt.gov.br/index.php?pg=ver&id=300&c=38 |
| Federal Police of Brazil |
| antivirus |
| Brazil |
| Symbiote has similarities with Ebury |
| OpenSSH |
| no code reuse between Symbiote and Ebury/Windigo, or any other known malware |
| Intezer Analyze |
| EDR |
| recommendation: monitor for anomalous DNS requests |
| userland rootkit |
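Added example (my own code, not from the BlackBerry write-up): an offline detector for the DNS exfiltration names noted above, PACKET_NUMBER.MACHINE_ID.HEX_ENCODED_PAYLOAD.DOMAIN_NAME, combined with the generic DNS-tunnelling heuristics that the "monitor for anomalous DNS requests" recommendation implies (long hex-only labels, high-entropy subdomains, many one-off subdomains under one domain, lookups toward the domains the write-up lists). The resolver log is constructed; `c2-test.invalid`, the machine ID `4f1a2b3c`, the thresholds and the two-label registrable-domain guess are assumptions for illustration.

```python
"""Offline detector for DNS queries shaped like Symbiote's exfiltration names
(PACKET_NUMBER.MACHINE_ID.HEX_ENCODED_PAYLOAD.DOMAIN_NAME) plus generic
DNS-tunnelling heuristics. Added example, not code from the write-up."""
import math
import re
from collections import defaultdict

# Infrastructure named in the BlackBerry write-up (listed there in defanged form).
KNOWN_C2_DOMAINS = {"git.bancodobrasil.dev", "ns1.cintepol.link",
                    "ns2.cintepol.link", "caixa.wf"}
HEX_LABEL = re.compile(r"^[0-9a-f]+$")


def shannon_entropy(s):
    """Bits per character; hex or base64 payloads score higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_symbiote_query(qname):
    """Return (packet_number, machine_id, payload_bytes, base_domain) when qname
    matches PACKET_NUMBER.MACHINE_ID.HEX_ENCODED_PAYLOAD.DOMAIN_NAME, else None."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 5:          # number + id + payload + at least a 2-label domain
        return None
    pkt, mid, payload = labels[0], labels[1], labels[2]
    if not pkt.isdigit() or not HEX_LABEL.match(mid) or not HEX_LABEL.match(payload):
        return None
    if len(payload) < 4 or len(payload) % 2:   # hex bytes come in pairs
        return None
    return int(pkt), mid, bytes.fromhex(payload), ".".join(labels[3:])


def is_known_c2(qname):
    """True if qname is, or sits under, one of the write-up's listed domains."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in KNOWN_C2_DOMAINS)


def analyze(queries, churn_threshold=50):
    """queries: iterable of (client, qtype, qname). Returns a list of alert dicts
    with the reasons each query (or domain) was flagged."""
    alerts = []
    subs_per_domain = defaultdict(set)
    for client, qtype, qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        base = ".".join(labels[-2:])          # crude registrable-domain guess (assumption)
        sub_labels = labels[:-2]
        reasons = []
        decoded = decode_symbiote_query(qname)
        if decoded:
            reasons.append("symbiote-exfil-pattern")
        if is_known_c2(qname):
            reasons.append("known-symbiote-domain")
        if sub_labels:
            subs_per_domain[base].add(".".join(sub_labels))
            longest = max(sub_labels, key=len)
            if len(longest) >= 24 and HEX_LABEL.match(longest):
                reasons.append("long-hex-label")
            joined = "".join(sub_labels)
            if len(joined) >= 24 and shannon_entropy(joined) > 3.5:
                reasons.append("high-entropy-subdomain")
        if reasons:
            alerts.append({"client": client, "qtype": qtype, "qname": qname,
                           "reasons": reasons, "decoded": decoded})
    for base, subs in subs_per_domain.items():
        if len(subs) >= churn_threshold:   # one domain, many one-off subdomains
            alerts.append({"client": None, "qtype": None, "qname": base,
                           "reasons": ["subdomain-churn"], "decoded": None})
    return alerts


# Constructed sample resolver log: (client, qtype, qname). c2-test.invalid is a
# placeholder domain; the hex payloads encode "root:hunter2" and "user=admin".
SAMPLE_QUERIES = [
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.5", "A", "1.4f1a2b3c.726f6f743a68756e74657232.ns1.c2-test.invalid"),
    ("10.0.0.5", "A", "2.4f1a2b3c.757365723d61646d696e.ns1.c2-test.invalid"),
    ("10.0.0.7", "TXT", "ns1.cintepol.link"),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_QUERIES, churn_threshold=2):
        print(a["qname"], a["reasons"], a["decoded"])
```

The structural decoder is the high-confidence signal; the entropy and churn heuristics are there because a variant only has to rename its labels to escape the exact pattern, and the thresholds will need tuning against your own resolver baseline (CDNs and some EDR agents legitimately generate long, high-entropy subdomains).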
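Added example (my own code, not from the write-up): host-side indicator checks for an LD_PRELOAD userland rootkit of this kind. The notes above record that Symbiote hooks execve to spot `LD_TRACE_LOADED_OBJECTS` and scrub itself from `ldd` output, so the check below diffs the kernel's own view in `/proc/PID/maps` against `ldd`-style output, flags shared objects mapped from outside the usual library directories or from deleted files, and looks for `LD_PRELOAD`/`/etc/ld.so.preload` entries and the process names the write-up lists. All `/proc`, `ldd` and `/etc/ld.so.preload` text is constructed; `/opt/.cache/libjavautils.so`, the PIDs and the "trusted directory" list are assumptions.

```python
"""Indicator checks for an LD_PRELOAD userland rootkit, run over constructed
/proc and /etc text so it executes offline. Added example, not from the write-up."""
import os
import re

# Process names the write-up lists for Symbiote components.
SUSPECT_PROCESS_NAMES = {"certbotx64", "certbotx86", "javautils",
                         "javaserverx64", "javaclientex64", "javanodex86"}
# Directories where a shared object is normally expected to live (assumption).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# addr perms offset dev inode [path]; the path is absent for anonymous mappings.
MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(\S.*)$")


def mapped_objects(maps_text):
    """Set of file-backed shared-object paths from /proc/PID/maps text."""
    objs = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m and ".so" in m.group(1):
            objs.add(m.group(1).strip())
    return objs


def ldd_objects(ldd_text):
    """Set of resolved paths from ldd(1)-style output."""
    objs = set()
    for line in ldd_text.splitlines():
        line = line.strip()
        if "=>" in line:                       # libc.so.6 => /usr/lib/.../libc.so.6 (0x...)
            target = line.split("=>", 1)[1].split("(", 1)[0].strip()
            if target:
                objs.add(target)
        elif line.startswith("/"):             # the dynamic linker line has no '=>'
            objs.add(line.split()[0])
    return objs


def hidden_from_ldd(maps_text, ldd_text):
    """Objects the kernel reports mapped that ldd did not list. A preloaded
    object that filters ldd output lands here. Paths are compared as written;
    normalise symlinked library names with os.path.realpath on a real host."""
    return mapped_objects(maps_text) - ldd_objects(ldd_text)


def suspicious_objects(paths):
    """Shared objects outside the trusted directories or backed by deleted files."""
    return {p for p in paths
            if p.endswith("(deleted)") or not p.startswith(TRUSTED_LIB_DIRS)}


def preload_indicators(ld_so_preload_text, environ_text):
    """Entries from /etc/ld.so.preload plus LD_PRELOAD from a NUL-separated
    /proc/PID/environ blob, as (source, path) pairs."""
    hits = [("ld.so.preload", entry) for entry in ld_so_preload_text.split()]
    for var in environ_text.split("\0"):
        if var.startswith("LD_PRELOAD="):
            for entry in re.split(r"[:\s]+", var[len("LD_PRELOAD="):]):
                if entry:
                    hits.append(("LD_PRELOAD", entry))
    return hits


def suspect_processes(comm_by_pid):
    """comm_by_pid: {pid: comm} as read from /proc/PID/comm."""
    return {pid: name for pid, name in comm_by_pid.items() if name in SUSPECT_PROCESS_NAMES}


# Constructed sample data (not captured from a real host).
SAMPLE_MAPS = """\
55d4c0a00000-55d4c0a01000 r-xp 00000000 08:01 131    /usr/bin/sleep
7f0c3a400000-7f0c3a5b0000 r-xp 00000000 08:01 262    /usr/lib/x86_64-linux-gnu/libc.so.6
7f0c3a600000-7f0c3a605000 r-xp 00000000 08:01 900    /opt/.cache/libjavautils.so
7f0c3a700000-7f0c3a72c000 r-xp 00000000 08:01 263    /lib64/ld-linux-x86-64.so.2
7f0c3a740000-7f0c3a742000 rw-p 00000000 00:00 0
7ffd2c1f0000-7ffd2c1f2000 r-xp 00000000 00:00 0      [vdso]
"""
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd2c1f0000)
\tlibc.so.6 => /usr/lib/x86_64-linux-gnu/libc.so.6 (0x00007f0c3a400000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f0c3a700000)
"""
SAMPLE_PRELOAD = "/opt/.cache/libjavautils.so\n"
SAMPLE_ENVIRON = "PATH=/usr/bin\0LD_PRELOAD=/opt/.cache/libjavautils.so\0HOME=/root\0"
SAMPLE_COMM = {1: "systemd", 4242: "certbotx64", 4300: "sshd"}

if __name__ == "__main__":
    print("hidden from ldd:", hidden_from_ldd(SAMPLE_MAPS, SAMPLE_LDD))
    print("preload:", preload_indicators(SAMPLE_PRELOAD, SAMPLE_ENVIRON))
    print("processes:", suspect_processes(SAMPLE_COMM))
    if os.path.exists("/proc/self/maps"):          # live check of this interpreter
        with open("/proc/self/maps") as f:
            print("live suspicious:", suspicious_objects(mapped_objects(f.read())))
```

Caveat a practitioner would want: LD_PRELOAD lands in every dynamically linked process, including the one running this script, and the notes record that the sample hooks `fopen`, `fopen64` and `read`. Python's `open()` goes through the `openat` syscall rather than stdio, which sidesteps an `fopen` hook, but a hooked `read` can still filter what comes back. Trustworthy results need a statically linked checker, a read-only live-forensics tool that bypasses libc, or inspection of the disk image from a clean system.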