Intezer security researchers Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed a new Linux malware, which has been given the name Symbiote, which they say is different from most others: it is not a standalone executable file. .
The mode of action of the malware is in fact quite particular: its purpose is to modify the environment variable LD_PRELOAD , used by the dynamic linker to load a library of shared objects. If done globally, it means that every process that will run on the machine will load the libraries indicated in the environment variable, including those of the Symbiote malware.
What is LD_PRELOAD for?
Using LD_PRELOAD allows you to do quite special and nice things . Normally, it contains a series of paths pointing to shared object files. They are files which are not directly executable but which contain within them definitions of functions or other and which can therefore be executed by other programs once loaded into memory.
If a program executable is compiled as "statically linked" all libraries are statically included within the executable, and the dynamic linker (which uses LD_PRELOAD) will not be invoked.
If, on the other hand, an executable is compiled as “dynamically linked”, it will be lighter, thus relying on the libraries provided by the environment in which it is run . Even a simple C program such as a hello world bases its operation on libc. For the uninitiated, the standard C library or libc is the standard library for the C programming language, as specified in the ISO C standard. Libc (whose file that is dynamically linked is lib.so) is the library that provides all basic C functions, for example those defined in stdio.h and stdlib.h such as printf, malloc, and so on.
The peculiarity is that all the libraries present in LD_PRELOAD are loaded before even libc.so. This then allows you to provide personal implementations of the functions exposed by the standard C library. A nice example could for example be to modify the writing functions to stdout / stderr and then modify the output by applying different colors.
Linux Malware: Rare But Dangerous
One of the positives of Linux is that it is “immune” to malware . The truth is that it is not immune by its nature, or rather, it is a highly secure operating system and it is also quite difficult to attack if configured and used well, but it is also true that cybercriminals have little interest in developing malware given the difficulty. application and the few "mainstream" users to use Linux. The game is not worth the candle then.
However, if developed, they can cause more damage . This is because Linux is widely used on most of the world's servers and corporate workstations. The Intezer and BlackBerry teams discovered Symbiote in November 2021 and it appears to have been written to target financial institutions in Latin America . Analysis of the Symbiote malware and its behavior suggest that it may have been developed in Brazil.
“Since he is extremely evasive, a Symbiote infection is likely to 'fly under the radar.' In our research, we have not found sufficient evidence to determine whether Symbiote is used in highly targeted or large attacks "
"Performing live forensic analysis on an infected machine may reveal nothing as all files, processes and network artifacts are hidden by the malware"
An example of a technique used to hide is the following. Among the main objectives of Symbiote we find that of opening backdoors on the system and therefore providing remote access to malicious people . This obviously causes malicious network traffic which could be easily identified using network traffic analysis software. On Linux, the analysis of transmitted / received packets is done thanks to the Berkeley Packet Filter. It is a direct interface to the Data-Link layer of the ISO / OSI stack and allows, among other things, to monitor all packets passing through this layer. What Symbiote does is replace the default functions and thus hide all malicious network packets.
The Symbiote article: The new hard-to-detect Linux malware was written at: Tech CuE | Close-up Engineering .