A new Linux malware that’s “nearly impossible to detect” can harvest credentials and gives attackers remote access and rootkit functionality by acting in a parasitic way to infect targets, researchers said.

Researchers from The BlackBerry Research and Intelligence Team have been tracking the malware, the earliest detection of which is from November 2021, security researcher Joakim Kennedy wrote in a blog post on the BlackBerry Threat Vector Blog published last week.

Researchers have appropriately dubbed the malware, which apparently was written to target the financial sector in Latin America, “Symbiote.” In biology, the word means an organism that lives in symbiosis with another organism.

The name is an homage to how the malware operates, which differs from other Linux malware that researchers have encountered, Kennedy explained.

“What makes Symbiote different … is that it needs to infect other running processes to inflict damage on infected machines,” he wrote. “Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine.”

Once Symbiote has infected all the running processes, a threat actor can engage in various nefarious activities, including rootkit functionality, the ability to harvest credentials, and remote access capability, Kennedy said.

In addition to the rootkit capability, the malware also provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges, he added.

Symbiote’s behavior isn’t the only thing that makes it unique, researchers said. It’s also highly evasive, to such a degree that it’s “likely to fly under the radar,” making it extremely difficult to know if it’s even being used by threat actors at all, he said.

One of its evasive tactics is that, by design, it is loaded by the linker via the LD_PRELOAD directive, which allows it to be loaded before any other shared objects, researchers found. This privilege of being loaded first allows it to hijack the imports from the other library files loaded for the application, they said.
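As an added example (not code from the BlackBerry write-up or this article), the Python below checks a single process for the preload mechanism described above: an LD_PRELOAD entry in its environment, an entry in /etc/ld.so.preload (the system-wide form of the same glibc mechanism), and shared objects mapped from outside the usual library directories. The /proc contents, the trusted-directory list and the sample paths are constructed assumptions.

```python
import re
from typing import List

# Directories from which shared objects are normally mapped; an object mapped
# from anywhere else (/tmp, /dev/shm, a home directory) deserves a closer look.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# /proc/<pid>/maps fields: address perms offset dev inode [path]
MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(\S+)$")

def preloaded_from_environ(environ: bytes) -> List[str]:
    """LD_PRELOAD entries of a process, parsed from its NUL-separated /proc/<pid>/environ."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]  # ld.so accepts ':' or ' '
    return []

def preloaded_from_ld_so_preload(text: str) -> List[str]:
    """Entries of /etc/ld.so.preload, the system-wide form of LD_PRELOAD (one path per line)."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            paths.append(line)
    return paths

def untrusted_mapped_objects(maps: str) -> List[str]:
    """Shared objects a process has mapped from outside the trusted library directories."""
    found: List[str] = []
    for line in maps.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue  # anonymous mapping or unparsable line
        path = m.group(1)
        is_so = path.endswith(".so") or ".so." in path
        if is_so and not path.startswith(TRUSTED_LIB_DIRS) and path not in found:
            found.append(path)
    return found

# Constructed sample input (not a real capture): a process whose environment preloads
# an object from /tmp, which therefore also appears in its memory map.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/libsample.so\0HOME=/root\0"
SAMPLE_MAPS = """\
55d1c0000000-55d1c0001000 r-xp 00000000 08:01 1234 /usr/sbin/sshd
7f0a00000000-7f0a00020000 r-xp 00000000 08:01 5678 /tmp/.cache/libsample.so
7f0a00100000-7f0a00300000 r-xp 00000000 08:01 9012 /usr/lib/x86_64-linux-gnu/libc.so.6
7f0a00400000-7f0a00401000 rw-p 00000000 00:00 0
"""
```

Because a preloaded rootkit can hook the libc calls that read /proc, run such a check from a statically linked tool or against a disk or memory image taken offline rather than trusting results gathered from inside the suspect host.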