Researchers from BlackBerry and Intezer have recently unraveled the Linux malware known as Symbiote. It has been extremely difficult to detect because, instead of running as a standalone executable, it is a shared object that is loaded into running processes and hooks the functions they call. The earliest known activity dates from November 2021, when it was used against the financial sector in Latin America with infrastructure impersonating Brazilian banks such as Banco do Brasil and Caixa. Credential harvesting is the malware's main objective, but it also provides a backdoor that lets the threat actor log in to the machine and run commands with the highest privileges. Among its evasion techniques is Berkeley Packet Filter (BPF) hooking, a technique the Equation Group has previously used for covert communication; Symbiote uses it to hide the malicious traffic it generates from packet-capture tools run on the infected machine. Symbiote has also been compared to Ebury, an OpenSSH backdoor documented in 2014.
Because Symbiote is so hard to detect, organizations need a layered defense rather than a single control. Since the malware operates as a userland rootkit that hooks every dynamically linked process on the host, host-based tools running on an infected machine may themselves be hooked and lied to, so detection should lean on evidence collected off the host: network telemetry can reveal the anomalous DNS requests the malware uses to exfiltrate captured credentials. Security tooling such as Anti-Virus (AV) and Endpoint Detection and Response (EDR) agents should be statically linked, because the LD_PRELOAD mechanism only affects dynamically linked executables and a statically linked agent cannot be hooked this way. File-name IOCs from the research are listed below:
"kerneldev.so.bkp": appears to be an early development build.
"mt64_.so": lacks credential exfiltration over DNS.
"search.so": first sample with credential exfiltration over DNS.
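The two detection points above (anomalous DNS requests seen in network telemetry, and the LD_PRELOAD hooking a statically linked agent sidesteps) can be checked with a small script. The following is an added example and is not code from the BlackBerry/Intezer research or from the malware itself. It assumes a simple "timestamp client qname qtype" query-log format, a constructed sample log that uses a reserved .invalid domain, and thresholds (16+ hex characters in a label, three distinct encoded subdomains per domain) chosen for illustration; the research describes captured credentials being hex-encoded and sent in DNS A record requests to an attacker-controlled domain, which is the pattern the query check looks for.

```python
"""Flag DNS queries whose leftmost labels look like encoded data (the shape
credential exfiltration over DNS produces) and list libraries injected through
the LD_PRELOAD mechanism a userland rootkit relies on.

Added example; not code from the Symbiote research. Log format, sample data
and thresholds are assumptions for illustration."""
import math
import re
from collections import defaultdict

# Constructed sample log (not captured traffic). Host 10.0.0.5 sends long
# hex labels to an attacker-style domain; the remaining lines are ordinary lookups.
SAMPLE_LOG = """\
1654000001 10.0.0.5 www.example.com A
1654000002 10.0.0.5 4a6f686e3a50617373773072643132.ns.exfil-example.invalid A
1654000003 10.0.0.5 726f6f743a746f7073656372657431.ns.exfil-example.invalid A
1654000004 10.0.0.5 61646d696e3a68756e74657232303233.ns.exfil-example.invalid A
1654000005 10.0.0.9 mail.example.com MX
1654000006 10.0.0.5 cdn.example.net A
"""

# A label of 16+ hex characters encodes at least 8 bytes: rarely a real hostname.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; ordinary hostnames sit around 2-3, encoded data higher."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels). A real deployment uses the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_log(text: str):
    """Yield (ts, client, qname, qtype) from the assumed 'ts client qname qtype' format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than fail the whole run
        ts, client, qname, qtype = parts
        yield int(ts), client, qname.lower().rstrip("."), qtype


def suspicious_queries(text: str, min_labels_per_domain: int = 3):
    """Return (client, name, reason) tuples: one per query with a hex-like or
    high-entropy leftmost label, plus one per (client, domain) pair that received
    at least min_labels_per_domain distinct such labels, which is what chunked
    exfiltration to a single attacker domain looks like in telemetry."""
    flagged = []
    per_domain = defaultdict(set)
    for _, client, qname, _ in parse_log(text):
        first = qname.split(".")[0]
        if HEX_LABEL.match(first) or (len(first) >= 20 and shannon_entropy(first) > 3.5):
            flagged.append((client, qname, "encoded-looking label"))
            per_domain[(client, registered_domain(qname))].add(first)
    for (client, dom), labels in per_domain.items():
        if len(labels) >= min_labels_per_domain:
            flagged.append((client, dom, f"{len(labels)} distinct encoded subdomains"))
    return flagged


def preload_libraries(ld_so_preload_text: str, environ: dict) -> list:
    """Libraries injected via /etc/ld.so.preload (pass the file's contents) or an
    LD_PRELOAD variable (pass a process environment). Any entry that is not a
    known, package-managed library deserves a look: this is how a userland
    rootkit gets its hooks into every dynamically linked process. Note that on an
    infected host a hooked `cat` or `ls` may hide these entries, so read them
    with a statically linked tool or from a trusted boot."""
    libs = [ln.strip() for ln in ld_so_preload_text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]
    libs += [p for p in environ.get("LD_PRELOAD", "").replace(":", " ").split() if p]
    return libs


if __name__ == "__main__":
    for client, name, reason in suspicious_queries(SAMPLE_LOG):
        print(f"{client}\t{name}\t{reason}")
    print(preload_libraries("# comment\n/usr/lib/libfoo.so\n", {"LD_PRELOAD": "/tmp/x.so"}))
```

On a production network the query source would be resolver or Zeek logs rather than an inline string, and the per-domain counting should run over a sliding window; the point of the per-domain check is that a single long label is weak evidence, but many distinct encoded labels under one domain from one client is the signature of chunked exfiltration. The `preload_libraries` check is only trustworthy when the inputs come from a statically linked reader, for the same reason the research recommends statically linked AV and EDR.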