Analysis of Symbiote Linux Malware Released by BlackBerry and Intezer

Researchers from BlackBerry and Intezer have recently published an analysis of the Linux malware known as Symbiote. The malware has been extremely difficult to detect: instead of running as a standalone executable, Symbiote infects processes that are already running. The most recent campaign involving Symbiote occurred in November 2021 and targeted banks in Latin America such as Banco do Brasil and Caixa. Capturing credentials is the malware's main objective, but it can also create backdoors that let threat actors access the machine and run high-privilege commands. One of the few evasion tactics Symbiote uses is Berkeley Packet Filter (BPF) hooking, a technique the Equation Group has previously used for covert communication; Symbiote uses it to hide the malicious traffic it generates on an infected machine. Another backdoor that has been compared to Symbiote is Ebury, which was seen back in 2014.


Because Symbiote is so difficult to detect, organizations need a layered defense to avoid infection. Anomalous DNS requests can be detected with network telemetry, and statically linked Anti-Virus (AV) and Endpoint Detection and Response (EDR) agents provide stronger protection against a possible infection. A list of the IOCs can be found below:

Hash (SHA-256)                                                      Notes
121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924    Appears to be an early development build.
f55af21f69a183fb8550ac60f392b05df14aa01d7ffe9f28bc48a118dc110b4c    Missing credential exfiltration over DNS.
ec67bbdf55d3679fca72d3c814186ff4646dd779a862999c82c6faa8e6615180    First sample with credential exfiltration over DNS.
a0cd554c35dee3fed3d1607dc18debd1296faaee29b5bd77ff83ab6956a6f9d6
45eacba032367db7f3b031e5d9df10b30d01664f24da6847322f6af1fd8e7f01    “certbotx64.” dnscat2
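The DNS-telemetry check mentioned above, as an added example that is not part of this write-up or of the BlackBerry/Intezer research: it scans a constructed DNS query log for long, high-entropy leading labels and for base domains that receive many distinct subdomains, two signals typical of credential exfiltration over DNS and of tools such as dnscat2. The log format, the domain names and the thresholds are assumptions made for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log for this example (timestamp client type qname);
# the names below are made up and are not indicators from the report.
SAMPLE_LOG = """\
2021-11-03T10:22:01Z 10.0.0.5 A www.example.com
2021-11-03T10:22:03Z 10.0.0.5 A 7a3f9c2e1b4d8f0a6c5e2d1b9f8a7c6e.tunnel.example.test
2021-11-03T10:22:04Z 10.0.0.5 A 0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e.tunnel.example.test
2021-11-03T10:22:05Z 10.0.0.5 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.tunnel.example.test
2021-11-03T10:22:09Z 10.0.0.7 A mail.example.com
2021-11-03T10:22:11Z 10.0.0.7 A cdn.static.example.net
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or hex data scores well above ordinary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_name(qname: str):
    """(subdomain labels, base domain); base = last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def find_suspicious_dns(log_text, min_label_len=24, min_entropy=3.5, min_unique=3):
    """Two signals of data tunnelled over DNS: long high-entropy leading labels,
    and a base domain that receives many distinct subdomains in the window."""
    per_base = defaultdict(set)
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, client, rtype, qname = m.groups()
        subs, base = split_name(qname)
        if not subs:
            continue  # bare apex query, nothing to tunnel data in
        per_base[base].add(subs[0])
        if len(subs[0]) >= min_label_len and shannon_entropy(subs[0]) >= min_entropy:
            flagged.append((ts, client, rtype, qname))
    noisy = {b for b, s in per_base.items() if len(s) >= min_unique}
    return flagged, noisy


if __name__ == "__main__":
    hits, domains = find_suspicious_dns(SAMPLE_LOG)
    print("suspicious queries:", hits)
    print("base domains with many distinct subdomains:", sorted(domains))
```

Thresholds should be tuned per environment: CDNs and some telemetry services legitimately use long random-looking labels, so these hits are triage candidates, not verdicts.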