Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat

Symbiote is a new Linux malware Intezer discovered that behaves parasitically, infecting other running processes to inflict damage on machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and so infects the machine from inside those processes. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability. In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password and to execute commands with the highest privileges. Since it is extremely evasive, a Symbiote infection is likely to “fly under the radar.”
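A defender-side check for the LD_PRELOAD loading technique described above, added here as an example and not taken from Intezer's analysis or from the malware itself: it parses each process's environment and the system-wide /etc/ld.so.preload file, then reports whether every listed object is actually mapped into the process. The `scan_live` helper assumes a Linux host with a readable /proc; the paths used in the sample data are constructed.

```python
# Inventory of LD_PRELOAD-style injection points (ATT&CK T1574.006):
# per-process LD_PRELOAD variables plus /etc/ld.so.preload, cross-checked
# against /proc/<pid>/maps to see whether the objects really got loaded.
import re
from pathlib import Path

LDSO_PRELOAD = Path("/etc/ld.so.preload")

def ld_preload_entries(environ_bytes: bytes) -> list[str]:
    """LD_PRELOAD objects from a NUL-separated /proc/<pid>/environ blob."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]  # ':' or space separated
    return []

def ld_so_preload_entries(text: str) -> list[str]:
    """Objects listed in /etc/ld.so.preload; '#' starts a comment."""
    return [obj for line in text.splitlines() for obj in line.split("#", 1)[0].split()]

def mapped_files(maps_text: str) -> set[str]:
    """Paths of files mapped into a process, from /proc/<pid>/maps (6th field)."""
    fields = (line.split(maxsplit=5) for line in maps_text.splitlines())
    return {f[5] for f in fields if len(f) == 6 and f[5].startswith("/")}

def assess_process(environ_bytes: bytes, maps_text: str, system_preload: list[str]) -> list[str]:
    """One finding per preloaded object, stating whether it is really mapped."""
    mapped = mapped_files(maps_text)
    sources = (("LD_PRELOAD", ld_preload_entries(environ_bytes)), (str(LDSO_PRELOAD), system_preload))
    return [f"{src}: {obj} ({'mapped' if obj in mapped else 'not mapped'})"
            for src, objs in sources for obj in objs]

def scan_live() -> dict[int, list[str]]:
    """Walk /proc on this host (Linux only; processes we cannot read are skipped)."""
    system_preload = ld_so_preload_entries(LDSO_PRELOAD.read_text()) if LDSO_PRELOAD.exists() else []
    results = {}
    for pid_dir in Path("/proc").glob("[0-9]*"):
        try:
            findings = assess_process((pid_dir / "environ").read_bytes(),
                                      (pid_dir / "maps").read_text(), system_preload)
        except OSError:
            continue
        if findings:
            results[int(pid_dir.name)] = findings
    return results

if __name__ == "__main__":
    for pid, findings in scan_live().items():
        print(pid, *findings, sep="\n  ")
```

Because a preloaded object can interpose on the libc calls the scanner itself uses to read /proc, run it from a statically linked interpreter or a trusted live image, and treat an empty result on a suspect host as inconclusive rather than clean.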
