A few months back, Intezer and BlackBerry researchers discovered a new, previously undetected Linux malware that behaves like a parasite, and they aptly named it Symbiote. What sets Symbiote apart from the Linux malware they usually encounter is that it has to infect other running processes in order to do any damage on an infected machine.
Instead of being a standalone executable that is run to infect a machine, Symbiote is a shared object (SO) library that the dynamic linker loads into every dynamically linked process started after it is installed, using LD_PRELOAD (MITRE ATT&CK T1574.006), and so it infects the machine parasitically. Once it is riding inside the running processes, it gives the threat actor rootkit functionality, the ability to harvest credentials, and remote access.
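Because a preloaded library leaves traces in three well-known places (`/etc/ld.so.preload`, the `LD_PRELOAD` variable in a process's environment, and the list of objects mapped into a process), a defender can hunt for this technique directly. The script below is an added example, not code from the original article or from the Intezer/BlackBerry research; the sample `ld.so.preload` contents, environment blob and `/proc/<pid>/maps` text are constructed for illustration, and the library names and paths in them (`libhook.so`, `/dev/shm/.x/`, `/tmp/evil.so`) are made up. The set of "trusted" library directories is an assumption you should adjust for your distribution.

```python
"""Hunt for LD_PRELOAD-style shared-object injection on a Linux host.

Three places a preloaded library leaves a trace:
  1. /etc/ld.so.preload                      (system-wide, every dynamically linked process)
  2. LD_PRELOAD in a process's environment   (/proc/<pid>/environ)
  3. the objects mapped into a process       (/proc/<pid>/maps)
"""
import os
import re

# Directories a distro's own shared objects live in; anything preloaded or
# mapped from elsewhere (/tmp, /dev/shm, a home directory, ...) deserves a look.
# Assumption: adjust this tuple to match the host's packaging layout.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
SO_RE = re.compile(r"\.so(\.\d+)*$")


def is_trusted_path(path):
    return path.startswith(TRUSTED_LIB_DIRS)


def preload_file_entries(text):
    """Entries of /etc/ld.so.preload: whitespace/newline separated, '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def preload_from_environ(environ_bytes):
    """LD_PRELOAD value from a NUL-separated /proc/<pid>/environ blob, or None."""
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def suspicious_mapped_objects(maps_text):
    """Shared objects in /proc/<pid>/maps that were loaded from outside TRUSTED_LIB_DIRS.

    A mapping whose backing file was unlinked after loading carries a ' (deleted)'
    suffix; it is kept in the result because that is itself a red flag.
    """
    found = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)          # addr perms offset dev inode path
        if len(parts) < 6:
            continue
        path = parts[5]
        bare = path[:-len(" (deleted)")] if path.endswith(" (deleted)") else path
        if not bare.startswith("/") or not SO_RE.search(bare):
            continue                          # anonymous mapping, [stack], or not a .so
        if not is_trusted_path(bare) and path not in found:
            found.append(path)
    return found


def scan_process(environ_bytes, maps_text):
    """Combine the per-process indicators into a list of (indicator, detail) tuples."""
    findings = []
    preload = preload_from_environ(environ_bytes)
    if preload is not None:
        findings.append(("LD_PRELOAD set", preload))
    for obj in suspicious_mapped_objects(maps_text):
        findings.append(("untrusted .so mapped", obj))
    return findings


def scan_live_system():
    """Walk /proc on the running host and print what the three checks turn up."""
    try:
        with open("/etc/ld.so.preload") as f:
            for entry in preload_file_entries(f.read()):
                flag = "" if is_trusted_path(entry) else "  <-- outside trusted lib dirs"
                print(f"/etc/ld.so.preload: {entry}{flag}")
    except FileNotFoundError:
        pass                                  # absent on a clean system
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                environ = f.read()
            with open(f"/proc/{pid}/maps") as f:
                maps = f.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue                          # process exited, or not ours to read
        for indicator, detail in scan_process(environ, maps):
            print(f"pid {pid}: {indicator}: {detail}")


# Constructed sample data (not captured from a real infection) so the checks can be
# exercised offline; the library names and paths below are made up for illustration.
SAMPLE_PRELOAD_FILE = "# constructed sample\n/usr/local/lib/libfoo.so\n/dev/shm/.x/libhook.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/dev/shm/.x/libhook.so\0HOME=/root\0"
SAMPLE_MAPS = """\
55d1c8e00000-55d1c8e21000 r--p 00000000 fd:01 1234 /usr/bin/sshd
7f2a1c000000-7f2a1c1a0000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a1c400000-7f2a1c410000 r-xp 00000000 00:19 42 /dev/shm/.x/libhook.so
7f2a1c600000-7f2a1c601000 rw-p 00000000 00:00 0 [stack]
7f2a1c700000-7f2a1c710000 r-xp 00000000 fd:01 99 /tmp/evil.so (deleted)
"""

if __name__ == "__main__":
    for indicator, detail in scan_process(SAMPLE_ENVIRON, SAMPLE_MAPS):
        print(f"sample: {indicator}: {detail}")
    scan_live_system()
```

One caveat a practitioner should keep in mind: an LD_PRELOAD rootkit of this kind hooks the libc functions that the scanner itself uses to read `/proc` and open files, so running the check from inside the suspect system may return sanitized results. Run it from a statically linked binary, from a clean live-boot environment against the mounted disk, or compare its output with what a network-side or hypervisor-side view shows.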
Symbiote also goes to some lengths to hide itself from the user. When it was first discovered, it used a simple technique: starting only after the boot process was complete. This made it easy to spot, because it always set its own nice value to -15 instead of the default of 0 that ordinary Linux programs run with. (Note that on Linux a lower nice value means a higher scheduling priority, not a lower one, and the nice value has no effect on the order in which programs are started; what gave the malware away was simply that a non-default nice value stands out in a process listing.)
Though this initially worked in the favour of researchers and defenders, past versions of Symbiote ran into trouble of their own. The dynamic loader (not the kernel, which plays no part in loading shared objects) reported an error for the shared object it depends on:
"We can't load a shared object module."
After some research, the attackers determined that the error was caused by a bad COINIT environment variable, though that alone did not get them far. Symbiote ships its own COINIT environment variable in a .conf file that also holds the rest of its configuration, which makes the file difficult to analyze without prior knowledge of what Symbiote does and why.
The attackers eventually corrected their mistake, but in a way that was unintuitive to researchers. The recently discovered version of Symbiote no longer adjusts its priority; instead it skips the COINIT environment variable entirely and runs a pair of bash scripts, hdn-start and hdn-stop, which start and stop the hdn (hard drive) driver respectively.
Even after this issue was fixed in the newer versions of Symbiote, researchers still had trouble tracking down the real threat actor, which led them to investigate further into why the malware runs these bash scripts through crontab.