[MART] - Daily Diary #529 - Meet Symbiote - A Linux Rootkit

CTAS-MAT ctas-mat at appgate.com
Fri Jun 10 20:46:23 UTC 2022

I hope everyone is doing well!

Below is the entry for today.

06/10/2022 - Diary entry #529

Recently published reports disclosed new malware that targets Linux systems. Named Symbiote, for its ability to hide within running processes and network traffic, it mostly targets financial entities in Latin America, including banks such as Banco do Brasil and Caixa.

Symbiote was first analyzed by our team last year, after we received a sample with the same IOCs present in the articles. Upon execution with the correct privileges, the rootkit hooks internal Linux functions to hide itself and the URLs it contacts. The malware's capabilities include remote code execution through DNS tunneling, credential exfiltration by hooking the Linux PAM API, and keylogging of SSH connections. All of the malware's communication is done through DNS tunneling to a custom domain registered to mimic financial institutions, indicating that the sample was created for a targeted attack. Stolen credentials are encrypted with RC4 using an embedded key and then written to a local file. Next, the data is hex encoded and split into chunks that are exfiltrated via DNS A (address) record requests to a domain name controlled by the attackers.

Because Symbiote tunnels its network communication through DNS, an infected machine will only show connections to its regular DNS server, and only that DNS server will reach the malicious domain. Therefore, simply blocking the domain in the firewall is not effective, as no direct connection to it is ever made. Additionally, Symbiote's rootkit capabilities allow the malware to stay hidden on the system, hooking Linux internal functions to conceal itself from network traffic analysis tools, process viewers and file listings.

Kind Regards,
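A defender-side illustration of the point made in the entry above (added here; it is not part of the diary entry or of Appgate's tooling): since an infected host only ever talks to its recursive resolver, the place to look for the chunked, hex-encoded exfiltration is the resolver's query log rather than the host's firewall. The log format, the "c2-placeholder.example" domain and the sample lines are constructed assumptions, and the last-two-labels parent-domain rule is a deliberate simplification.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (not from the page or any real capture).
# Assumed format: "<timestamp> <client> <qname> <qtype>", one query per line.
SAMPLE_LOG = """\
2022-06-10T12:00:01 10.0.0.5 www.example.com A
2022-06-10T12:00:02 10.0.0.5 4a6f686e3a7061737377.c2-placeholder.example A
2022-06-10T12:00:02 10.0.0.5 6f72643132333400aabb.c2-placeholder.example A
2022-06-10T12:00:03 10.0.0.5 a1b2.cdn.example.com A
2022-06-10T12:00:03 10.0.0.7 mail.example.com MX
2022-06-10T12:00:04 10.0.0.5 ccdd0011223344556677.c2-placeholder.example A
2022-06-10T12:00:05 10.0.0.5 8899aabbccddeeff0011.c2-placeholder.example A
"""

# A leftmost label of 16+ hex characters has the shape of a hex-encoded chunk.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")

def parse_line(line):
    ts, client, qname, qtype = line.split()
    return ts, client, qname.rstrip(".").lower(), qtype.upper()

def registered_domain(qname):
    # Simplification: the last two labels are the attacker-controlled parent.
    # A production detector should consult a public-suffix list instead.
    return ".".join(qname.split(".")[-2:])

def find_tunnel_candidates(log_text, min_chunks=3):
    """Return parent domains that received at least `min_chunks` distinct A
    queries whose leftmost label is a long hex string, with the clients that
    issued them and the number of bytes those labels would decode to."""
    chunks = defaultdict(set)   # parent domain -> distinct hex labels seen
    clients = defaultdict(set)  # parent domain -> querying client addresses
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname, qtype = parse_line(line)
        labels = qname.split(".")
        # Only A queries carrying a long hex subdomain label are candidate chunks.
        if qtype != "A" or len(labels) < 3 or not HEX_LABEL.match(labels[0]):
            continue
        parent = registered_domain(qname)
        chunks[parent].add(labels[0])
        clients[parent].add(client)
    return {
        parent: {"chunks": len(hexes), "clients": sorted(clients[parent]),
                 "decoded_bytes": sum(len(h) // 2 for h in hexes)}
        for parent, hexes in chunks.items() if len(hexes) >= min_chunks
    }
```

The flagged parent domain and the client set point at the host to examine; the rootkit's hooks hide the traffic on the host itself, which is why the evidence has to come from the resolver.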