SoylentNews is people
SoylentNews
from the nearly-impossible-is-slightly-possible dept.
Linux Malware Deemed 'Nearly Impossible' to Detect:
Symbiote, discovered in November, parasitically infects running processes so it can steal credentials, gain rootlkit[sic] functionality and install a backdoor for remote access.
A new Linux malware that's "nearly impossible to detect" can harvest credentials and gives attackers remote access and rootkit functionality by acting in a parasitic way to infect targets, researchers said.
Researchers from The BlackBerry Research and Intelligence Team have been tracking the malware, the earliest detection of which is from November 2021, security researcher Joakim Kennedy wrote in a blog post on the BlackBerry Threat Vector Blog published last week.
Researchers have appropriately dubbed the malware—which apparently was written to target the financial sector in Latin America—"Symbiote." In biology, the word means an organism that lives in symbiosis with another organism.
"What makes Symbiote different ... is that it needs to infect other running processes to inflict damage on infected machines," he wrote. "Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine."
Once Symbiote has infected all the running processes, a threat actor can engage in various nefarious activity, including rootkit functionality, the ability to harvest credentials, and remote access capability, Kennedy said.
In addition to the rootkit capability, the malware also provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges, he added.
[...] Some evasive tactics it uses is that by design, it is loaded by the linker via the LD_PRELOAD directive, which allows it to be loaded before any other shared objects, researchers found. This privilege of being loaded first allows it to hijack the imports from the other library files loaded for the application, they said. In this way, it hide its presence on the machine by hooking libc and libpcap functions, Kennedy said.
"Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect," he explained. "Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware."
In fact, researchers said they themselves could not uncover enough evidence to determine whether threat actors are currently using Symbiote " in highly targeted or broad attacks," he said.
Unusual DNS requests may be one way to detect if the malware is present on a system, researchers noted. However, typical antivirus or other security tools aimed at endpoint detection and response won't pick up Symbiote, making organizations using Linux that rely on those protections at risk, they said.
(Score: -1, Spam) by Anonymous Coward on Thursday June 16 2022, @12:16AM
0.0.0.0 caixa.wf
0.0.0.0 git.bancodobrasil.dev
0.0.0.0 bancodobrasil.dev
0.0.0.0 ns1.cintepol.link
0.0.0.0 ns2.cintepol.link
0.0.0.0 cintepol.link
0.0.0.0 assets.fans
0.0.0.0 caixa.cx
0.0.0.0 dpf.fm
0.0.0.0 dev21.bancodobrasil.dev
0.0.0.0 bancodobrasil.dev
0.0.0.0 cctdcapllx0520.df.caixa.cx
0.0.0.0 cctdcapllx0520.df.caixa.wf
0.0.0.0 webfirewall.caixa.wf
0.0.0.0 x3206.caixa.cx
(Those are C2 servers etc. it uses & the entries in hosts you can use to stall symbiote on Linux)
Additionally - I'd like to thank bradley13 above for the SECURITY ARTICLE I used to get those C&C servers from that Symbiote uses - these types of articles ARE what I referred to the other day regarding addons being crippled by JEWgle etc. AND how hosts are FAR BETTER & that you will end up returning to using hosts files due to JEWgle's bullshit (+ YES, hosts files &/or Firewall rules are invaluable IF you want to REALLY PROTECT YOUR MACHINES from threats online!)
* That's RIGHT - AND just like I pointed out a HUGE ADVANTAGE hosts files have over your soon to be useless adblocker addons for browsers (in slower less efficient usermode - with tests that PROVE that too) right-off-the-bat @ the START of my post you ASSHOLES here allowed to be DOWNMODERATED a few days ago here https://soylentnews.org/comments.pl?noupdate=1&sid=49747&page=1&cid=1252547#commentwrap [soylentnews.org] ?
So what did I point out hosts files do there besides everything browser addons do blocking ads BUT ALSO blocking malware/trackers/scripts/ads & more in their communications back to the invaders??
The FACT that GOOD complete hosts files (like mine, 10 million entries strong to date since 1997) BLOCK & NULLIFY communication to malware C&C servers (C2) or sources of them coming INTO your system along with blocking other threats like trackers/ads/scripts that also tear up your CPU time, memory, messagepassing AND ELECTRICITY BILL just running them (something MANY overlook - since in the "olden days" you had ISAPI/NSAPI libs or C programs running server-side to do that - the 'powers that be' SUCKERED You THAT WAY too).
Browser addons do NOT do that & though uBlock uses hosts? I doubt THEIR LISTS cover these things (as most hosts files don't & are concerned MOSTLY with just adblocking) - my hosts file does due to the FACT I look over security articles everyday for the purpose of defense vs. threats like THIS ONE & tons of others.
Going to "downmod this" too, assholes? I bet you will... fuck you all.
APK
P.S.=> Others here did a few good posts too pointing out proc scannings & that this is basically NT type DLL injection via PRELOAD noted above by many - SO - they are NOT the ASSHOLES I refer to above that INFEST THIS PLACE truly INFECTING IT with sockpuppetry & bogus downmods like I got the other day in the link above & TONS of others times!
Other than those doing what I noted above? Hey, admit it TO YOURSELVES:
What a pack of FUCKING UTTER WEASELS you have around here!
(ESPECIALLY including your owners & moderators who block my IP address & say my "hosts posts are bad" OR "spam" when they are TOTALLY USEFUL on TONS of levels - fuck you pricks)... apk