Other Detection-Evasion Methods
In another stealthy technique, the malware is loaded by the dynamic linker via the LD_PRELOAD mechanism as a shared object library, rather than running as a standalone executable that is launched to infect a machine.
“This allows it to be loaded before any other shared objects,” said Kennedy. “Since it is loaded first, it can ‘hijack the imports’ from the other library files loaded for the application. Symbiote uses this to hide its presence on the machine by hooking libc and libpcap functions.”
The malware can harvest credentials by hooking the libc read function; the captured credentials are both stored locally and exfiltrated. Attackers can also gain remote access to the machine through Symbiote.
“Remote access to the infected machine is achieved by hooking a few Linux Pluggable Authentication Module (PAM) functions,” said researchers. “When a service tries to use PAM to authenticate a user, the malware checks the provided password against a hardcoded password. If the password provided is a match, the hooked function returns a success response. Since the hooks are in PAM, it allows the threat actor to authenticate to the machine with any service that uses PAM.”
Researchers first uncovered the malware in November 2021, and said it appears to be targeting the financial sector in Latin America. They haven’t found enough evidence to determine whether the malware is being used in highly targeted or broad attacks. It’s also not clear how attackers are initially deploying the malware against victims. However, the malware’s stealth makes it particularly difficult for defenders to root out, warned researchers.
“Network telemetry can be used to detect anomalous DNS requests, and security tools such as antivirus and endpoint detection and response (EDR) should be statically linked to ensure they are not ‘infected’ by userland rootkits,” said researchers.
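Two of the defender-side points above lend themselves to a concrete check: a userland rootkit loaded via LD_PRELOAD can only hook a process that goes through the dynamic loader, so a statically linked security tool is out of its reach, and the preload mechanism itself leaves configuration traces on the host (the LD_PRELOAD environment variable and the /etc/ld.so.preload file). The script below is an added example, not code from the original article or from the researchers; it parses ELF64 program headers to tell whether a binary depends on the dynamic loader (a PT_INTERP entry) and reports any configured preload libraries. The constructed ELF images it tests against are minimal headers built inline, not real binaries, and the function names are this example's own.

```python
"""Added example: audit (1) whether a security tool's binary is statically
linked, and (2) whether any preload library is configured on the host."""
import os
import struct
import sys
from typing import Dict, List

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
PT_DYNAMIC = 2   # dynamic section present (also seen in static-pie binaries)
PT_INTERP = 3    # names the dynamic loader; its presence means ld.so runs


def program_header_types(data: bytes) -> List[int]:
    """Return the p_type of every program header in an ELF64 image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64:
        raise ValueError("this example handles ELF64 only")
    endian = "<" if data[5] == 1 else ">"
    e_phoff = struct.unpack_from(endian + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    types = []
    for i in range(e_phnum):
        offset = e_phoff + i * e_phentsize
        types.append(struct.unpack_from(endian + "I", data, offset)[0])
    return types


def is_statically_linked(data: bytes) -> bool:
    """True when no PT_INTERP segment exists: the kernel maps the binary
    directly and ld.so (the component that honours LD_PRELOAD) never runs.
    A static-pie binary carries PT_DYNAMIC but no PT_INTERP, so only the
    interpreter entry is decisive here."""
    return PT_INTERP not in program_header_types(data)


def preload_findings(env: Dict[str, str], ld_so_preload_text: str) -> List[str]:
    """Report preload libraries configured through the environment or
    through /etc/ld.so.preload (a whitespace-separated list of objects)."""
    findings = []
    if env.get("LD_PRELOAD"):
        findings.append("LD_PRELOAD set in environment: " + env["LD_PRELOAD"])
    for path in ld_so_preload_text.split():
        findings.append("/etc/ld.so.preload lists " + path)
    return findings


def build_elf64(phdr_types: List[int]) -> bytes:
    """Constructed test input: a little-endian x86-64 ELF header followed by
    one zeroed program header per requested type. Not a loadable binary."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1]) + bytes(9)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0x400000,
                       64, 0, 0, 64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return ehdr + phdrs


def main(argv: List[str]) -> int:
    # Usage: python audit.py /path/to/edr-agent [/path/to/other-tool ...]
    preload_text = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            preload_text = fh.read()
    for finding in preload_findings(dict(os.environ), preload_text):
        print("PRELOAD:", finding)
    for path in argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        verdict = "static" if is_statically_linked(data) else "dynamic (LD_PRELOAD-injectable)"
        print(f"{path}: {verdict}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the paths of installed agents to confirm they really are statically linked; a "dynamic" verdict on a security tool, or any line in /etc/ld.so.preload that the host's configuration management does not account for, is worth investigating. The ELF check reads headers only, so it is safe to point at any file.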