[dba-Tech] Symbiote malware uses Berkeley Packet Filter to hide itself from detection on Linux

[John Bartow]

I thought this was an "innovative" use of a packet filter. This is new enough I am certain there is nothing to patch, yet. 

"In a new joint research endeavor by https://www.intezer.com/ and the https://blogs.blackberry.com/en, we discovered a new undiscovered malware that operates as a symbiote affecting Linux® operating systems, hiding itself within running processes, so an attacker can steal a victim's resources."

"The main objective of this malware we call "Symbiote" is to capture credentials and to facilitate backdoor access to a victim's machine. Since the malware has so many ways to hide itself, including rootkit functionality, detecting an infection can be difficult. But Symbiote has even greater functionality in its bag of tricks."

"When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured. In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn't want the packet-capturing software to see."

"Domain names used by the malware indicates the threat actors are currently impersonating Brazilian banks, which suggests that these banks or their customers are potential targets. "

https://www.intezer.com/blog/research/new-linux-threat-symbiote/

John B