Symbiote: Linux malware that uses eBPF and LD_PRELOAD to hide itself

Researchers from Intezer and BlackBerry have discovered malware, codenamed Symbiote, used to plant backdoors and rootkits on compromised Linux servers. The malware was identified on systems of financial institutions in several Latin American countries. To install Symbiote on a target system the attacker must already have root access, obtained for example by exploiting unpatched vulnerabilities or through leaked credentials. Symbiote lets the attacker keep a foothold in the system after the break-in for further attacks, hide the activity of other malware, and intercept confidential data.

A distinguishing feature of Symbiote is that it is distributed as a shared library which is loaded at the start of every process via the LD_PRELOAD mechanism and replaces some calls of the standard C library. The substituted call handlers hide activity related to the backdoor: for example, they exclude individual entries from the process list, block access to certain files in /proc, hide certain files in directories, exclude the malicious shared library from ldd output (by intercepting the execve function and analysing calls made with the LD_TRACE_LOADED_OBJECTS environment variable set), and do not show the network sockets associated with the malicious activity.

To defeat traffic inspection, it substitutes libpcap library functions, filters reads of /proc/net/tcp, and loads into the kernel an eBPF program that interferes with traffic analyzers and discards third-party requests to its own network handlers.
The eBPF program is installed among the first handlers and runs at the lowest level of the network stack, which lets it hide the backdoor's network activity even from handlers attached later.

Symbiote also lets the attacker bypass some file-system activity monitors, because confidential data is stolen not at the level of opening files but by intercepting read operations on those files inside legitimate applications (for example, the substituted library functions can capture a password entered by the user or an access key being loaded from a file). For remote access, Symbiote intercepts some PAM (Pluggable Authentication Module) calls, which lets the attacker connect to the system over SSH with specific attacker-controlled credentials. There is also a hidden capability to escalate privileges to root by setting the HTTP_SETTHIS environment variable.
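The hiding techniques described above all rely on lying to user-space callers while the kernel still keeps the truth in /proc. A defender's heuristic is therefore to compare views that a preloaded library must falsify independently: the process's own memory map, the output of ldd, the contents of /etc/ld.so.preload, and the environment of running processes (LD_PRELOAD, and on this page the HTTP_SETTHIS trigger variable). The following is an added example written for this article, not code from the researchers or the malware; all inputs are constructed, and the library name libhidden_example.so is a placeholder rather than a real indicator of compromise.

```python
"""Cross-check a process's loaded shared objects against `ldd` and the preload
configuration.

A library that is hidden from `ldd` by intercepting execve() and checking
LD_TRACE_LOADED_OBJECTS still has to appear in the kernel-maintained
/proc/<pid>/maps (unless reads of that file are filtered as well).  Disagreement
between the two views is the detection signal demonstrated here.

All sample data is constructed for this example; libhidden_example.so is a
placeholder name, not a real indicator.
"""
import os
from typing import Dict, List, Set

# Constructed /proc/<pid>/maps excerpt for a hypothetical sshd process.
SAMPLE_MAPS = """\
55d0c3a00000-55d0c3a1e000 r--p 00000000 08:01 1311 /usr/sbin/sshd
7f2a1c000000-7f2a1c028000 r--p 00000000 08:01 3940 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a1c028000-7f2a1c1bd000 r-xp 00028000 08:01 3940 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a1c300000-7f2a1c305000 r--p 00000000 08:01 7201 /usr/lib/libhidden_example.so
7f2a1c400000-7f2a1c402000 r--p 00000000 08:01 3921 /usr/lib/x86_64-linux-gnu/libdl.so.2
7f2a1c500000-7f2a1c502000 r--p 00000000 08:01 3955 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd2b1e0000-7ffd2b1e2000 r-xp 00000000 00:00 0 [vdso]
"""

# Constructed `ldd /usr/sbin/sshd` output from which the preloaded library is missing.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd2b1e0000)
\tlibc.so.6 => /usr/lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a1c000000)
\tlibdl.so.2 => /usr/lib/x86_64-linux-gnu/libdl.so.2 (0x00007f2a1c400000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f2a1c500000)
"""

# Constructed /proc/<pid>/environ blob (NUL-separated KEY=VALUE pairs).
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/usr/lib/libhidden_example.so\0HOME=/root\0"

# Environment variables worth flagging: LD_PRELOAD drives the hooking itself,
# HTTP_SETTHIS is the privilege-escalation trigger named in the article.
WATCHED_ENV = ("LD_PRELOAD", "HTTP_SETTHIS")


def mapped_shared_objects(maps_text: str) -> Set[str]:
    """Return file-backed .so paths from /proc/<pid>/maps content."""
    found: Set[str] = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5]
        if path.startswith("/") and ".so" in os.path.basename(path):
            found.add(path)
    return found


def ldd_shared_objects(ldd_text: str) -> Set[str]:
    """Return resolved library paths from `ldd` output (vdso has no path and is skipped)."""
    found: Set[str] = set()
    for line in ldd_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # "libc.so.6 => /path/libc.so.6 (addr)" or "/lib64/ld-linux-x86-64.so.2 (addr)"
        target = line.split("=>", 1)[1].split()[0] if "=>" in line else line.split()[0]
        if target.startswith("/"):
            found.add(target)
    return found


def hidden_from_ldd(maps_text: str, ldd_text: str) -> List[str]:
    """Libraries mapped into the process but absent from ldd output.

    Comparison is by basename so that /lib64 vs /usr/lib symlink differences
    do not produce false alarms.
    """
    ldd_names = {os.path.basename(p) for p in ldd_shared_objects(ldd_text)}
    return sorted(p for p in mapped_shared_objects(maps_text)
                  if os.path.basename(p) not in ldd_names)


def preload_entries(preload_text: str) -> List[str]:
    """Parse /etc/ld.so.preload: whitespace-separated library paths, '#' starts a comment.

    On a clean system the file is normally absent or empty, so any entry deserves review.
    """
    entries: List[str] = []
    for line in preload_text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def watched_environment(environ_blob: bytes) -> Dict[str, str]:
    """Return the watched variables present in a /proc/<pid>/environ blob."""
    result: Dict[str, str] = {}
    for item in environ_blob.split(b"\0"):
        if b"=" not in item:
            continue
        key, value = item.decode("utf-8", "replace").split("=", 1)
        if key in WATCHED_ENV:
            result[key] = value
    return result


if __name__ == "__main__":
    print("mapped but hidden from ldd:", hidden_from_ldd(SAMPLE_MAPS, SAMPLE_LDD))
    print("ld.so.preload entries:", preload_entries("/usr/lib/libhidden_example.so\n"))
    print("watched env vars:", watched_environment(SAMPLE_ENVIRON))
```

On a live host the same functions would be fed `open("/proc/<pid>/maps").read()`, the captured output of `ldd`, and `/etc/ld.so.preload`; bear in mind that a hooked libc can also filter those reads, so the most trustworthy comparison comes from a statically linked tool or from offline analysis of a disk image, with the live output serving as the view to be contradicted.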

Source: media reports.