BlackBerry ThreatVector Blog

Threat Flash: A New Linux Threat Identified—Symbiote

In pop culture, a symbiote often gives a host superhuman ability (and occasionally also hilarious inner monologue). But in real life, parasitic symbionts can drain a host to the brink of death without the host even being aware. In a new joint research endeavor by Intezer and the BlackBerry Research & Intelligence Team, we identified previously undocumented malware that operates as a symbiote affecting Linux® operating systems, hiding itself within running processes and covering its network traffic, so an attacker can steal a victim’s resources.

The full blog, “Symbiote: a New, Nearly-Impossible-to-Detect Linux Threat,” explores this threat in depth. Read the report here.



Digital Symbiosis

The main objective of this malware we call “Symbiote” is to capture credentials and to facilitate backdoor access to a victim’s machine. Since the malware has so many ways to hide itself, including rootkit functionality, detecting an infection can be difficult. But Symbiote has even greater functionality in its bag of tricks.

What makes Symbiote different from other Linux malware is its ability to infect running processes, rather than using a standalone executable file to inflict damage. Once the threat has thoroughly insinuated itself into a victim’s machine, it enables rootkit functionality to further hide evidence of its presence.

Hiding Its Network Traffic

This threat doesn’t just hide its presence on the file system; it also hides its network traffic by using Berkeley Packet Filter (BPF) hooking functionality.

How this technique works: When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured. In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see.
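As an added defender-side example (not code from the BlackBerry or Intezer report), the check below compares the classic BPF program a capture tool asked for with the program actually attached to its socket and reports any instructions that were prepended in front of it. Both programs are constructed here, and the prefix is a hypothetical illustration rather than Symbiote's real bytecode; in practice the installed program would be read back from the capture socket (Linux exposes the attached classic program through the SO_GET_FILTER socket option).

```python
"""Added example: detect extra classic-BPF instructions prepended to a capture filter."""
import struct

# struct sock_filter (linux/filter.h): u16 code, u8 jt, u8 jf, u32 k; native byte order
INSN = struct.Struct("=HBBI")
BPF_SIZE = {0x00: "", 0x08: "h", 0x10: "b"}   # BPF_W / BPF_H / BPF_B

def insn(code, jt, jf, k):
    return INSN.pack(code, jt, jf, k)

def decode(program: bytes):
    if len(program) % INSN.size:
        raise ValueError("a classic BPF program is a whole number of 8-byte instructions")
    return [INSN.unpack_from(program, off) for off in range(0, len(program), INSN.size)]

def disasm(code, jt, jf, k):
    """Render the few opcodes a capture filter typically uses, in tcpdump -d style."""
    cls = code & 0x07
    if cls == 0x00 and code & 0xE0 == 0x20:              # BPF_LD | BPF_ABS: ld/ldh/ldb [k]
        return f"ld{BPF_SIZE.get(code & 0x18, '?')} [{k}]"
    if cls == 0x05 and code & 0xF0 == 0x10:              # BPF_JMP | BPF_JEQ (relative targets)
        return f"jeq #{k:#x} jt {jt} jf {jf}"
    if cls == 0x06:                                      # BPF_RET: accept k bytes (0 = drop)
        return f"ret #{k}" if code & 0x18 == 0 else "ret a"
    return f"op {code:#06x} jt {jt} jf {jf} k {k:#x}"

def audit_filter(requested: bytes, installed: bytes):
    """Compare the program a capture tool asked for with the one actually attached.

    Classic BPF jumps are relative, so code prepended to a program leaves the original
    bytes intact as a suffix. Returns ("clean", []), ("prepended", [extra instructions])
    or ("modified", []) when the requested program is not even present verbatim."""
    if installed == requested:
        return "clean", []
    if not installed.endswith(requested):
        return "modified", []
    extra = decode(installed[: len(installed) - len(requested)])
    return "prepended", [disasm(*i) for i in extra]

# Constructed sample: what `tcpdump -d ip` compiles to (ldh [12]; jeq #0x800; ret; ret)
REQUESTED = b"".join([insn(0x28, 0, 0, 12), insn(0x15, 0, 1, 0x800),
                      insn(0x06, 0, 0, 262144), insn(0x06, 0, 0, 0)])
# Constructed, hypothetical prefix (not Symbiote's real bytecode): drop packets whose
# 16-bit field at offset 36 (TCP destination port on plain IPv4 over Ethernet) is 1337
PREFIX = b"".join([insn(0x28, 0, 0, 36), insn(0x15, 0, 1, 1337), insn(0x06, 0, 0, 0)])
INSTALLED = PREFIX + REQUESTED
# audit_filter(REQUESTED, INSTALLED) -> ('prepended', ['ldh [36]', 'jeq #0x539 jt 0 jf 1', 'ret #0'])
```

Because Symbiote hides inside running processes, read the attached program from a separate, freshly started process rather than from within the capture tool being checked.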

Seeking Extraordinary Rewards

You might wonder what kind of target would warrant such a robust feature set. When the first samples of Symbiote were found in early 2022, it appeared they were targeting the financial sector in Latin America. Domain names used by the malware indicated the threat actors were impersonating Brazilian banks, which suggests that these banks or their customers were potential targets.

In addition to providing the threat actor with the ability to remotely access victim machines, this malware also allows the attacker to perform automatic credential harvesting.

Symbiote is one of the most sophisticated Linux threats we’ve seen in recent times, but trends we’ve observed in the current threat landscape suggest it won’t be the last. As attackers increasingly focus their attention on cloud servers and workloads, we anticipate seeing Linux threats on the rise. The global BlackBerry Threat Research & Intelligence Team, along with partners like Intezer, will continue identifying, analyzing, and reporting threats such as Symbiote, as well as contributing to building the countermeasures needed to mitigate their impact.

Read the full report here.

About Intezer Labs

Keep noise, false positives, and alerts from overwhelming your team. Intezer helps security teams close skill gaps and move faster by automating processes for alert triage, incident response, and threat hunting. Empower your team with technology that simulates the knowledge and decision-making process of experienced threat analysts and reverse engineers. With Intezer’s powerful platform, both new and experienced analysts can quickly identify malware families and extract artifacts for detection and hunting. Follow us at @intezerlabs or read more at www.intezer.com.


About Ismael Valenzuela

Ismael Valenzuela is Vice President of Threat Research & Intelligence at BlackBerry, where he leads threat research, intelligence, and defensive innovation. Ismael has participated as a security professional in numerous projects across the globe for more than 20 years, including founding one of the first IT security consultancies in Spain.

As a top cybersecurity expert with a strong technical background and deep knowledge of penetration testing, security architectures, intrusion detection, and computer forensics, Ismael has provided security consultancy, advice, and guidance to large government and private organizations, including major EU Institutions and US Government Agencies.

He holds many professional certifications, including the highly regarded GIAC Security Expert (GSE #132) in addition to GREM, GCFA, GCIA, GCIH, GPEN, GCUX, GCWN, GWAPT, GSNA, GMON, CISSP, ITIL, CISM, and IRCA 27001 Lead Auditor from Bureau Veritas UK.