Yet Another Malware is Plaguing Linux Systems

Linux systems have been found to be vulnerable to another malware, dubbed Symbiote.

BlackBerry and Intezer Labs have detailed a new Linux malware, dubbed Symbiote, that uses the Berkeley Packet Filter (BPF) hooking functionality to sniff data packets and to hide its communication channels from security scanners.

What’s unique about Symbiote is that it doesn't use a traditional executable binary, but rather a shared object library that gets loaded into running processes by way of the LD_PRELOAD environment variable. Because Symbiote is the first library to load in each process, it can hook both libc and libpcap functions to perform several actions, such as hiding its own processes and hiding the various files deployed with the malware. Once injected, Symbiote can choose which results are displayed. According to the researchers, “If an administrator starts a packet capture on the infected machine to investigate some suspicious network traffic, Symbiote will inject itself into the inspection software’s process and use BPF hooking to filter out results that would reveal its activity.”
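The LD_PRELOAD loading path described above leaves traces that a defender can look for: a library named in a process's `LD_PRELOAD` variable, an entry in `/etc/ld.so.preload`, or a shared object mapped from an unusual location. The following script is an added example written for this article; it is not code from the BlackBerry/Intezer report and is not Symbiote-specific. The sample inputs (`SAMPLE_ENVIRON`, `SAMPLE_LD_SO_PRELOAD`, `SAMPLE_MAPS`) are constructed to mimic `/proc/<pid>/environ`, `/etc/ld.so.preload` and `/proc/<pid>/maps`, and the library path in them is a made-up placeholder, not an indicator from the report.

```python
"""Added example: spotting LD_PRELOAD-style library injection from /proc data.

Not from the BlackBerry/Intezer report; the SAMPLE_* inputs below are constructed
to resemble /etc/ld.so.preload and /proc/<pid>/{environ,maps} on a glibc system.
"""
import os
from typing import Dict, List

# Directories from which shared objects are normally loaded on a glibc system.
# A .so mapped from anywhere else (e.g. /tmp, /dev/shm, a home dir) deserves a look.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def parse_environ(raw: bytes) -> Dict[str, str]:
    """/proc/<pid>/environ holds NUL-separated KEY=VALUE pairs."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_libs_from_environ(raw: bytes) -> List[str]:
    """Libraries named in the process's LD_PRELOAD (colon- or space-separated)."""
    value = parse_environ(raw).get("LD_PRELOAD", "")
    return [p for p in value.replace(":", " ").split() if p]


def preload_libs_from_ld_so_preload(text: str) -> List[str]:
    """/etc/ld.so.preload lists one library per line; '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.append(line)
    return libs


def untrusted_mapped_libs(maps_text: str) -> List[str]:
    """Shared objects in /proc/<pid>/maps whose path is outside TRUSTED_LIB_DIRS.

    Each maps line is: address perms offset dev inode [pathname]; anonymous
    mappings have no pathname and are skipped.
    """
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        path = parts[5].strip()
        if ".so" in path and not path.startswith(TRUSTED_LIB_DIRS):
            found.add(path)
    return sorted(found)


def scan_process(pid: int) -> dict:
    """Live check of one pid via /proc; unreadable or vanished pids yield empty findings."""
    findings = {"pid": pid, "ld_preload": [], "untrusted_libs": []}
    try:
        with open(f"/proc/{pid}/environ", "rb") as f:
            findings["ld_preload"] = preload_libs_from_environ(f.read())
        with open(f"/proc/{pid}/maps") as f:
            findings["untrusted_libs"] = untrusted_mapped_libs(f.read())
    except (PermissionError, FileNotFoundError, ProcessLookupError):
        pass
    return findings


def scan_host() -> List[dict]:
    """Report every pid with an LD_PRELOAD setting or an untrusted mapped library."""
    hits = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            f = scan_process(int(name))
            if f["ld_preload"] or f["untrusted_libs"]:
                hits.append(f)
    return hits


# Constructed sample data (placeholder library name, not a real indicator).
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/dev/shm/example-injected.so\0HOME=/root\0"
SAMPLE_LD_SO_PRELOAD = "# constructed sample file\n/dev/shm/example-injected.so\n"
SAMPLE_MAPS = (
    "55d6c0400000-55d6c0401000 r--p 00000000 08:01 262401 /usr/bin/sshd\n"
    "7f3a1c000000-7f3a1c1c5000 r--p 00000000 08:01 131074 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3a1c300000-7f3a1c304000 r-xp 00000000 00:17 9021   /dev/shm/example-injected.so\n"
    "7ffd2a1f0000-7ffd2a211000 rw-p 00000000 00:00 0      [stack]\n"
)

if __name__ == "__main__":
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            print("ld.so.preload entries:", preload_libs_from_ld_so_preload(f.read()))
    for hit in scan_host():
        print(hit)
```

One caveat matters when running this on a live host: the script itself relies on libc, so a library that already hooks `readdir`, `fopen` or `read` in every process can feed it filtered results, which is exactly the behaviour the article describes. Treat the output as a first triage step and confirm findings with a statically linked tool, from a rescue boot, or by imaging the disk and inspecting `/etc/ld.so.preload` and the filesystem offline.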

Symbiote is primarily used for the automated harvesting of credentials and to give its operators remote SSH access by way of the PAM service. Most of the Symbiote targets are in the financial sector in Latin America.

Read more about Symbiote on the BlackBerry official blog.

06/13/2022