“New Stealthy Variant of BPFDoor Linux Backdoor Discovered”
According to a recent technical report by cybersecurity firm Deep Instinct, a new variant of the Linux backdoor, BPFDoor, has been discovered. The malware is known for being extremely difficult to detect and has been associated with a Chinese threat actor called Red Menshen. This group is believed to have targeted telecom providers in the Middle East and Asia since at least 2021.
BPFDoor is a passive Linux backdoor that establishes persistent remote access to a compromised system. The virus accomplishes this by analyzing and filtering network traffic on Linux machines for network interactions and processing new orders with Berkeley Packet Filters (BPF). Blocking superfluous traffic enables attackers to run arbitrary programs without the antivirus program detecting it.
The latest version of BPFDoor is even more evasive than previous iterations due to its removal of hard-coded indicators. Instead, it includes an inverse shell for command-and-control (C2) interaction and an inbuilt decryption module (libtomcrypt). Additionally, the virus disregards several operating system alerts to avoid being removed.
The BPFDoor artifact that Deep Instinct used to make its discoveries was posted to VirusTotal on February 8, 2023. Just three security companies have labeled the ELF file to be harmful as of the present moment. However, given the malware’s ability to remain hidden for long periods, it is likely that it has been used in attacks that have gone undetected.
The fact that BPFDoor has remained hidden for a long time speaks to its sophistication. It highlights the increasing need for protection against malware targeting Linux systems, which are prevalent in enterprise and cloud environments.
In response to this threat, Google has announced the development of a new extended Berkeley Packet Filter (eBPF) fuzzing framework called Buzzer. This framework will aid in the strengthening of the Linux kernel and guarantee the legitimacy and security of sandboxed programs executed in protected contexts.