New Stealthy Variant of BPFDoor Linux Backdoor Discovered

Reading Time: ( Word Count: )

May 12, 2023

“New Stealthy Variant of BPFDoor Linux Backdoor Discovered”

According to a recent technical report by cybersecurity firm Deep Instinct, a new variant of the Linux backdoor, BPFDoor, has been discovered. The malware is known for being extremely difficult to detect and has been associated with a Chinese threat actor called Red Menshen. This group is believed to have targeted telecom providers in the Middle East and Asia since at least 2021.

BPFDoor is a passive Linux backdoor that establishes persistent remote access to a compromised system. The virus accomplishes this by analyzing and filtering network traffic on Linux machines for network interactions and processing new orders with Berkeley Packet Filters (BPF).  Blocking superfluous traffic enables attackers to run arbitrary programs without the antivirus program detecting it.

Linux Backdoor

The latest version of BPFDoor is even more evasive than previous iterations due to its removal of hard-coded indicators. Instead, it includes an inverse shell for command-and-control (C2) interaction and an inbuilt decryption module (libtomcrypt). Additionally, the virus disregards several operating system alerts to avoid being removed.

The BPFDoor artifact that Deep Instinct used to make its discoveries was posted to VirusTotal on February 8, 2023. Just three security companies have labeled the ELF file to be harmful as of the present moment. However, given the malware’s ability to remain hidden for long periods, it is likely that it has been used in attacks that have gone undetected.

The fact that BPFDoor has remained hidden for a long time speaks to its sophistication. It highlights the increasing need for protection against malware targeting Linux systems, which are prevalent in enterprise and cloud environments.

In response to this threat, Google has announced the development of a new extended Berkeley Packet Filter (eBPF) fuzzing framework called Buzzer. This framework will aid in the strengthening of the Linux kernel and guarantee the legitimacy and security of sandboxed programs executed in protected contexts.

Saher Mahmood

Saher Mahmood


Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...

Submit a Comment

Your email address will not be published. Required fields are marked *