Official forum for Utopia Community

You are not logged in.

#1 2023-05-13 21:57:57

Registered: 2023-01-04
Posts: 676

A New Stealthy Linux Backdoor Variant Called BPFDoor Emerges

According to a technical report released this week by cybersecurity company Deep Instinct, a previously unreported and largely undetected variation of a Linux backdoor known as BPFDoor has been discovered in the wild.

With this most recent version, security researchers Shaul Vilkomir-Preisman and Eliran Nissan said that BPFDoor "retains its reputation as an extremely stealthy and difficult-to-detect malware.".

The Chinese threat actor Red Menshen (also known as DecisiveArchitect or Red Dev 18), who has been known to target telecom providers in the Middle East and Asia since at least 2021, is linked to the passive Linux backdoor known as BPFDoor (also known as JustForFun), which was first discovered by PwC and Elastic Security Labs in May 2022.

Evidence suggests that the hacking group operated the backdoor undetected for years. The malware is specifically designed to establish persistent remote access to compromised target environments for extended periods of time.

Berkeley Packet Filters (BPF), a technology that allows Linux systems to analyze and filter network traffic, are used by BPFDoor to process incoming commands and conduct network communications.

Threat actors are able to enter a victim's system in this way, filter out unnecessary data, and execute arbitrary code without being noticed by firewalls.

The information from Deep Instinct is based on a BPFDoor artifact that was published on VirusTotal on February 8, 2023. Only three security vendors have labeled the ELF binary as malicious as of this writing.

The removal of many hard-coded indicators and the replacement of them with a static encryption library (libtomcrypt) and a reverse shell for command-and-control (C2) communication are two important features that make the new version of BPFDoor even more evasive.

backdoor for Linux.
To avoid being terminated, BPFDoor is set up at launch to disregard a number of operating system signals. Then, after allocating a memory buffer, it creates a special socket for packet sniffing that attaches a BPF filter to the raw socket and watches for incoming traffic with a particular Magic Byte sequence.

According to the researchers, "BPFdoor will treat a packet containing its Magic Bytes in the filtered traffic as a message from its operator, parse out two fields, and fork itself once more.".

The child process will attempt to contact the parent process by treating the previously parsed fields as a command-and-control IP-Port combination while the parent process will continue to monitor the filtered traffic passing through the socket. ".


Board footer

Powered by FluxBB