A previously undocumented and largely undetected variant of the Linux backdoor is called BPFDoor has been seen in the wild, cybersecurity firm Deep Instinct said in a technical report published this week.
“BPFDoor maintains its reputation as highly stealthy and difficult to detect malware with this latest iteration,” security researchers Shaul Vilkomir-Preisman and Eliran Nissan said.
BPFDoor (aka JustForFun), first documented by PwC And Elastic Safety Laboratory in May 2022, is a passive Linux backdoor associated with a named Chinese threat actor Menshen Red (alias Firm Architect or Red Dev 18), which is known to select telecom providers across the Middle East and Asia since at least 2021.
Malware is specifically targeted establish persistent remote access to a compromised target environment for an extended period of time, with evidence suggesting that the hacking crew operated a backdoor undetected for years.
BPFDoor gets its name from the use of Berkeley Packet Filters (BPF) – a technology that makes it possible to analyze and filter network traffic in Linux systems – for network communications and processing incoming commands.
This allows threat actors to penetrate victim systems and execute arbitrary code without being detected by firewalls, while filtering out unnecessary data.
Deep Instinct findings come from a BPFDoor artifact which was uploaded to VirusTotal on February 8, 2023. At the time of writing, only three security vendors marked ELF binaries as dangerous.
One of the main characteristics that makes the new version of BPFDoor even more evasive is the removal of many hard-coded indicators and instead incorporates a static library for encryption (libtomcrypt) and a reverse shell for command-and-control (C2) communication.
When launched, BPFDoor is configured to ignore various operating system signal to prevent it from being stopped. It then allocates memory buffers and creates special packet sniffing sockets that monitor specific incoming traffic Magic Byte Order by associating a BPF filter to a raw socket.
“When BPFdoor encounters a packet containing Magic Bytes in filtered traffic, it will treat it as a message from its operator and will parse the two fields and will fork again,” the researchers explained.
“The parent process will continue and monitor the filtered traffic coming through the socket while the child will treat the previously parsed fields as command-and-control IP-Port combinations and will attempt to contact them.”
In the final stage, BPFDoor sets up an encrypted backshell session with the C2 server and waits for further instructions to be executed on the compromised machine.
The fact that BPFDoor has remained under wraps for such a long time speaks to its sophistication, especially with threat actors increasingly developing malware targeting Linux systems due to its prevalence in enterprise and cloud environments.
Its development comes as Google announced The new extended Berkeley Package Filter (eBPF) fuzzy framework is called Bell to help harden Linux core and ensure that sandboxed programs running in privileged contexts are valid and secure.
The tech giant further said the test method led to the discovery of a security weakness (CVE-2023-2163) which can be exploited to achieve arbitrary kernel memory reads and writes.