Deep instinct reveals new Linux backdoor variant dubbed BPFDoor
Deep Instinct has discovered the existence of BPFDoor, a previously unreported and exceedingly elusive variation of a Linux backdoor. This backdoor has garnered popularity due to its outstanding stealth qualities, which make it exceedingly difficult to detect.
BPFDoor, also known as JustForFun, is a passive Linux backdoor affiliated with the Chinese threat organization Red Menshen. It gets its name from its use of Berkeley Packet Filters (BPF), a technique extensively used in Linux systems for analyzing and filtering network traffic. It was discovered in May 2022 by PwC and Elastic Security Labs. The threat actors responsible for this backdoor; DecisiveArchitect or Red Dev 18, has been exclusively targeting telecommunications operators in the Middle East and Asia.
This malware’s primary goal is to get persistent remote access to infiltrated computers, allowing threat actors to keep control over the targeted environment for lengthy periods of time. Evidence shows that the BPFDoor hacking team has been operating this backdoor unnoticed for some years.
By employing BPF for network communication and executing received instructions, threat actors can enter a victim’s machine and run malicious malware without being detected by typical firewalls. It has now removed several hard-coded indications and included a static library for encryption (libtomcrypt) as well as a reverse shell for command-and-control (C2) communication. These changes greatly add to the malware’s evasiveness, making identification even more difficult.
BPFDoor carefully ignores numerous operating system signals throughout operation to avoid termination. It then creates a memory buffer and connects to a packet sniffing connection to watch incoming traffic for a certain Magic Byte sequence. The virus interprets packets containing its Magic Bytes as communications from its operator by using a BPF filter on the raw socket.
The malware extracts two critical fields and then forks, with the parent process attentively watching the filtered traffic and the child process interpreting the parsed data as a command-and-control IP-Port combination, attempting to establish contact. BPFDoor then opens an encrypted reverse shell connection with the C2 server and waits for additional instructions to be executed on the compromised system.
The sources for this piece include an article in TheHackerNews.