A new variant of the Linux malware 'BPFDoor' has recently surfaced, demonstrating enhanced stealth capabilities. This updated version showcases stronger encryption and improved reverse shell communications. BPFDoor, originally associated with the Chinese threat actor Red Menshen (AKA Red Dev 18), is specifically designed to establish a persistent presence in compromised networks. It enables attackers to regain access to infected systems over a prolonged period. Since 2021, it has targeted telecommunications providers, government entities, educational institutions, and logistics sectors across the Middle East and Asia.
Diving into details
Prior to 2022, BPFDoor utilized RC4 encryption, a bind shell and iptables for communication. Commands and file names were hardcoded within the malware's code.
However, the latest version introduces significant changes. It incorporates static library encryption, employs reverse shell communication, and relies on the C2 server to send commands.
Deep Instinct reports that the latest version of BPFDoor has not been flagged as malicious by any available antivirus engines on the platform.
Attack flow
When activated on an infected system, BPFDoor creates and locks a runtime file (/var/run/initd.lock), spawns child processes, and disables input and output signals. It allocates buffer memory, sets up a packet-sniffing socket, and monitors incoming traffic for a specific byte sequence (\x44\x30\xCD\x9F\x5E\x14\x27\x66).
If found, the backdoor attaches a Berkeley Packet Filter to the socket, capturing data from ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).
Operating at a low level, the malware bypasses application-level firewall restrictions.
Upon receiving the designated message, it forks into parent and child processes, with the child establishing a connection to the C2 and awaiting further instructions.
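One way for defenders to hunt for the activation packet described above in captured traffic, as an added example that is not part of the original report: a small Python scanner that parses Ethernet/IPv4/TCP frames and flags any frame sent to port 22, 80 or 443 whose payload contains the magic sequence. The sample frames, addresses and the build_frame helper are constructed here for illustration.

```python
import struct

# Magic byte sequence BPFDoor waits for on ports 22/80/443 (from the report).
BPFDOOR_MAGIC = b"\x44\x30\xCD\x9F\x5E\x14\x27\x66"
WATCHED_PORTS = {22, 80, 443}

def parse_frame(frame):
    """Parse an Ethernet/IPv4/TCP frame; return (src_ip, dst_port, payload) or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                      # not IPv4
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
    if frame[14 + 9] != 6:               # IP protocol field: 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in frame[26:30])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4        # TCP header length in bytes
    return src_ip, dst_port, tcp[data_off:]

def find_magic(frames):
    """Return (src_ip, dst_port, offset) for each frame carrying the magic on a watched port."""
    hits = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, dst_port, payload = parsed
        off = payload.find(BPFDOOR_MAGIC)
        if dst_port in WATCHED_PORTS and off != -1:
            hits.append((src_ip, dst_port, off))
    return hits

def build_frame(src_ip, dst_port, payload):
    """Constructed test helper: assemble a minimal Ethernet/IPv4/TCP frame (no checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    src = bytes(int(o) for o in src_ip.split("."))
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0, src, b"\x0a\x00\x00\x05")
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

# Constructed sample traffic: a benign HTTP request, an activation packet with the
# magic embedded after a TLS-looking prefix, and the magic on an unwatched port.
SAMPLE_FRAMES = [
    build_frame("10.0.0.7", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    build_frame("10.0.0.9", 443, b"\x16\x03\x01" + BPFDOOR_MAGIC + b"\x00" * 8),
    build_frame("10.0.0.9", 8080, BPFDOOR_MAGIC),   # port 8080: not reported
]

if __name__ == "__main__":
    for src_ip, port, off in find_magic(SAMPLE_FRAMES):
        print(f"BPFDoor magic from {src_ip} to port {port} at payload offset {off}")
```

Frames read from a pcap can be fed to find_magic in the same way; note the magic can sit anywhere inside the payload, so a full substring search rather than a prefix match is needed.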
Why this matters
The malware developers achieve enhanced stealth and obfuscation by integrating encryption directly within a static library. This approach eliminates the need for external libraries, such as the one that previously supplied the RC4 cipher, and so evades detection more effectively.
The use of reverse shell communication offers a notable advantage over a bind shell. With a reverse shell, the infected host establishes the connection to the threat actor's command and control servers. Because outbound connections are commonly permitted where inbound ones are blocked, this keeps communication with the attackers' servers working even when network protection such as firewalls is in place.
Furthermore, the removal of hardcoded commands reduces the likelihood of detection by antivirus software using static analysis, such as signature-based detection. This modification theoretically provides the malware with increased flexibility to support a wider range of commands.
The bottom line
Because it currently evades antivirus detection, BPFDoor poses a significant challenge for security software. As a result, system administrators are left with limited options to safeguard their systems. To mitigate the risks associated with BPFDoor, admins should prioritize rigorous monitoring of network traffic and logs. Additionally, deploying state-of-the-art endpoint protection solutions can provide an added layer of defense. Lastly, regularly monitoring the integrity of "/var/run/initd.lock" can help identify unauthorized changes and potential indications of BPFDoor's presence.