New Stealthy Variant of Linux Malware BPFDoor Discovered
A new version of the Linux malware BPFDoor has been discovered, which is more stealthy and has stronger encryption and reverse shell communications. BPFDoor is a backdoor malware that was first discovered by security researchers about a year ago but has been active since 2017.
The malware uses the ‘Berkley Packet Filter’ (BPF) to receive instructions and bypass incoming traffic firewall restrictions.
The new variant of BPFDoor analyzed by Deep Instinct incorporates static library encryption, reverse shell communication, and sends all commands from the command and control (C2) server. This version removes the reliance on external libraries like RC4 cipher algorithm, enhances stealth and obfuscation, establishes connections from the infected host to the C2 servers, and removes hardcoded commands to avoid detection by antivirus software.
When BPFDoor is executed, it creates and locks a runtime file, forks itself to run as a child process, and ignores various operating system signals. It then allocates a memory buffer and creates a packet sniffing socket to monitor incoming traffic for a specific byte sequence. The malware attaches a BPF to the socket to read only UDP, TCP, and SCTP traffic through specific ports, regardless of any firewall restrictions.
When BPFDoor detects a packet containing its “magic” bytes, it treats it as a message from its operator, parses out fields, and forks itself again. The parent process continues to monitor the filtered traffic, while the child process establishes a connection with the C2 using the parsed IP-Port combination. The malware then sets up a reverse shell and awaits commands from the server.
The latest version of BPFDoor has not been flagged as malicious by any available antivirus engines on VirusTotal, despite being submitted in February 2023.
To detect BPFDoor, system administrators are advised to monitor network traffic and logs, use advanced endpoint protection products, and monitor the file integrity of “/var/run/initd.lock”.
–
Indicators of Compromise
| SHA |
|---|
| afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7 |
MITRE ATT&CK
| Tactic | Technique | Description | Observable |
|---|---|---|---|
| Command and Control Defense Evasion Persistence | T1205 - Traffic Signaling | Attacker employs “magic” values to trigger response. | “Magic” byte sequence |
| Command and Control Defense Evasion Persistence | T1205.002 - Traffic Signaling: Socket Filters | Attacker attaches filter to a network socket. | Usage of Berkley Packet Filter |
| Command and Control | T1573 - Encrypted Channel | Attacker employs encrypted Command & Control communication. | Usage of libtomcrypt |
| Execution | T1106 – Native API | Attacker calls upon native OS APIs in order to execute behaviors. | Usage of popen |