Experts have recently discovered an improved version of the BPFDoor malware for Linux, which appears to be harder to detect: as of this writing, no antivirus engine flags this executable as malicious.
Cybersecurity researchers at Deep Instinct have noted that BPFDoor, which was first discovered in 2022, has been active since at least 2017. The tool takes its name from its (over)use of the Berkeley Packet Filter (BPF), which it relies on to receive instructions and to bypass firewalls.
Its design is said to allow cybercriminals to remain undetected on a compromised Linux system for extended periods. The key feature of BPFDoor is that it lets cybercriminals observe all network traffic and look for vulnerabilities, and send remote code through channels that are (now) unfiltered and unblocked.
An eye on network traffic
What’s more, BPFDoor is able to combine malicious traffic with legitimate traffic, which makes detection and remediation even more difficult.
But given that no antivirus yet flags BPFDoor as malicious, the only way system administrators can detect it is through “vigorous” monitoring of network traffic and logs, adds BleepingComputer. They should use state-of-the-art endpoint protection and monitor the integrity of the file “/var/run/initd.lock”, because this is where BPFDoor creates and locks the runtime before forking to run as a child process.
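One practical way to act on that advice is a baseline-and-compare integrity check over a short watchlist of paths. The script below is an added example written for this article, not code from BleepingComputer, Deep Instinct or any vendor product; the only path it ships with is /var/run/initd.lock, the location the article names, and the other paths in any real deployment would be the operator's own. It assumes a Linux host (the optional /proc scan that reports which processes hold a watched file open is skipped elsewhere) and read access to the watched files. The baseline is a plain JSON file, so it can be committed to a separate host and re-checked from a cron job.

```python
"""Baseline-and-compare file integrity check for a small watchlist.

Added example for the BPFDoor article; not the malware's code nor any
vendor tool. The default watchlist holds only the path the article names.
"""
import hashlib
import json
import os
import stat
import sys

# Path taken from the article; extend with your own sensitive files.
WATCHLIST = ["/var/run/initd.lock"]


def fingerprint(path):
    """Describe a path (owner, mode, inode, size, mtime, sha256) or None if absent."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    fp = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "inode": st.st_ino,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        fp["sha256"] = h.hexdigest()
    return fp


def take_baseline(paths):
    """Snapshot every watched path; absent paths are recorded as None."""
    return {p: fingerprint(p) for p in paths}


def compare(baseline, current):
    """Return (path, event, detail) findings: created, removed or modified."""
    findings = []
    for path, before in baseline.items():
        after = current.get(path)
        if before is None and after is not None:
            findings.append((path, "created", after))
        elif before is not None and after is None:
            findings.append((path, "removed", before))
        elif before != after:
            changed = {k: (before.get(k), after.get(k))
                       for k in set(before) | set(after)
                       if before.get(k) != after.get(k)}
            findings.append((path, "modified", changed))
    return findings


def holders(path):
    """PIDs with the file open, found by scanning /proc/<pid>/fd symlinks (Linux only)."""
    pids = []
    if not os.path.isdir("/proc"):
        return pids
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == path:
                    pids.append(int(pid))
                    break
        except OSError:
            continue  # process vanished or not ours to inspect
    return pids


if __name__ == "__main__":
    # usage: script.py baseline.json   (creates it on first run, compares later)
    store = sys.argv[1] if len(sys.argv) > 1 else "baseline.json"
    if not os.path.exists(store):
        with open(store, "w") as f:
            json.dump(take_baseline(WATCHLIST), f, indent=2)
        print(f"baseline written to {store}")
        sys.exit(0)
    with open(store) as f:
        baseline = json.load(f)
    for path, event, detail in compare(baseline, take_baseline(WATCHLIST)):
        print(f"{event.upper()} {path}: {detail}; held open by {holders(path)}")
```

A finding of "created" for the lock path is the interesting signal here, since on a clean host the baseline records it as absent; the process list from the /proc scan is what you hand to the incident responder next.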
TheHackerNews also reports that BPFDoor is usually used by Red Menshen, a cybercriminal group with ties to China. The group, active since 2021, mainly targets Linux systems belonging to telecommunications providers in the Middle East and Asia, as well as government organizations, education companies and logistics companies.
After gaining initial access, the group used a variety of custom tools such as Mangzamel, Gh0st, Mimikatz, and Metasploit.
Most of the group’s activities take place on working days and during working hours (9-17, Monday to Friday).
By: BleepingComputer