A new, more covert variant of the BPFDoor Linux malware has been spotted in the wild, with capabilities including stronger encryption and reverse shell communication. The malware, although active since 2017, was only discovered in 2022. It takes its name from the Berkeley Packet Filter (BPF), which it uses to receive instructions and which also helps it bypass firewall restrictions on incoming traffic.
The malware is designed as a low-profile, passive backdoor intended to maintain a persistent, long-term foothold in already breached networks and systems, ensuring an attacker can re-enter any infected system whenever they want post-compromise.
It initially used RC4 encryption, a bind shell and iptables for communication, and its commands and filenames were hard-coded. The new variant analysed by Deep Instinct, however, features static library encryption and reverse shell communication, and all commands are sent from a command-and-control (C2) server.
Static library encryption makes the malware more covert and self-contained, as external libraries for RC4 encryption are no longer required. Switching from a bind shell to a reverse shell also has advantages: the connection is initiated from the infected host out to the C2 server, bypassing any restrictions on incoming traffic.
Last but not least, removing hard-coded commands and file names makes the malware less likely to be detected by antivirus programs while also giving it more flexibility through a bigger, more diverse command set. This change has been so significant that Deep Instinct reports that no antivirus engine on VirusTotal flagged the sample as malware, even though it was first submitted as early as February 2023.
Since system administrators cannot rely on security software for now, at least until engines start flagging this new BPFDoor version, network traffic and log monitoring are the only way to ensure system safety. Additionally, monitoring the integrity of the /var/run/initd.lock file can help detect an intrusion.
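The two checks above can be scripted for a host baseline. The following is an added example written for this article, not code from the article or from Deep Instinct. It records a fingerprint of the /var/run/initd.lock path the article names (so that the file appearing or changing is flagged), and it lists which processes currently hold an AF_PACKET socket, the socket type a BPF filter is attached to for passive packet inspection. That a BPF-driven passive listener shows up in /proc/net/packet is my assumption, not a claim the article makes; the sample /proc/net/packet content embedded below is constructed.

```python
"""Defender-side checks for the two indicators the article points at:
integrity of /var/run/initd.lock and processes holding packet sockets.
Added example; not code from the article or from Deep Instinct."""
import hashlib
import os
import re
from pathlib import Path

# Path named in the article. Recording a baseline while the file is absent and
# alerting when it appears is the simplest form of integrity monitoring.
LOCK_FILE = "/var/run/initd.lock"

# Constructed sample in the layout of /proc/net/packet (not captured from a host).
SAMPLE_PROC_NET_PACKET = (
    "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "ffff9a0c8e4a0000 3      3    0003   2     1 0      0      12345\n"
    "ffff9a0c8e4a0800 3      3    0800   0     1 0      0      67890\n"
)


def file_fingerprint(path: str):
    """Return (sha256, size, mtime) for an existing file, or None if it is absent."""
    p = Path(path)
    if not p.is_file():
        return None
    st = p.stat()
    return (hashlib.sha256(p.read_bytes()).hexdigest(), st.st_size, int(st.st_mtime))


def compare_fingerprint(baseline, current):
    """Classify the change between a stored baseline and the current fingerprint."""
    if baseline is None and current is None:
        return "absent"
    if baseline is None:
        return "created"      # file appeared after the baseline was taken
    if current is None:
        return "deleted"
    return "unchanged" if baseline == current else "modified"


def parse_proc_net_packet(text: str):
    """Return the inodes of AF_PACKET sockets listed in /proc/net/packet.

    Column layout on Linux: sk RefCnt Type Proto Iface R Rmem User Inode.
    """
    inodes = set()
    for line in text.splitlines()[1:]:           # first line is the header
        fields = line.split()
        if len(fields) >= 9 and fields[8].isdigit():
            inodes.add(int(fields[8]))
    return inodes


def socket_inodes_of_process(pid: int, proc_root: str = "/proc"):
    """Socket inodes held by a process, read from its /proc/<pid>/fd symlinks."""
    held = set()
    try:
        for fd in (Path(proc_root) / str(pid) / "fd").iterdir():
            try:
                target = os.readlink(fd)
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                held.add(int(m.group(1)))
    except OSError:
        pass                                    # process exited or no permission
    return held


def match_inodes_to_pids(packet_inodes, pid_to_inodes):
    """Map each pid to the packet-socket inodes it holds (pure, testable part)."""
    hits = {}
    for pid, inodes in pid_to_inodes.items():
        common = inodes & packet_inodes
        if common:
            hits[pid] = common
    return hits


def processes_with_packet_sockets(proc_root: str = "/proc"):
    """Live scan: which processes hold an AF_PACKET socket right now?"""
    packet_file = Path(proc_root) / "net" / "packet"
    if not packet_file.is_file():
        return {}
    packet_inodes = parse_proc_net_packet(packet_file.read_text())
    pid_to_inodes = {
        int(d.name): socket_inodes_of_process(int(d.name), proc_root)
        for d in Path(proc_root).iterdir()
        if d.name.isdigit()
    }
    return match_inodes_to_pids(packet_inodes, pid_to_inodes)


if __name__ == "__main__":
    # First run: treat "absent" as the baseline; store the fingerprint and
    # re-run periodically, alerting on "created" or "modified".
    print("initd.lock:", compare_fingerprint(None, file_fingerprint(LOCK_FILE)))
    for pid, inodes in processes_with_packet_sockets().items():
        try:
            comm = Path(f"/proc/{pid}/comm").read_text().strip()
        except OSError:
            comm = "?"
        print(f"pid {pid} ({comm}) holds packet socket inode(s) {sorted(inodes)}")
```

Run it as root so every process's fd directory is readable. The packet-socket list is a candidate list, not a verdict: DHCP clients, LLDP daemons and packet-capture tools legitimately hold AF_PACKET sockets, so compare the output against the daemons expected on that host and investigate anything unexplained.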