Skip to content

BPFDoor malware evolves with stronger encryption and evasion

  • by
  • 3 min read

A new, more covert variant of the BPFDoor Linux malware has been spotted in the wild with capabilities including stronger encryption and reverse shell communication. The malware itself, although active since 2017 was only discovered in 2022 and gets its name from the Berkley Packet Filter (BPF) that it uses for receiving instructions while also helping it bypass firewall restrictions for incoming traffic. 

The malware is supposed to be a low-profile, passive backdoor intended to maintain a persistent, long-term intrusion in already breached networks and systems ensuring an attacker can re-enter any infected system whenever they want post-compromise.

The BPFDoor infection vector. | Source: Deep Instinct

It initially used RC4 encryption, bind shell and iptables for communication and commands as well as filenames were hard-coded. However, this new variant, as analysed by Deep Instinct features static library encryption, reverse shell communications and all commands are sent from a Command and Control (C2) server. 

Static library encryption makes the malware more covert and independent as external libraries for RC4 encryption aren’t required anymore. Switching from reverse shell to bind shell also has advantages as it connects from the infected host to the C2 servers, bypassing any restrictions on incoming traffic.

Last but not least, removing hard-coded commands and file names makes it less likely for antivirus programs to detect the malware while also giving it more flexibility with a bigger, more diverse command set. In fact, this change has been so significant that Deep Instinct reports that no antivirus engine on Virustotal flagged the program as malware, despite the first submission being made as early as February 2023. 

The new version of BPFDoor wasn’t detected despite seven separate scans. | Source: Deep Instinct

Since system admins can’t rely on security software any more, at least until they start flagging this new BPFDoor version, network traffic and log monitoring become the only way to ensure system safety. Additionally, monitoring file integrity of the /var/run/initd.lock file can also help detect any intrusions. 

In the News: Flaw in Essential Addons for Elementor puts 1 million sites at risk

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here:

Exit mobile version