Recently, cybersecurity firm Deep Instinct’s threat lab discovered a new and previously unreported form of the BPFdoor malware. BPFdoor is a low-profile, passive backdoor specific to Linux that enables attackers to re-enter an infected machine for an extended period. Its ability to bypass firewall limitations on incoming traffic is what gives it its name. In this article, we will discuss the characteristics of the malware, its use of Berkeley Packet Filter, its link to the hacking group RedMenshen, and recent developments in its design.
BPFdoor’s use of Berkeley Packet Filter
BPFdoor’s unique characteristic is its use of Berkeley Packet Filter (BPF) to go beyond firewall limits on incoming traffic. By monitoring incoming traffic for a “magic” byte sequence, the malware allocates a memory buffer and starts a packet sniffing socket. BPFdoor runs so low that any firewall limitations on the compromised computer won’t affect this sniffing activity. This method allows attackers to infiltrate the system and operate under the radar without the system’s owner being aware of the breach.
While BPFdoor is not new, as it has been in use for several years, its discovery has added to the growing concerns about the hacking group known as Red Menace (Red Dev 18), who are believed to be the ones behind the malware. This active cybercriminal group has been linked to various cybersecurity incidents targeting financial and government organizations in Europe and Asia.
BPFdoor is a passive backdoor, which enables attackers to re-enter an infected machine undetected. In previous versions, the malware employed RC4 encryption, bind shell, and iptables for communication. Its commands and filenames were hardcoded, making it relatively easy for anti-virus software employing static analysis to detect.
New variants of BPFdoor
Recent variants of BPFdoor have made significant changes to its design. A more recent variant examined by Deep Instinct includes reverse shell communication, static library encryption, and all commands sent by the C2 server. This new design makes it significantly harder to detect and block by anti-virus software that uses static analysis. By removing hard-coded commands, BPFdoor becomes less likely to be discovered.
Benefits of deleting hardcoded commands
With the removal of hardcoded commands, BPFdoor becomes more adaptable to the needs of the attacker. It allows for greater flexibility in executing commands, making it easier to infiltrate the system and extract sensitive information. This aspect of the malware makes it considerably harder to detect and block, making it a severe threat to organizations.
Packet sniffing activity
One of the most significant advantages of BPFdoor is its ability to perform packet sniffing without detection. This method of monitoring traffic allows attackers to gather sensitive information, such as login credentials and other data, which can be used to exploit the system further. BPFdoor’s ability to run so low that it bypasses firewall limitations makes it an effective tool for attackers.
BPFdoor’s Ability to Bypass Firewall Limitations
BPFdoor’s ability to bypass firewall limitations is one of its most powerful features. This feature makes it incredibly difficult to detect and block by firewalls, allowing attackers to enter the system undetected and operate with anonymity. BPFdoor’s ability to remain hidden and undetected for prolonged periods makes it a serious threat to any organization.
In conclusion, the discovery of a new variant of BPFdoor and its continued use by Red Menshen highlights the urgent need for organizations to prepare themselves against such threats. BPFdoor’s unique design, including its use of BPF, packet sniffing, and its ability to bypass firewall limitations, makes it one of the most challenging malware to detect and block. Organizations that ignore these threats may face significant damages and data breaches. It is essential to remain vigilant and adopt a multi-layered security approach to mitigate the risks posed by BPFdoor and other similar malware.