Unmasking BPFdoor: The Latest Stealthy Linux Malware Linked to Red Menshen

Recently, cybersecurity firm Deep Instinct’s threat lab discovered a new and previously unreported form of the BPFdoor malware. BPFdoor is a low-profile, passive backdoor specific to Linux that enables attackers to re-enter an infected machine for an extended period. Its ability to bypass firewall limitations on incoming traffic is what gives it its name. In this article, we will discuss the characteristics of the malware, its use of Berkeley Packet Filter, its link to the hacking group RedMenshen, and recent developments in its design.

BPFdoor’s use of Berkeley Packet Filter

BPFdoor’s unique characteristic is its use of Berkeley Packet Filter (BPF) to go beyond firewall limits on incoming traffic. By monitoring incoming traffic for a “magic” byte sequence, the malware allocates a memory buffer and starts a packet sniffing socket. BPFdoor runs so low that any firewall limitations on the compromised computer won’t affect this sniffing activity. This method allows attackers to infiltrate the system and operate under the radar without the system’s owner being aware of the breach.

While BPFdoor is not new, as it has been in use for several years, its discovery has added to the growing concerns about the hacking group known as Red Menace (Red Dev 18), who are believed to be the ones behind the malware. This active cybercriminal group has been linked to various cybersecurity incidents targeting financial and government organizations in Europe and Asia.

BPFdoor is a passive backdoor, which enables attackers to re-enter an infected machine undetected. In previous versions, the malware employed RC4 encryption, bind shell, and iptables for communication. Its commands and filenames were hardcoded, making it relatively easy for anti-virus software employing static analysis to detect.

New variants of BPFdoor

Recent variants of BPFdoor have made significant changes to its design. A more recent variant examined by Deep Instinct includes reverse shell communication, static library encryption, and all commands sent by the C2 server. This new design makes it significantly harder to detect and block by anti-virus software that uses static analysis. By removing hard-coded commands, BPFdoor becomes less likely to be discovered.

Benefits of deleting hardcoded commands

With the removal of hardcoded commands, BPFdoor becomes more adaptable to the needs of the attacker. It allows for greater flexibility in executing commands, making it easier to infiltrate the system and extract sensitive information. This aspect of the malware makes it considerably harder to detect and block, making it a severe threat to organizations.

Packet sniffing activity

One of the most significant advantages of BPFdoor is its ability to perform packet sniffing without detection. This method of monitoring traffic allows attackers to gather sensitive information, such as login credentials and other data, which can be used to exploit the system further. BPFdoor’s ability to run so low that it bypasses firewall limitations makes it an effective tool for attackers.

BPFdoor’s Ability to Bypass Firewall Limitations

BPFdoor’s ability to bypass firewall limitations is one of its most powerful features. This feature makes it incredibly difficult to detect and block by firewalls, allowing attackers to enter the system undetected and operate with anonymity. BPFdoor’s ability to remain hidden and undetected for prolonged periods makes it a serious threat to any organization.

In conclusion, the discovery of a new variant of BPFdoor and its continued use by Red Menshen highlights the urgent need for organizations to prepare themselves against such threats. BPFdoor’s unique design, including its use of BPF, packet sniffing, and its ability to bypass firewall limitations, makes it one of the most challenging malware to detect and block. Organizations that ignore these threats may face significant damages and data breaches. It is essential to remain vigilant and adopt a multi-layered security approach to mitigate the risks posed by BPFdoor and other similar malware.

Explore more

Ethereum Uses AI Swarms to Proactively Patch Network Flaws

The architectural integrity of global decentralized networks has reached a pivotal juncture where the speed of malicious exploitation often outpaces the traditional cadence of human-led security audits. To address this widening gap, The Ethereum Foundation has fundamentally transitioned its security strategy from a reactive model to an automated, proactive defense paradigm that leverages the power of machine learning. This shift

How Is ERP Modernization Driving DLA to Audit Readiness?

The Defense Logistics Agency currently manages an intricate global supply chain that serves as the backbone for the United States military, requiring an unprecedented level of financial precision and operational transparency to meet modern oversight requirements. This massive undertaking involves a transition from aging, siloed legacy systems to a unified Enterprise Resource Planning environment designed to provide real-time visibility into

What Makes Odyssey Infostealer a Global Threat to macOS?

The long-standing myth that macOS remains immune to sophisticated cyberattacks has been decisively shattered by the emergence of the Odyssey infostealer, a highly specialized malware variant engineered to bypass modern system integrity protections. This transition represents a fundamental shift in the threat landscape, where the historical security-by-obscurity advantage once enjoyed by Apple users has entirely vanished. As the adoption of

Can AI Secure Windows Without Compromising Stability?

The sheer scale of modern software development has reached a point where manual code review is no longer sufficient to protect the billions of devices running Windows across the globe. As lines of code multiply and interdependencies become more complex, traditional security measures are struggling to keep pace with the rapid evolution of sophisticated digital threats. In response to this

Xero Launches JAX to Redefine Accounting with Agentic AI

Small business owners have historically spent an exhausting amount of time tethered to spreadsheets and receipts, but the emergence of agentic AI is finally turning those static records into a living, breathing financial command center that operates with minimal human oversight. With more than five million global subscribers now integrated into its ecosystem, Xero is spearheading a movement toward Accountable