Stealthier Version of Linux BPFDoor Malware Spotted in the Wild

Cyber Security Threat Summary:
“A new, stealthier variant of the Linux malware 'BPFDoor' has been discovered, featuring more robust encryption and reverse shell communications. BPFDoor is a stealthy backdoor malware that has been active since at least 2017 but was only discovered by security researchers around 12 months ago. The malware gets its name from the use of the 'Berkley Packet Filter' (BPF) for receiving instructions while bypassing incoming traffic firewall restrictions” (Bleeping Computer, 2023).

The malware is designed for lengthy persistence on impacted Linux systems. Until 2022, the malware was using RC4 encryption, bind shell and iptables for communication with hardcoded commands and filenames. This newer variant features static library encryption, reverse shell communications, and all commands are sent to the malware from an attacker controlled C2 server.

Security Officer Comments:
Encryption via the static library allows for better stealth and obfuscation. The reverse shell improvement over bind shell is that it can establish a connection from the infected host directly to the attackers command and control server, which allows for communication even when a firewall is protecting the network. Lastly, the removal of the hardcoded commands, makes it harder for anti-virus software to detect the malware using static analysis and signature-based detection. All in all, the malware is more flexible and can use a more diverse command set.

Deep Instinct reports that the latest version of BPFDoor is not flagged as malicious by any available AV engines on VirusTotal, despite its first submission on the platform dating February 2023.

T1205 - Traffic Signaling
Attacker employs “magic” values to trigger response.

T1205.002 - Traffic Signaling: Socket Filters
Attacker attaches filter to a network socket.

T1573 - Encrypted Channel
Attacker employs encrypted Command & Control communication.

T1106 – Native API
Attacker calls upon native OS APIs in order to execute behaviors.

Suggested Correction(s):
BPFDoor remains undetected by security software, so system admins may only rely on vigorous network traffic and logs monitoring, the use of state-of-the-art endpoint protection products, and by monitoring the file integrity on "/var/run/initd.lock."

Also, a May 2022 report by CrowdStrike highlighted that BPFDoor used a 2019 vulnerability to achieve persistence on targeted systems, so applying the available security updates is always a crucial strategy against all types of malware.