Experts have recently discovered an upgraded version of the BPFDoor malware for Linux (opens in new tab), that’s seemingly harder to spot – and aAs a result, no antivirus programs are still flagging the executable as malicious.
Cybersecurity researchers from Deep Instinct noted that BPFDoor, which was first discovered in 2022, has been active since at least 2017. The tool got its name from the (ab)use of the Berkley Packet Filter (BPF), which it uses to get instructions and bypass any firewalls.
Its design allows the threat actors to remain undetected on a compromised Linux system for longer periods of time, it was said. BPFDoor’s key feature is allowing threat actors to see all network traffic and find vulnerabilities, as well as sending out remote code through (now) unfiltered and unblocked channels.
An eye on network traffic
Furthermore, BPFDoor is capable of blending malicious traffic with the legitimate one, making detection and remediation even more difficult.
But given that no antivirus still flag BPFDoor as malicious, system administrators’ only way of detecting it is to “vigorously” monitor network traffic and logs, BleepingComputer adds. They should use state-of-the-art endpoint protection solutions, and monitor the file integrity on “/var/run/initd.lock.” as that’s where BPFDoor creates and locks a runtime before forking itself to run as a child process.
TheHackerNews also claims that BPFDoor is usually used by Red Menshen, a threat actor associated with China. The group, active since 2021, has been mostly targeting Linux operating systems belonging to telecommunications providers in the Middle East and Asia, as well as government organizations, education firms, and logistics companies, it says on Malpedia.
After gaining initial access, the group would use various custom tools, such as Mangzamel, Gh0st, Mimikatz, and Metasplit.
Most of the group’s activity takes place during workdays and during working hours (9-5, Monday to Friday).
Via: BleepingComputer (opens in new tab)