The Linux backdoor BPFDoor has reemerged with new variants built to stay resident, and hidden, on Linux hosts inside core network infrastructure. Recent analysis by security researchers documents the additional stealth techniques these versions carry.
Targeting Critical Infrastructure
Attributed to the China-linked threat group Red Menshen, these BPFDoor variants target Linux servers embedded in telecommunications networks worldwide. The updated malware adds evasion techniques that make it harder to detect and, once resident, harder to eradicate.
BPFDoor abuses the Berkeley Packet Filter (BPF), a legitimate kernel facility for filtering network traffic. It attaches a custom BPF filter to a raw socket, so the kernel delivers to the implant every incoming packet that matches the filter, and the implant never has to bind a listening port. Because no port is open, the host's listening-port inventory, firewall rules keyed on ports and ordinary port scanners show nothing unusual; the implant idles until a specially crafted ‘magic packet’ that satisfies the filter arrives and activates it.
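The mechanism in miniature, as an added example: this is illustrative code written for this article, not BPFDoor's own filter and not code from Rapid7. It builds a classic BPF program that passes only UDP packets whose payload begins with a chosen two-byte marker (the value of MAGIC and the packet layout are assumptions), runs it through a small interpreter that behaves the way the kernel's cBPF engine does for this subset (out-of-bounds loads drop the packet), and feeds it constructed packets to show which ones would ever reach the process. Attaching the packed program for real requires CAP_NET_RAW and setsockopt(SOL_SOCKET, SO_ATTACH_FILTER, ...) with the array wrapped in a struct sock_fprog (SO_ATTACH_FILTER is 26 on Linux); that step is left out so the example runs unprivileged.

```python
import struct

# Classic BPF opcodes (values from the Linux UAPI header linux/bpf_common.h).
LD_B_ABS = 0x30   # A = pkt[k]                         (BPF_LD  | BPF_B | BPF_ABS)
LD_H_ABS = 0x28   # A = big-endian u16 at pkt[k]        (BPF_LD  | BPF_H | BPF_ABS)
LD_H_IND = 0x48   # A = big-endian u16 at pkt[X + k]    (BPF_LD  | BPF_H | BPF_IND)
LDX_MSH  = 0xb1   # X = 4 * (pkt[k] & 0xf), IPv4 IHL    (BPF_LDX | BPF_B | BPF_MSH)
JEQ_K    = 0x15   # pc += jt if A == k else jf          (BPF_JMP | BPF_JEQ | BPF_K)
RET_K    = 0x06   # accept k bytes of the packet, 0 = drop (BPF_RET | BPF_K)

IPPROTO_UDP = 17
IPPROTO_TCP = 6
MAGIC = 0x4D47  # hypothetical marker; the real implant's value is not given in this article

# The filter as (code, jt, jf, k) tuples: the field layout of struct sock_filter.
# Packets start at the IPv4 header, as they do on an AF_INET SOCK_RAW socket.
MAGIC_FILTER = [
    (LD_B_ABS, 0, 0, 9),            # A = IP protocol
    (JEQ_K,    0, 4, IPPROTO_UDP),  # not UDP -> jump to drop
    (LDX_MSH,  0, 0, 0),            # X = IP header length (copes with IP options)
    (LD_H_IND, 0, 0, 8),            # A = first 2 payload bytes after the 8-byte UDP header
    (JEQ_K,    0, 1, MAGIC),        # marker present? fall through to accept, else drop
    (RET_K,    0, 0, 0xFFFF),       # accept (whole packet reaches the socket)
    (RET_K,    0, 0, 0),            # drop (the process never sees it)
]


def pack_filter(prog):
    """Serialize to the struct sock_filter array SO_ATTACH_FILTER consumes."""
    return b"".join(struct.pack("HBBI", *insn) for insn in prog)


def run_filter(prog, pkt):
    """Interpret the cBPF subset above; any out-of-bounds load returns 0 (drop)."""
    a = x = pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        try:
            if code == LD_B_ABS:
                a = pkt[k]
            elif code == LD_H_ABS:
                a = struct.unpack_from("!H", pkt, k)[0]
            elif code == LD_H_IND:
                a = struct.unpack_from("!H", pkt, x + k)[0]
            elif code == LDX_MSH:
                x = 4 * (pkt[k] & 0xF)
            elif code == JEQ_K:
                pc += jt if a == k else jf
            elif code == RET_K:
                return k
            else:
                raise ValueError(f"unsupported opcode {code:#x}")
        except (IndexError, struct.error):
            return 0
    return 0


def accepts(pkt):
    """True when the kernel would hand this packet to the filtered socket."""
    return run_filter(MAGIC_FILTER, pkt) > 0


# Constructed test traffic (no checksums; the filter never looks at them).
def ipv4_packet(proto, l4, ihl_words=5):
    options = b"\x00" * (4 * (ihl_words - 5))
    total = ihl_words * 4 + len(l4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total, 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + l4


def udp_segment(payload):
    return struct.pack("!HHHH", 40000, 5555, 8 + len(payload), 0) + payload


MAGIC_BYTES = MAGIC.to_bytes(2, "big")
MAGIC_PKT = ipv4_packet(IPPROTO_UDP, udp_segment(MAGIC_BYTES + b"run"))
MAGIC_PKT_WITH_OPTIONS = ipv4_packet(IPPROTO_UDP, udp_segment(MAGIC_BYTES + b"run"), ihl_words=6)
NOISE_PKT = ipv4_packet(IPPROTO_UDP, udp_segment(b"hello"))
TCP_PKT = ipv4_packet(IPPROTO_TCP, b"\x00" * 20 + MAGIC_BYTES)   # marker, wrong protocol
TRUNCATED_PKT = ipv4_packet(IPPROTO_UDP, b"")                     # header only, no UDP

if __name__ == "__main__":
    for name, pkt in [("magic", MAGIC_PKT), ("magic+options", MAGIC_PKT_WITH_OPTIONS),
                      ("noise", NOISE_PKT), ("tcp", TCP_PKT), ("truncated", TRUNCATED_PKT)]:
        print(f"{name:14} -> {'reaches process' if accepts(pkt) else 'dropped in kernel'}")
    print(f"filter is {len(pack_filter(MAGIC_FILTER))} bytes, {len(MAGIC_FILTER)} instructions")
```

The point to take from it: the socket the filter is attached to has no port, and the process does not poll anything; it blocks in recv() and is woken only for packets the filter accepts. Everything else is discarded in the kernel before any user-space code runs, which is why a port scan or a listening-socket listing finds nothing, while a raw-socket inventory on the host does.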
Advanced Evasion Techniques
Rapid7 researchers identified seven new BPFDoor variants after analysing almost 300 malware samples. Two of them, icmpShell and httpShell, stand out for how far they go to stay hidden and keep operating undetected.
These versions combine stateless command-and-control with ICMP relays, letting operators manage compromised hosts without the persistent connections and listening ports that network monitoring typically keys on. Because the implant sits inside telecom infrastructure, it is a persistent threat: operators positioned there can intercept and manipulate the communications that transit it.
Stateless C2 and ICMP Relay Enhancements
The new BPFDoor variants change how the implant talks to its controllers. Earlier versions needed a hardcoded attacker IP address in the sample. The new variants instead recognise a sentinel value of -1 in that address field (as a 32-bit IPv4 address, 0xFFFFFFFF, the broadcast address 255.255.255.255), so the controller address no longer has to be baked into the binary and cannot be pulled out of it as a static indicator.
If the magic packet's authentication check fails, the implant does not simply stay dormant: it can act as a covert relay inside the network, tunnelling commands over ICMP through internal hosts and past monitoring that treats ICMP as benign.
BPFDoor also opens separate sockets for TCP, UDP and ICMP, so it keeps working if one channel is blocked. On the host it masquerades under a legitimate-looking process name, timestomps its files so their timestamps blend in with the surrounding system, and cleans up the file descriptors it used to reduce the traces it leaves behind.
Defenders should inventory the processes holding raw and packet sockets on Linux hosts (these are the sockets a BPF filter is attached to), check each such process's displayed name against the executable it was actually started from, and investigate unexpected ICMP traffic between internal hosts.
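The host-side checks above, as an added example: this is illustrative detection code written for this article, not a Rapid7 tool and not anything from the malware itself. It reads the kernel's socket tables in /proc/net/raw and /proc/net/packet, maps each socket inode to the pid holding it through /proc/<pid>/fd, and then compares the name the process presents (its comm and argv[0]) with the binary behind /proc/<pid>/exe, which is where a name-masquerading implant gives itself away. The sample /proc text and the process names used to exercise it are constructed; the inode numbers and paths in them are made up for the example.

```python
import os
import re

# Constructed samples in the formats of /proc/net/raw and /proc/net/packet.
# In /proc/net/raw the "port" half of local_address is the socket's IP protocol
# number (1 = ICMP, 17 = UDP); inode is the tenth field.
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18223 2 0000000000000000 0
  17: 00000000:0011 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18224 2 0000000000000000 0
"""
# AF_PACKET sockets see every frame on an interface; Proto 0003 is ETH_P_ALL.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c3e40a0c000 3      3    0003   2     1 0      0      18225
"""


def parse_raw_sockets(text):
    """Return (ip_protocol, inode) for each line of /proc/net/raw (same layout as raw6)."""
    out = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10:
            out.append((int(f[1].split(":")[1], 16), int(f[9])))
    return out


def parse_packet_sockets(text):
    """Return (ethertype, inode) for each line of /proc/net/packet."""
    out = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 9:
            out.append((int(f[3], 16), int(f[8])))
    return out


def socket_owners(proc="/proc"):
    """Map socket inode -> pid by reading every /proc/<pid>/fd/* link; root sees all of them."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = f"{proc}/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{fd_dir}/{fd}"))
                if m:
                    owners[int(m.group(1))] = int(pid)
        except OSError:
            continue  # process exited or is not ours to inspect
    return owners


def name_findings(comm, argv0, exe):
    """Reasons the presented process name disagrees with the binary actually running."""
    reasons = []
    if exe.endswith(" (deleted)"):       # binary removed after exec: common for memory-resident implants
        reasons.append("executable deleted from disk")
        exe = exe[: -len(" (deleted)")]
    exe_base = os.path.basename(exe)
    # A faked argv[0] such as "/sbin/udevd -d" is one string, so take its first token.
    argv_base = os.path.basename(argv0.split()[0]) if argv0.strip() else exe_base
    if argv_base != exe_base:
        reasons.append(f"argv[0] {argv_base!r} != exe {exe_base!r}")
    # comm is the exe name truncated to 15 characters, or whatever prctl(PR_SET_NAME) set it to.
    if not exe_base.startswith(comm):
        reasons.append(f"comm {comm!r} != exe {exe_base!r}")
    return reasons


def audit(proc="/proc"):
    """Live check: every raw/packet socket on this host, its owning pid, and any name anomalies."""
    def read(path, binary=False):
        with open(path, "rb" if binary else "r") as fh:
            return fh.read()
    owners = socket_owners(proc)
    sockets = [("raw", p, i) for p, i in parse_raw_sockets(read(f"{proc}/net/raw"))]
    sockets += [("packet", p, i) for p, i in parse_packet_sockets(read(f"{proc}/net/packet"))]
    results = []
    for kind, proto, inode in sockets:
        pid = owners.get(inode)
        if pid is None:
            results.append((kind, proto, inode, None, ["owner not visible; rerun as root"]))
            continue
        try:
            comm = read(f"{proc}/{pid}/comm").strip()
            argv0 = read(f"{proc}/{pid}/cmdline", binary=True).split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(f"{proc}/{pid}/exe")
        except OSError as err:
            results.append((kind, proto, inode, pid, [f"could not inspect: {err}"]))
            continue
        results.append((kind, proto, inode, pid, name_findings(comm, argv0, exe)))
    return results


if __name__ == "__main__":
    for kind, proto, inode, pid, reasons in audit():
        print(f"{kind:6} proto={proto:<5} inode={inode:<8} pid={pid} {'; '.join(reasons) or 'ok'}")
```

Run it as root so every /proc/<pid>/fd directory is readable; unprivileged it still lists the sockets but cannot attribute most of them. A raw socket with protocol 1 is an ICMP listener, which is the host-side counterpart of the unexpected ICMP traffic mentioned above. Legitimate holders of raw and packet sockets (DHCP clients, tcpdump, some monitoring agents) will show up too; the name checks are what separate those from a process that calls itself one thing and runs another.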
