New Variant of Linux Backdoor BPFDoor Uncovered After Years of Staying Under the Radar

May 12, 2023

A previously undocumented and largely undetected variant of a Linux backdoor known as BPFDoor has been spotted in the wild, cybersecurity firm Deep Instinct said in a technical report published this week.

“BPFDoor retains its reputation as an incredibly stealthy and challenging-to-detect malware with this latest iteration,” security researchers Shaul Vilkomir-Preisman and Eliran Nissan said.

BPFDoor (aka JustForFun), first documented by PwC and Elastic Security Labs in May 2022, is a passive Linux backdoor associated with a Chinese threat actor called Red Menshen (aka DecisiveArchitect or Red Dev 18), which is known to single out telecom providers across the Middle East and Asia since at least 2021.


The malware is specifically geared towards establishing persistent remote access to compromised target environments for extended periods of time, with evidence pointing to the hacking group operating the backdoor undetected for years.


BPFDoor gets its name from its use of Berkeley Packet Filters (BPF), a technology that makes it possible to inspect and filter network traffic on Linux systems, for network communications and for processing incoming commands.

In doing so, threat actors can penetrate a victim’s system and execute arbitrary code without being detected by firewalls, while at the same time filtering out unnecessary data.

Deep Instinct’s findings come from a BPFDoor artifact that was uploaded to VirusTotal on February 8, 2023. As of writing, only a few security vendors have flagged the ELF binary as malicious.

One of the key traits that make the new version of BPFDoor even more evasive is its removal of many hard-coded indicators, instead incorporating a static library for encryption (libtomcrypt) and a reverse shell for command-and-control (C2) communication.

Upon launch, BPFDoor is configured to ignore various operating system signals to prevent it from being terminated. It then allocates a memory buffer and creates a packet sniffing socket that monitors incoming traffic for a specific Magic Byte sequence by hooking a BPF filter onto the raw socket.

“When BPFdoor finds a packet containing its Magic Bytes in the filtered traffic, it will treat it as a message from its operator and will parse out two fields and will again fork itself,” the researchers said.

“The parent process will continue and monitor the filtered traffic coming through the socket while the child will treat the previously parsed fields as a command-and-control IP-Port combination and will attempt to contact it.”


In the final stage, BPFDoor sets up an encrypted reverse shell session with the C2 server and awaits further instructions to be executed on the compromised machine.
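As an added, defender-side example (not code from the article or from Deep Instinct’s report), the script below lists every SOCK_RAW AF_PACKET socket on a Linux host from /proc/net/packet and resolves which process owns it through /proc/<pid>/fd, since a long-lived process that is not a capture tool yet holds such a socket is the footprint the sniffing stage described above leaves on the host. The /proc/net/packet content in SAMPLE_PROC_NET_PACKET is constructed for the example.

```python
import os
import re

# Constructed sample of /proc/net/packet (not from the page): a SOCK_RAW socket on ethertype 0x0800 and a SOCK_DGRAM one.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a0c3b2d4000 3      3    0800   2     1 0      0      40213
ffff9a0c3b2d5000 3      2    0003   2     1 0      0      40220
"""

def parse_proc_net_packet(text):
    """Parse /proc/net/packet rows; Type 3 is SOCK_RAW, Proto is the bound ethertype (hex)."""
    rows = []
    for line in text.splitlines()[1:]:        # first line is the column header
        parts = line.split()
        if len(parts) < 9:
            continue
        rows.append({"type": int(parts[2]), "proto": int(parts[3], 16), "inode": int(parts[8])})
    return rows

def socket_inodes_by_pid(proc_root="/proc"):
    """Map socket inode -> (pid, comm) by resolving every /proc/<pid>/fd symlink."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            comm = open(os.path.join(proc_root, pid, "comm")).read().strip()
        except OSError:
            continue                           # process exited, or fds not readable as this user
        for target in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))] = (int(pid), comm)
    return owners

def find_raw_packet_sockets(packet_text, owners):
    """Return (pid, comm, ethertype, inode) for each SOCK_RAW AF_PACKET socket found."""
    hits = []
    for row in parse_proc_net_packet(packet_text):
        if row["type"] == 3:                   # raw packet sockets are where a BPF sniffing filter is attached
            pid, comm = owners.get(row["inode"], (None, "unresolved"))
            hits.append((pid, comm, row["proto"], row["inode"]))
    return hits

if __name__ == "__main__":                     # on Linux this inspects the live host; elsewhere the sample
    live = open("/proc/net/packet").read() if os.path.exists("/proc/net/packet") else SAMPLE_PROC_NET_PACKET
    owners = socket_inodes_by_pid() if os.path.isdir("/proc") else {}
    for pid, comm, proto, inode in find_raw_packet_sockets(live, owners):
        print(f"pid={pid} comm={comm} ethertype=0x{proto:04x} inode={inode}")
```

Run it as root to resolve sockets belonging to other users’ processes; an owner shown as "unresolved" means the fd table of that process could not be read, not that no process holds the socket.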

The fact that BPFDoor has remained hidden for such a long period speaks to its sophistication, with threat actors increasingly developing malware that targets Linux systems owing to their prevalence in enterprise and cloud environments.

The development comes as Google announced a new extended Berkeley Packet Filter (eBPF) fuzzing framework called Buzzer to help harden the Linux kernel and ensure that sandboxed programs running in a privileged context are valid and safe.

The tech giant further said the testing approach led to the discovery of a security flaw (CVE-2023-2163) that could be exploited to achieve arbitrary reading and writing of kernel memory.



Some sections of this article are sourced from: thehackernews.com
