A new Linux malware dubbed BPFdoor has recently been identified. It targets Linux and Solaris systems and, what's more, has gone unnoticed for over 5 years.
More Details on the BPFdoor Malware
BPFdoor can be described as a Linux/Unix backdoor that lets attackers connect to a Linux shell remotely. It was detailed in a report by DoublePulsar and also in a report by Sandfly Security. In this way, threat actors retain access to a device that has already been compromised.
This malware shows the following features:
it does not need to open any ports; firewalls cannot block it; and it can respond to commands sent from any IP address on the internet.
Because BPFdoor does not open any inbound network ports, does not use an outbound C2 channel, and renames its own process on Linux (so ps aux, for example, shows an innocuous name), it is highly evasive.
The malware is also a passive backdoor. What does that mean? It can monitor one or more ports for incoming packets from one or more hosts, and threat actors can use those packets to execute commands remotely on the compromised network.
A Berkeley Packet Filter sniffer is employed by this backdoor
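As an added example (not from the article or the cited reports), the following Python script shows one host-level check a defender can run for this kind of passive backdoor: a packet sniffer needs an AF_PACKET raw socket even when no port is listening, so the script parses /proc/net/packet, keeps the SOCK_RAW entries and maps each socket inode back to the process holding it through /proc/<pid>/fd. The sample socket table and fd listing are constructed; the column layout is the real /proc/net/packet format.

```python
import os
import re

# Constructed sample of /proc/net/packet (not from a real infection). Columns:
# sk RefCnt Type Proto Iface R Rmem User Inode; Type 3 = SOCK_RAW, Proto 0003 = ETH_P_ALL.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c0b2a1000 3      3    0003   2     1 0      0      30419
ffff9a1c0b2a2000 3      2    0800   2     1 0      0      30420
"""

# Constructed /proc/<pid>/fd symlink targets: pid 1337 holds the raw socket.
SAMPLE_FD_LINKS = {
    1337: ["/dev/null", "socket:[30419]", "pipe:[111]"],
    812: ["socket:[30420]", "/var/log/dhcp.log"],
}

def parse_packet_sockets(text: str) -> list:
    """Parse /proc/net/packet text into one dict per AF_PACKET socket."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) >= 9:
            rows.append({"type": int(f[2]), "proto": int(f[3], 16),
                         "user": int(f[7]), "inode": int(f[8])})
    return rows

def raw_socket_owners(packet_text: str, fd_links: dict) -> dict:
    """Map every SOCK_RAW packet socket (a sniffer) to the pids holding it."""
    owners = {r["inode"]: [] for r in parse_packet_sockets(packet_text) if r["type"] == 3}
    for pid, links in fd_links.items():
        for link in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", link)
            if m and int(m.group(1)) in owners:
                owners[int(m.group(1))].append(pid)
    return owners

def live_fd_links() -> dict:
    """Read real /proc/<pid>/fd symlinks (Linux only; root needed to see all processes)."""
    out = {}
    for pid in (int(p) for p in os.listdir("/proc") if p.isdigit()):
        try:
            fd_dir = f"/proc/{pid}/fd"
            out[pid] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:  # process exited or permission denied
            continue
    return out

if __name__ == "__main__":  # live scan of this host: {socket inode: [owning pids]}
    print(raw_socket_owners(open("/proc/net/packet").read(), live_fd_links()))
```

Legitimate tools (tcpdump, some DHCP clients) also hold raw packet sockets, so each owner still needs review rather than being treated as proof of compromise. Since the article notes the process renames itself, compare each owner's /proc/<pid>/exe target with the name shown by ps.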