New Stealthy Variant of Linux Backdoor BPFDoor Emerges from the Shadows

A previously undocumented and mostly undetected variant of a Linux backdoor called BPFDoor has been spotted in the wild, cybersecurity firm Deep Instinct said in a technical report published this week.

“BPFDoor retains its reputation as an extremely stealthy and difficult-to-detect malware with this latest iteration,” security researchers Shaul Vilkomir-Preisman and Eliran Nissan said.

BPFDoor (aka JustForFun), first documented by PwC and Elastic Security Labs in May 2022, is a passive Linux backdoor associated with a Chinese threat actor called Red Menshen (aka DecisiveArchitect or Red Dev 18), which is known to single out telecom providers across the Middle East and Asia since at least 2021.

The malware is specifically geared towards establishing persistent remote access to compromised target environments for extended periods of time, with evidence pointing to the hacking crew operating the backdoor undetected for years.

BPFDoor gets its name from the use of Berkeley Packet Filters (BPF) – a technology that makes it possible to analyze and filter network traffic in Linux systems – for network communications and process incoming commands.

In doing so, threat actors can penetrate a victim’s system and execute arbitrary code without being detected by firewalls, while simultaneously filtering out unnecessary data.

Deep Instinct’s findings come from a BPFDoor artifact that was uploaded to VirusTotal on February 8, 2023. As of writing, only three security vendors have flagged the ELF binary as malicious.

One of the key characteristics that make the new version of BPFDoor even more evasive is its removal of many hard-coded indicators and instead incorporating a static library for encryption (libtomcrypt) and a reverse shell for command-and-control (C2) communication.

Upon launch, BPFDoor is configured to ignore various operating system signals to prevent it from being terminated. It then allocates a memory buffer and creates a special packet sniffing socket that monitors for incoming traffic with a specific Magic Byte sequence by hooking a BPF filter onto the raw socket.

“When BPFdoor finds a packet containing its Magic Bytes in the filtered traffic, it will treat it as a message from its operator and will parse out two fields and will again fork itself,” the researchers explained.

“The parent process will continue and monitor the filtered traffic coming through the socket while the child will treat the previously parsed fields as a command-and-control IP-Port combination and will attempt to contact it.”

In the final stage, BPFDoor sets up an encrypted reverse shell session with the C2 server and awaits further instructions to be executed on the compromised machine.

The fact that BPFDoor has remained hidden for a long duration speaks to its sophistication, what with threat actors increasingly developing malware targeting Linux systems owing to their prevalence in enterprise and cloud environments.

The development comes as Google announced a new extended Berkeley Packet Filter (eBPF) fuzzing framework called Buzzer to help harden the Linux kernel and ensure that sandboxed programs that run in a privileged context are valid and safe.

The tech giant further said the testing method led to the discovery of a security flaw (CVE-2023-2163) that could be exploited to achieve arbitrary reading and writing of kernel memory.