New BPFDoor Linux Backdoor Variant Discovered

Linux backdoor BPFDoor
Written by William Reddy

A new, stealthier variant of the BPFDoor Linux backdoor, a family that has been active since 2017, has been discovered. It uses stronger encryption and communicates through reverse shells.

As a reminder, we have also written about the Ice Breaker backdoor seen in attacks on game companies, and about the new Chinese malware Alchimist, which attacks Windows and Linux.

Overall, as the media points out, experts note the growing interest of cybercriminals in Linux systems.

BPFDoor (aka JustForFun) is a backdoor that was first discovered by researchers about a year ago, but it has apparently been active since at least 2017. The malware takes its name from its use of the Berkeley Packet Filter (BPF) to receive instructions, which lets it bypass firewall restrictions on incoming traffic.
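A backdoor that takes its instructions from a BPF filter still has to own the socket the filter is attached to, and on Linux a program that wants to see arbitrary incoming frames normally opens an AF_PACKET socket, every one of which the kernel lists in /proc/net/packet together with its inode. The script below is an added triage example written for this article; it is not code from the article or from Deep Instinct, and it assumes (as packet sniffers generally do, though the article does not say so for this variant) that the implant listens on an AF_PACKET socket. It parses /proc/net/packet, maps each socket inode back to the PID whose fd table references it, and flags raw sockets bound to ETH_P_ALL, which is the broadest capture a process can ask for. The /proc/net/packet sample embedded in the script is constructed, so the parser can be exercised on any machine; the /proc walk only does something on a real Linux host.

```python
"""Triage helper: list the processes that hold AF_PACKET sockets on a Linux host.

Added example for the BPFDoor article, not part of the original text or of
Deep Instinct's research. Assumes the implant receives its trigger packets
through an AF_PACKET socket; legitimate sniffers and network agents hold
such sockets too, so the output is a short review list, not a verdict.
"""
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample of /proc/net/packet (real column layout, made-up values).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a0c1b2c3d4e 3      3    0003   2     1 0      0      23456
ffff9a0c1b2c4f50 2      2    0800   0     0 0      1000   23789
"""

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}


@dataclass
class PacketSocket:
    sock_type: str
    proto: int   # ethertype the socket is bound to; 0x0003 is ETH_P_ALL (every frame)
    iface: int   # ifindex; 0 means not bound to a single interface
    uid: int
    inode: int

    def sees_all_traffic(self) -> bool:
        """True for a raw socket bound to ETH_P_ALL, the broadest possible capture."""
        return self.sock_type == "SOCK_RAW" and self.proto == 0x0003


def parse_packet_sockets(text: str) -> List[PacketSocket]:
    """Parse the text of /proc/net/packet into PacketSocket records."""
    sockets = []
    for line in text.splitlines()[1:]:        # the first line is the column header
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append(PacketSocket(
            sock_type=SOCK_TYPES.get(int(fields[2]), f"type{fields[2]}"),
            proto=int(fields[3], 16),
            iface=int(fields[4]),
            uid=int(fields[7]),
            inode=int(fields[8]),
        ))
    return sockets


def socket_owners(inodes: Iterable[int]) -> Dict[int, List[int]]:
    """Map socket inodes to the PIDs whose fd tables reference them (Linux only)."""
    inodes = list(inodes)
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners: Dict[int, List[int]] = {i: [] for i in inodes}
    try:
        pids = [p for p in os.listdir("/proc") if p.isdigit()]
    except OSError:                           # not a Linux host, nothing to walk
        return owners
    for pid in pids:
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:                       # process exited, or we lack permission
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in wanted:
                owners[wanted[target]].append(int(pid))
    return owners


def process_name(pid: int) -> Optional[str]:
    """Return the process's comm name, or None if it cannot be read."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return None


def main() -> None:
    try:
        with open("/proc/net/packet") as f:
            text = f.read()
    except OSError:
        print("no /proc/net/packet here; parsing the constructed sample instead")
        text = SAMPLE_PROC_NET_PACKET
    sockets = parse_packet_sockets(text)
    owners = socket_owners(s.inode for s in sockets)
    for s in sockets:
        pids = owners.get(s.inode, [])
        names = ", ".join(f"{p} ({process_name(p)})" for p in pids) or "owner not found"
        flag = "  <-- raw ETH_P_ALL socket, review this process" if s.sees_all_traffic() else ""
        print(f"inode {s.inode} {s.sock_type} proto=0x{s.proto:04x} uid={s.uid}: {names}{flag}")


if __name__ == "__main__":
    main()
```

Run it as root, since /proc/<pid>/fd of other users' processes is not readable otherwise. Expect hits from tcpdump, DHCP clients, LLDP or monitoring agents and similar software; the question for each flagged PID is whether its binary, parent and start time are what that host should have, which is a check static antivirus signatures cannot replace once the implant's commands are no longer hard-coded.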

Figure: BPFDoor attack

Until 2022, the backdoor used RC4 encryption, bind shells and iptables for communication, and its commands and filenames were hard-coded. According to Deep Instinct researchers, the newly discovered BPFDoor variant uses different encryption, communicates through reverse shells, and receives all of its commands from the C&C server.

Figure: Differences between the two versions

In this way, the malware developers have improved stealth and obfuscation; in particular, they have removed the dependency on external libraries.

Experts write that the main advantage of reverse shells in the new version is that the infected host initiates the connection to the command and control servers, so communication with the attackers' servers works even when the victim's network is protected by a firewall that blocks inbound connections.

In turn, the removal of hard-coded commands from BPFDoor has reduced the likelihood that antivirus software will detect malware using static analysis (for example, based on signatures). In theory, this also gives the malware more flexibility and a more varied set of commands.

Deep Instinct notes that at the time of analysis, the new version of BPFDoor was not identified as malicious by any of the available antivirus engines on VirusTotal, although it first appeared on the platform back in February 2023.

About the author

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.
