A new backdoor malware that gives threat actors complete access to infected systems has been discovered. According to the researchers, the malware, named BPFdoor, can bypass firewalls and does not require opening any new ports for communication.
A passive backdoor
BPFdoor can blend malicious traffic into legitimate traffic seamlessly, which makes it difficult to detect.
BPFdoor uses a Berkeley Packet Filter (BPF) sniffer to observe all network traffic and to send packets. The malware is classified as a passive backdoor: it listens on ports for incoming packets from one or several hosts. Because it operates at such a low level, firewall applications do not see it.
The operators of BPFdoor control the target system with a magic password. BPFdoor inspects ICMP, UDP, and TCP packets for specific magic data values, and UDP and TCP packets for the password as well. The malware can monitor any port, even one already in use by another service.
When the infected system receives the right magic data and password, the malware activates and becomes a backdoor that allows remote command execution, after modifying iptables rules so that its communications slip past firewall applications.
While this is happening, it also changes its process name, for evasion, to one chosen at random from the list below:
- /sbin/udevd -d
- /sbin/mingetty /dev/tty7
- /usr/sbin/console-kit-daemon --no-daemon
- hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event
- dbus-daemon --system
- hald-runner
- pickup -l -t fifo -u
- avahi-daemon: chroot helper
- /sbin/auditd -n
- /usr/lib/systemd/systemd-journald
Just before the malware runs, it renames itself to /dev/shm/kdmtmpflush. When its job is done, it changes the binary's timestamp to 30 October 2008 before deleting it. The date change is thought to keep the file hidden from checks for recently created files, should the deletion somehow fail.
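The disguise names, the /dev/shm/kdmtmpflush path, and the 2008 timestamp are all host-side traits a defender can hunt for. The following is an added example written for this article, not tooling from any of the researchers cited: it flags processes that carry one of the listed names but run from outside the normal system directories or from an already-deleted file, and checks whether a file's mtime was back-dated to 30 October 2008. The sample process records and mtime are constructed for the example; `scan_proc()` reads a live Linux /proc.

```python
"""Hunt for the BPFdoor host traits described above: a disguise name on a process
whose real executable is not a system binary or was already deleted, and a file
whose mtime was stomped to 30 Oct 2008. Example code for this article, not from
any researcher's tooling; the sample records and mtime below are constructed."""
import os
from datetime import datetime, timezone

DISGUISES = {  # argv[0] strings the article lists as BPFdoor's disguises
    "/sbin/udevd -d", "/sbin/mingetty /dev/tty7",
    "/usr/sbin/console-kit-daemon --no-daemon",
    "hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event",
    "dbus-daemon --system", "hald-runner", "pickup -l -t fifo -u",
    "avahi-daemon: chroot helper", "/sbin/auditd -n",
    "/usr/lib/systemd/systemd-journald",
}
SYSTEM_DIRS = ("/sbin/", "/usr/sbin/", "/bin/", "/usr/bin/", "/lib/", "/usr/lib/")
STOMPED_DATE = (2008, 10, 30)  # date BPFdoor stamps on its binary before deleting it

def suspicious_processes(records):
    """records: (pid, cmdline, exe) triples from /proc/<pid>/cmdline and
    readlink(/proc/<pid>/exe). Flags pids wearing a disguise name that run from
    outside the system directories or from an unlinked file (exe ends ' (deleted)')."""
    return [pid for pid, cmdline, exe in records
            if cmdline in DISGUISES
            and (not exe.startswith(SYSTEM_DIRS) or exe.endswith(" (deleted)"))]

def is_timestomped(mtime_epoch):
    """True when a file's mtime (read as UTC) falls on the date BPFdoor back-dates to."""
    d = datetime.fromtimestamp(mtime_epoch, tz=timezone.utc)
    return (d.year, d.month, d.day) == STOMPED_DATE

def scan_proc():
    """Collect (pid, cmdline, exe) from a live Linux /proc; empty on other systems."""
    records = []
    pids = [p for p in os.listdir("/proc") if p.isdigit()] if os.path.isdir("/proc") else []
    for pid in pids:
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
            records.append((int(pid), cmdline, os.readlink(f"/proc/{pid}/exe")))
        except OSError:  # process exited, kernel thread, or not ours to inspect
            continue
    return records

# Constructed sample: a genuine auditd, a disguised process whose binary was deleted
# from /dev/shm, a disguised process running from /tmp, and a plain shell.
SAMPLE_RECORDS = [(101, "/sbin/auditd -n", "/sbin/auditd"),
                  (4242, "/sbin/auditd -n", "/dev/shm/kdmtmpflush (deleted)"),
                  (4243, "dbus-daemon --system", "/tmp/.x"),
                  (7, "bash", "/usr/bin/bash")]
SAMPLE_STOMPED_MTIME = 1225368000  # 2008-10-30 12:00:00 UTC (constructed)
```

Run `suspicious_processes(scan_proc())` as root to cover every process; the cmdline check only catches the names in this article's list, so refresh the set as the malware's disguises change.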
Detected on Speedtest servers as well
The malware is constantly updated to change the names of its processes, files, and commands, which makes it even harder to detect. According to Kevin Beaumont of DoublePulsar, BPFdoor activity has been detected in organizations' networks in the U.S., South Korea, Hong Kong, Turkey, India, Vietnam, Myanmar, and several other countries. The malware was also discovered on some Speedtest servers, which were running closed-source software.
Researchers at Sandfly Security state that BPFdoor's redirecting feature is unique and very dangerous, since the malicious traffic blends seamlessly into legitimate traffic, making it much harder to detect. Some other researchers believe that the malware is backed by the Chinese threat actor Red Menshen, which attacked communications companies in the Middle East and Asia in 2021.