A new, more stealthy variant of the BPFDoor Linux malware, active since 2017, has been discovered. This version features more secure encryption, as well as a mechanism for communicating with reverse shells.
BPFDoor (aka JustForFun) is a backdoor that was first discovered by experts about a year ago, but has been active since at least 2017. The malware got its name from its use of the Berkeley Packet Filter (BPF) to receive instructions while bypassing firewall restrictions on incoming traffic.
Until now, the backdoor used RC4 encryption, bind shells and iptables for communication, and its commands and filenames were hardcoded. As Deep Instinct researchers now report, the newly discovered variant uses different encryption, reverse shells for communication, and all commands are now sent by the C&C server.
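Because BPFDoor takes its instructions from raw packets matched by a BPF filter rather than from a listening port, a port scan will not reveal it; a process holding an AF_PACKET socket will. The following hunting script is an added example, not code from the article or from Deep Instinct: it parses /proc/net/packet (column layout as printed by the kernel's af_packet.c) and maps raw all-protocol sockets back to the PIDs that own them. The sample /proc/net/packet content is constructed.

```python
import os
from dataclasses import dataclass

# Constructed sample of /proc/net/packet (not from the article); column layout as
# printed by the kernel's af_packet.c: sk RefCnt Type Proto Iface R Rmem User Inode
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c1e4a2b3000 3      3    0003   0     1 0      0      41573
ffff9c1e4a2b3800 2      2    0800   2     1 0      0      41620
"""
SOCK_RAW, ETH_P_ALL = 3, 0x0003   # raw frames, every ethertype: how a sniffer listens

@dataclass
class PacketSocket:
    sock_type: int
    proto: int
    ifindex: int   # 0 = bound to all interfaces
    inode: int

    def is_raw_sniffer(self) -> bool:
        """Raw socket receiving all protocols: what a BPF-driven listener needs.
        tcpdump and some DHCP clients match too, so allowlist known owners."""
        return self.sock_type == SOCK_RAW and self.proto == ETH_P_ALL

def parse_proc_net_packet(text: str) -> list:
    """Parse the text of /proc/net/packet; the first row is the header."""
    rows = [ln.split() for ln in text.splitlines()[1:]]
    return [PacketSocket(int(c[2]), int(c[3], 16), int(c[4]), int(c[8])) for c in rows if len(c) >= 9]

def owners_of_socket_inodes(inodes, proc_root="/proc") -> dict:
    """Map socket inodes to PIDs whose fd table links to socket:[INODE]."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {i: [] for i in inodes}
    for pid in filter(str.isdigit, os.listdir(proc_root)) if wanted else ():
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target in wanted:
                    owners[wanted[target]].append(int(pid))
        except OSError:
            continue   # process exited, or fd table not readable without root
    return owners

def hunt(proc_root="/proc"):
    """Return suspicious packet sockets and the PIDs holding them (run as root)."""
    with open(os.path.join(proc_root, "net", "packet")) as f:
        suspects = [s for s in parse_proc_net_packet(f.read()) if s.is_raw_sniffer()]
    return suspects, owners_of_socket_inodes([s.inode for s in suspects], proc_root)
```

Any PID returned by hunt() that is not a known sniffer or DHCP client deserves a look at its executable path and command line.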
In this way, malware developers have achieved improved stealth and obfuscation, as they have eliminated the dependency on external libraries.
Experts write that the main advantage of using reverse shells in the new version is that the infected host itself initiates the connection to the command and control servers, which keeps communication with the attackers’ servers working even if the victim’s network is protected by a firewall that blocks inbound connections.
In turn, the removal of hard-coded commands from BPFDoor has reduced the likelihood that antivirus software will detect the malware using static analysis (for example, based on signatures). This also gives the malware more flexibility and a more varied set of commands.
Deep Instinct notes that at the time of analysis, the new version of BPFDoor was not identified as malicious by any of the available antivirus engines on VirusTotal, although it first appeared on the platform back in February 2021.