Jump to content
  • If you use Linux - watch out for this stealthy new malware

    aum

    • 428 views
    • 2 minutes
     Share


    • 428 views
    • 2 minutes

    Experts have recently discovered an upgraded version of the BPFDoor malware for Linux, that’s seemingly harder to spot - and aAs a result, no antivirus programs are still flagging the executable as malicious.

     

    Cybersecurity researchers from Deep Instinct noted that BPFDoor, which was first discovered in 2022, has been active since at least 2017. The tool got its name from the (ab)use of the Berkley Packet Filter (BPF), which it uses to get instructions and bypass any firewalls.

     

    Its design allows the threat actors to remain undetected on a compromised Linux system for longer periods of time, it was said. BPFDoor’s key feature is allowing threat actors to see all network traffic and find vulnerabilities, as well as sending out remote code through (now) unfiltered and unblocked channels.

     

    An eye on network traffic

     

    Furthermore, BPFDoor is capable of blending malicious traffic with the legitimate one, making detection and remediation even more difficult.

     

    But given that no antivirus still flag BPFDoor as malicious, system administrators’ only way of detecting it is to “vigorously” monitor network traffic and logs, BleepingComputer adds. They should use state-of-the-art endpoint protection solutions, and monitor the file integrity on "/var/run/initd.lock.” as that’s where BPFDoor creates and locks a runtime before forking itself to run as a child process.

     

    TheHackerNews also claims that BPFDoor is usually used by Red Menshen, a threat actor associated with China. The group, active since 2021, has been mostly targeting Linux operating systems belonging to telecommunications providers in the Middle East and Asia, as well as government organizations, education firms, and logistics companies, it says on Malpedia.

     

    After gaining initial access, the group would use various custom tools, such as Mangzamel, Gh0st, Mimikatz, and Metasplit.

     

    Most of the group’s activity takes place during workdays and during working hours (9-5, Monday to Friday).

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...