Jump to content
  • This Linux backdoor went undetected for 10 years

    aum

    • 557 views
    • 3 minutes
     Share


    • 557 views
    • 3 minutes

    New details have emerged regarding a previously undetected Linux backdoor that is believed to have been created by the notorious Equation Group which has ties to the US National Security Agency (NSA).

     

    According to a new report from the cybersecurity firm Pangu, security researchers from its Advanced Cyber Security Research team first found the malware behind the backdoor back in 2013 while conducting a “forensic investigation of a host in a key domestic department”. At that time, the team decided to name the malware Bvp47 due to the fact that the most common string in the sample was “Bvp” and 0x47 was the numerical value used in its encryption algorithm.

     

    Despite the fact that Bvp47 was submitted to Virus Total's antivirus database almost a decade ago, it only appeared in one antivirus engine. Things have changed with the release of Pangu's report and it has now been flagged by six antivirus engines according to BleepingComputer.

     

    During the almost ten years that the Bvp47 malware went undetected, it was used to hit more than 287 organizations in 45 countries with a focus on targets in the telecommunications, military, higher-education, financial and science sectors.

     

    Ties to the Equation Group

     

    The Bvp47 sample that was obtained from Pangu's Advanced Cyber Security Research team back in 2013 turned out to be an advanced Linux backdoor that also contained a remote control function protected using the RSA asymmetric encryption algorithm.

    As such it requires a private key to enable and this private key was found in a series of leaks published by the Shadow Brokers hacking group during 2016-2017. The leaks themselves also contained hacking tools and zero-day exploits used by the Equation Group which is suspected of having ties to the NSA's Tailored Access Operations unit.

     

    Some of the components found in these leaks such as “dewdrop” and “solutionchar_agents” were integrated into the Bvp47 framework which indicates that its backdoor could be used on Unix-based operating systems such as the mainstream Linux distros JunOS, FreeBSD and Solaris.

     

    Based on automated analysis of the backdoor by Kaspersky's Threat Attribution Engine (KTAE), 34 out of 483 strings found in Bvp47 match those from from another Equation Group-related sample for Solaris SPARC systems. There was also a 30 percent similarity with another malware sample from the Equation Group which was submitted to Virus Total back in 2018.

     

    Director of global research and the analysis team at Kapsersky, Costin Raiu told BleepingComputer that Bvp47's code-level similarities also match one other sample in its malware collection. This is a good indication that use of this malware wasn't widespread as is often the case with hacking tools created by high-level threat actors that only deploy them in highly targeted attacks.

     

    Now that Bvp47's Linux backdoor has finally come to light, security researchers will likely conduct further analysis on it and we could see more evidence that it was used in other past attacks as well.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...