BleepingComputer reports that Linux and Solaris systems have been targeted by the BPFdoor backdoor malware for more than five years without being detected.
BPFdoor uses a Berkeley Packet Filter sniffer, so it can receive its traffic regardless of the host's firewall rules. The backdoor, which could also be ported to BSD, takes anti-forensic measures: it alters "iptables" rules, and it renames the binary and changes its data before deleting it, all in an effort to evade detection, according to Sandfly Security founder Craig Rowland.
A separate report from security researcher Kevin Rowland revealed that the BPFdoor implant's actions are controlled by a "magic" password: "magic" data and the password carried in TCP and UDP packets trigger command execution.
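Two of the host-visible traits described above, a packet-sniffing socket that sees traffic before firewall rules apply and a binary deleted from disk while its process keeps running, can both be checked from /proc on Linux. The script below is an added example written for this page; it is not code from BleepingComputer, Sandfly Security or any of the researchers cited. The sample /proc/net/packet text, the fd-link table and the exe-link table are constructed, the process names and inode numbers in them are invented, and the function names are this example's own.

```python
"""Host check for two BPFdoor-style traits on Linux:
 1. a process holding an AF_PACKET socket (a sniffer that receives frames
    before iptables filtering is applied);
 2. a process whose on-disk executable has been deleted while it keeps running.
The analysis functions take text and dicts so they run offline on the
constructed samples; collect_live() gathers the real tables from /proc.
"""
import os
from dataclasses import dataclass, field

ETH_P_ALL = 0x0003  # protocol value meaning "deliver every frame", typical for a sniffer

# Constructed sample of /proc/net/packet (column layout follows the kernel's).
SAMPLE_PACKET_TEXT = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      18321
0000000000000000 3      3    0800   2     1 0      0      19007
"""

# Constructed: pid -> targets of the symlinks under /proc/<pid>/fd/
SAMPLE_FD_LINKS = {
    1337: ["/dev/null", "/dev/null", "socket:[18321]"],
    2200: ["pipe:[4455]", "socket:[19007]"],
    41: ["/var/log/syslog"],
}

# Constructed: pid -> target of /proc/<pid>/exe (the kernel appends " (deleted)"
# when the file behind a running process has been unlinked).
SAMPLE_EXE_LINKS = {
    1337: "/dev/shm/example_implant (deleted)",  # invented name
    2200: "/usr/sbin/tcpdump",
    41: "/usr/sbin/rsyslogd",
}


def parse_proc_net_packet(text):
    """Return one dict per AF_PACKET socket with its type, protocol and inode."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 9:
            continue
        sockets.append({"type": int(cols[2]),
                        "proto": int(cols[3], 16),  # Proto column is hexadecimal
                        "inode": int(cols[8])})
    return sockets


def inode_owners(fd_links):
    """Map socket inode -> set of pids that hold a file descriptor on it."""
    owners = {}
    for pid, targets in fd_links.items():
        for target in targets:
            if target.startswith("socket:[") and target.endswith("]"):
                inode = int(target[len("socket:["):-1])
                owners.setdefault(inode, set()).add(pid)
    return owners


def find_deleted_exes(exe_links):
    """Pids whose executable no longer exists on disk."""
    return sorted(pid for pid, target in exe_links.items() if target.endswith(" (deleted)"))


@dataclass
class Finding:
    pid: int
    reasons: list = field(default_factory=list)

    @property
    def severity(self):
        # A sniffer socket alone is common for legitimate tools (tcpdump, DHCP
        # clients); the combination with a deleted binary is what stands out.
        return "high" if len(self.reasons) > 1 else "medium"


def assess(packet_text, fd_links, exe_links):
    """Correlate sniffer sockets and deleted executables per pid."""
    owners = inode_owners(fd_links)
    by_pid = {}
    for sock in parse_proc_net_packet(packet_text):
        for pid in owners.get(sock["inode"], ()):
            note = "AF_PACKET socket inode %d proto 0x%04x" % (sock["inode"], sock["proto"])
            if sock["proto"] == ETH_P_ALL:
                note += " (ETH_P_ALL: sees all frames before iptables filtering)"
            by_pid.setdefault(pid, Finding(pid)).reasons.append(note)
    for pid in find_deleted_exes(exe_links):
        by_pid.setdefault(pid, Finding(pid)).reasons.append(
            "running executable deleted from disk: " + exe_links[pid])
    return [by_pid[pid] for pid in sorted(by_pid)]


def collect_live():
    """Read the real tables from /proc (run as root to see other users' fds)."""
    with open("/proc/net/packet") as fh:
        packet_text = fh.read()
    fd_links, exe_links = {}, {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe_links[pid] = os.readlink(f"/proc/{pid}/exe")
            fd_dir = f"/proc/{pid}/fd"
            fd_links[pid] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # kernel threads, processes that exited mid-scan, or EPERM
    return packet_text, fd_links, exe_links


if __name__ == "__main__":
    for f in assess(SAMPLE_PACKET_TEXT, SAMPLE_FD_LINKS, SAMPLE_EXE_LINKS):
        print(f"pid {f.pid} [{f.severity}]: " + "; ".join(f.reasons))
```

Run as-is it evaluates the constructed samples and reports pid 1337 as high (sniffer socket plus deleted binary) and pid 2200 as medium (a sniffer socket held by a normal capture tool); on a live host replace the sample arguments with `assess(*collect_live())`. The severity split matters in practice: AF_PACKET sockets by themselves generate noise, so the correlation with a deleted executable, and ideally with unexpected iptables changes, is what should page an analyst.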
The U.S., India, South Korea, Turkey, Hong Kong, Vietnam, and Myanmar were most targeted by the malware, the report found.
Meanwhile, PricewaterhouseCoopers researchers have attributed BPFdoor to the Chinese threat actor Red Menshen, which has been using the malware in attacks against organizations in Asia and the Middle East.