Malware, Vulnerability Management

New BPFDoor malware variant adds stealth

Operators of the BPFDoor malware have updated the Linux backdoor to use static library encryption and reverse shell communication in a bid to better evade detection by antivirus systems, according to BleepingComputer. Hardcoded commands have also been removed from the updated BPFDoor malware, which continues to evade detection by every VirusTotal AV engine despite having been submitted to the platform in February, a report from Deep Instinct revealed. Researchers noted that on execution BPFDoor creates and locks a runtime file, then forks and runs as a child process that ignores numerous OS signals. BPFDoor then monitors incoming traffic for a "magic" byte sequence through a packet sniffing socket. "When BPFdoor finds a packet containing its 'magic' bytes in the filtered traffic, it will treat it as a message from its operator and will parse out two fields and will again fork itself. The parent process will continue and monitor the filtered traffic coming through the socket while the child will treat the previously parsed fields as a Command & Control IP-Port combination and will attempt to contact it," said Deep Instinct.
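Two of the behaviours described above, a packet sniffing socket and a process that ignores many OS signals, are visible from Linux's /proc filesystem, and the following added example (not code from the BleepingComputer or Deep Instinct reports) shows a defender's hunting heuristic built on them: map every AF_PACKET socket in /proc/net/packet to the PIDs holding it open, and count ignored signals from the SigIgn mask in /proc/<pid>/status. The /proc/net/packet sample and the temporary /proc lookalike are constructed for the demo; run the same functions against a live /proc to triage real hosts.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sample of /proc/net/packet (not a real capture): two AF_PACKET sockets.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c5e3a1b2c00 3      3    0003   2     1 0      0      36521
ffff9c5e3a1b2d00 3      3    0000   0     1 0      1000   40222
"""

def packet_socket_inodes(proc_net_packet_text):
    """Inode numbers of every AF_PACKET socket listed in /proc/net/packet."""
    rows = [ln.split() for ln in proc_net_packet_text.splitlines()[1:]]  # skip header
    return {int(r[-1]) for r in rows if len(r) >= 9}                    # Inode is the last column

def socket_inode_owners(proc_root, inodes):
    """Map each packet-socket inode to the PIDs holding it open (via /proc/<pid>/fd links)."""
    owners = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            targets = [os.readlink(str(fd)) for fd in (entry / "fd").iterdir()]
        except OSError:                                   # process exited or no permission
            continue
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and int(m.group(1)) in inodes:
                owners.setdefault(int(m.group(1)), set()).add(int(entry.name))
    return owners

def ignored_signal_count(status_text):
    """Number of signals a process ignores, from the SigIgn bitmask in /proc/<pid>/status."""
    m = re.search(r"^SigIgn:\s*([0-9a-fA-F]+)", status_text, re.M)
    return bin(int(m.group(1), 16)).count("1") if m else 0

def run_demo():
    """Build a constructed /proc lookalike in a temp dir and run both checks over it."""
    root = Path(tempfile.mkdtemp())
    fd_dir = root / "123" / "fd"
    fd_dir.mkdir(parents=True)
    os.symlink("socket:[36521]", fd_dir / "3")            # constructed: PID 123 holds the sniffer socket
    (root / "123" / "status").write_text("Name:\tsample\nSigIgn:\t00000000f7fffefe\n")
    inodes = packet_socket_inodes(SAMPLE_PROC_NET_PACKET)
    owners = socket_inode_owners(root, inodes)
    return inodes, owners, ignored_signal_count((root / "123" / "status").read_text())
```

A process that both owns a packet socket and ignores most signals is worth a closer look, since legitimate sniffers (tcpdump, DHCP clients) rarely mask signals that broadly.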
