New research into the inner workings of the
stealthy BPFdoor malware for Linux and Solaris reveals that the threat actor behind it leveraged an old vulnerability to achieve persistence on targeted systems.
BPFDoor is a custom backdoor that has been used largely undetected for at least five years in attacks against telecommunications, government, education, and logistics organizations.
The malware was discovered only recently and reported first by researchers from PricewaterhouseCoopers (PwC), who attributed it to a China-based threat actor they track as Red Menshen.
PwC found BPFDoor during an incident response engagement in 2021. Looking closer at the malware, the researchers noticed that it received commands from Virtual Private Servers (VPS) controlled through compromised routers in Taiwan.
Subsequent, comprehensive research from
Craig Rowland, the founder of Sandfly Security, and
Kevin Beaumont showed the highly insidious nature of the malware, which can virtually bypass most detection systems. BPFDoor can't be stopped by firewalls, it can function without opening any ports and does not need a command and control server as it can receive commands from any IP address on the web.
