BPFDoor malware uses Solaris vulnerability to get root privileges

LASER_oneXM

Level 37
Thread author
Verified
Top poster
Well-known
Feb 4, 2016
2,520
New research into the inner workings of the stealthy BPFdoor malware for Linux and Solaris reveals that the threat actor behind it leveraged an old vulnerability to achieve persistence on targeted systems.
BPFDoor is a custom backdoor that has been used largely undetected for at least five years in attacks against telecommunications, government, education, and logistics organizations.

The malware was discovered only recently and reported first by researchers from PricewaterhouseCoopers (PwC), who attributed it to a China-based threat actor they track as Red Menshen.
PwC found BPFDoor during an incident response engagement in 2021. Looking closer at the malware, the researchers noticed that it received commands from Virtual Private Servers (VPS) controlled through compromised routers in Taiwan.

Subsequent, comprehensive research from Craig Rowland, the founder of Sandfly Security, and Kevin Beaumont showed the highly insidious nature of the malware, which can virtually bypass most detection systems. BPFDoor can't be stopped by firewalls, it can function without opening any ports and does not need a command and control server as it can receive commands from any IP address on the web.
 
  • Like
Reactions: upnorth

upnorth

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
4,984
two Windows scripts
Animated GIF