BPFdoor: Stealthy Linux malware bypasses firewalls for remote access (Security News, May 2022)
A recently discovered backdoor malware called BPFdoor has been stealthily targeting Linux and Solaris systems without being noticed for more than five years.
BPFdoor is a Linux/Unix backdoor that allows threat actors to remotely connect to a Linux shell to gain complete access to a compromised device.
BPFdoor parses only ICMP, UDP, and TCP packets, checking them for a specific data value, and also a password for the latter two types of packets.
What makes BPFdoor stand out is that it can monitor any port for the magic packet, even if those ports are used by other legitimate services, such as web servers, FTP, or SSH. If the TCP and UDP packets carry the right "magic" data and a correct password, the backdoor springs into action and executes a supported command, such as setting up a bind or reverse shell.
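Watching every port at once without owning a listening TCP/UDP port requires a packet socket with a filter attached; that detail comes from public analyses of BPFdoor, not from this article. Below is an added defender-side check (not the article's or the malware's code) that lists AF_PACKET sockets from /proc/net/packet, flags raw sockets bound to all protocols, and maps them to the owning PIDs; the sample table is constructed.

```python
"""Added example: find processes holding raw, all-protocol packet sockets on Linux."""
import os
from dataclasses import dataclass

SOCK_RAW = 3        # "Type" column value for a raw packet socket
ETH_P_ALL = 0x0003  # "Proto" column value meaning every Ethernet protocol


@dataclass
class PacketSocket:
    sock_type: int
    proto: int
    iface: int
    inode: int

    def is_all_port_sniffer(self) -> bool:
        # A raw socket taking every protocol sees every port's traffic, which is
        # what a magic-packet listener needs; DHCP clients and tcpdump show up too.
        return self.sock_type == SOCK_RAW and self.proto == ETH_P_ALL


def parse_proc_net_packet(text: str) -> list[PacketSocket]:
    """Parse the whitespace table of /proc/net/packet (header row starts with 'sk')."""
    sockets = []
    for line in text.splitlines():
        cols = line.split()  # sk RefCnt Type Proto Iface R Rmem User Inode
        if len(cols) < 9 or cols[0] == "sk":
            continue
        sockets.append(PacketSocket(int(cols[2]), int(cols[3], 16), int(cols[4]), int(cols[8])))
    return sockets


def pids_holding_inode(inode: int, proc: str = "/proc") -> list[int]:
    """Return PIDs whose fd table links to socket:[inode]; needs read access to /proc."""
    target, holders = f"socket:[{inode}]", []
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return holders
    for pid in pids:
        fd_dir = f"{proc}/{pid}/fd"
        try:
            if any(os.readlink(f"{fd_dir}/{fd}") == target for fd in os.listdir(fd_dir)):
                holders.append(int(pid))
        except OSError:  # process exited or permission denied
            continue
    return holders


# Constructed sample: a DGRAM IPv4-only socket and a raw ETH_P_ALL socket.
SAMPLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      2      0800   2     1 0      0      21345
0000000000000000 3      3      0003   0     1 0      0      98765
"""


def suspicious_inodes(text: str = SAMPLE) -> list[int]:
    return [s.inode for s in parse_proc_net_packet(text) if s.is_all_port_sniffer()]


if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        for ino in suspicious_inodes(f.read()):
            print(ino, pids_holding_inode(ino))
```

Hits are leads, not verdicts: compare the owning process's binary, parent and command line against what the host legitimately runs.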
Tristan Pourcelot says that while BPFdoor does not use novel or complicated techniques it still managed to stay stealthy for an extended period.
The researchers BleepingComputer talked to about BPFdoor did not attribute the malware to any threat actor.