The BPFDoor backdoor developers have created a new variant with upgraded stealth capabilities. The upgraded version carries more robust encryption and switches to reverse-shell communications. The Chinese threat group Red Menshen is the actor associated with the backdoor and has used BPFDoor to establish persistence inside compromised networks.
Based on the reports, when the backdoor is activated on a compromised system it creates and locks a runtime file and then forks a child process. The process sets itself to ignore several operating-system signals so that it cannot easily be stopped, allocates a memory buffer, prepares a packet-sniffing socket and filters incoming traffic for a specific byte sequence (the "magic" bytes) that marks a packet as coming from its operator.
Researchers also explained that, because the sniffing socket operates at the packet level, below the host's application-layer firewall, the malware sees the trigger packet even when no service is listening on the destination port and the port is blocked for ordinary connections. When the magic bytes arrive it forks again: the parent keeps sniffing while the child establishes a connection to the command-and-control server and awaits further instructions.
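The distinguishing footprint of the behaviour described above is a process holding an AF_PACKET (link-layer) socket, which on Linux is listed in /proc/net/packet. The following hunt script is an added example written for this article, not code from the BPFDoor reports: it maps the socket inodes in /proc/net/packet to the PIDs whose /proc/<pid>/fd entries reference them and flags holders that are not expected sniffers. The sample /proc data, PIDs and process names are constructed so the script runs offline; the KNOWN_SNIFFERS list is an assumption to adjust per environment.

```python
"""Hunt for processes that hold AF_PACKET (link-layer) sockets, the footprint
a BPFDoor-style sniffer leaves on a Linux host.  Added example, not code from
the BPFDoor reports.  Socket inodes from /proc/net/packet are mapped to the
PIDs whose /proc/<pid>/fd entries reference them; the sample data below is
constructed so the script runs offline."""
import os
import re
from typing import Dict, List, Set

SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

# Processes that legitimately open packet sockets on many hosts (assumed list).
# A name match is weak evidence: any process can set its own comm, so confirm
# the binary via /proc/<pid>/exe before dismissing a hit.
KNOWN_SNIFFERS = {"dhclient", "dhcpcd", "tcpdump", "systemd-networkd", "NetworkManager"}


def packet_socket_inodes(proc_net_packet: str) -> Set[str]:
    """Return the socket inodes listed in /proc/net/packet (last column)."""
    inodes: Set[str] = set()
    for line in proc_net_packet.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) >= 9:
            inodes.add(fields[-1])
    return inodes


def socket_owners(inodes: Set[str], fd_links: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """Map PIDs to the packet-socket inodes among their open descriptors.

    fd_links: pid -> readlink() targets of every entry in /proc/<pid>/fd."""
    owners: Dict[int, List[str]] = {}
    for pid, links in fd_links.items():
        held = []
        for link in links:
            m = SOCKET_LINK.fullmatch(link)
            if m and m.group(1) in inodes:
                held.append(m.group(1))
        if held:
            owners[pid] = sorted(held)
    return owners


def suspicious(owners: Dict[int, List[str]], comm: Dict[int, str]) -> Dict[int, str]:
    """Packet-socket holders whose process name is not an expected sniffer."""
    return {pid: comm.get(pid, "?") for pid in owners if comm.get(pid) not in KNOWN_SNIFFERS}


def live_scan() -> Dict[int, str]:
    """Run the hunt on the current host (root is needed to read every /proc/<pid>/fd)."""
    with open("/proc/net/packet") as f:
        inodes = packet_socket_inodes(f.read())
    fd_links: Dict[int, List[str]] = {}
    comm: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid, fd_dir = int(entry), f"/proc/{entry}/fd"
        try:
            fd_links[pid] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            with open(f"/proc/{pid}/comm") as f:
                comm[pid] = f.read().strip()
        except OSError:          # process exited or permission denied
            continue
    return suspicious(socket_owners(inodes, fd_links), comm)


# Constructed sample: a DHCP client's packet socket, an unexplained process
# holding another one, and a process with only an ordinary (non-packet) socket.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a0c4e1d8000 3      3    0003   2     1 0      0      20415
ffff9a0c4e1d8800 3      3    0003   0     1 0      0      31977
"""
SAMPLE_FD_LINKS = {
    1123: ["/dev/null", "/dev/null", "socket:[20415]"],
    2371: ["/dev/null", "/dev/null", "socket:[31977]"],
    9001: ["/dev/pts/0", "socket:[18888]"],
}
SAMPLE_COMM = {1123: "dhclient", 2371: "cachemgr", 9001: "sshd"}   # constructed names


if __name__ == "__main__":
    hits = suspicious(socket_owners(packet_socket_inodes(SAMPLE_PROC_NET_PACKET), SAMPLE_FD_LINKS), SAMPLE_COMM)
    for pid, name in hits.items():
        print(f"pid {pid} ({name}) holds a packet socket")
```

On a live host the same check can be made with `ss -0pb` as root, which lists packet sockets with the owning process and any attached BPF filter; a filter that matches a fixed byte sequence at an unusual offset is the kind of detail worth pulling for closer inspection.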
The BPFDoor backdoor gained its enhanced obfuscation through a static library.
Experts explained that the BPFDoor developers improved the backdoor's stealth by integrating the encryption routine in a static library. This removes the need to load external libraries for routines such as its RC4 cipher, so the binary carries fewer external dependencies for detection tools to key on.
Furthermore, the operators switched the backdoor to reverse-shell communication, which has an advantage over a bind shell: rather than listening on the compromised host for an inbound connection, the host itself connects out to the attacker-controlled C2 server. This lets the attacker reach the backdoor through firewalls that block inbound connections but permit outbound ones.
The actors also removed the hardcoded commands from the backdoor so that antivirus products relying on static analysis have fewer strings to match. Because commands are now supplied by the operator at runtime, the malware can support a broader range of controls.
The BPFDoor backdoor poses a significant threat because it is difficult for security software to detect. Admins should therefore prioritise rigorous network traffic and log monitoring to mitigate the risk from this upgraded malware, and organisations should adopt endpoint protection solutions that add a further layer of defence.
Everyone should also regularly monitor the file integrity of specific files targeted by the backdoor to help identify unauthorised changes and potential indications of malware infections.
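As an added example of the file-integrity monitoring recommended above (written for this article, not code from the BPFDoor reports), the script below records a baseline fingerprint for a watch list of paths and reports what was created, removed or modified. The watched files, their names and the tampering in demo() are constructed in a temporary directory so the script runs offline; in a real deployment the watch list holds the paths the backdoor is known to create or modify and the baseline is kept off-host so an intruder cannot rewrite it.

```python
"""Baseline-and-compare file integrity check for a watch list.  Added example,
not code from the BPFDoor reports.  demo() builds its watched files in a
temporary directory (constructed data) so it runs offline."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Optional

Fingerprint = Optional[Dict[str, object]]


def fingerprint(path: str) -> Fingerprint:
    """Mode, owner, size and SHA-256 of a path; None if it does not exist.

    Absence is recorded deliberately: a watched path that later appears
    (for example a runtime lock file) is as interesting as one that changes."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    entry: Dict[str, object] = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry


def baseline(paths: List[str]) -> Dict[str, Fingerprint]:
    """Fingerprint every watched path, including ones that do not exist yet."""
    return {p: fingerprint(p) for p in paths}


def compare(before: Dict[str, Fingerprint], after: Dict[str, Fingerprint]) -> Dict[str, str]:
    """Describe each watched path whose fingerprint changed since the baseline."""
    changes: Dict[str, str] = {}
    for path, old in before.items():
        new = after.get(path)
        if old == new:
            continue
        if old is None:
            changes[path] = "created"
        elif new is None:
            changes[path] = "removed"
        else:
            changed = [k for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)]
            changes[path] = "modified (" + ", ".join(changed) + ")"
    return changes


def demo() -> Dict[str, str]:
    """Constructed scenario: one file rewritten at the same size, one deleted,
    and a watched-but-absent lock file that appears."""
    d = tempfile.mkdtemp()
    conf, helper, lock = (os.path.join(d, n) for n in ("service.conf", "helper.sh", "runtime.lock"))
    with open(conf, "w") as f:
        f.write("port=443\n")
    with open(helper, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    watch = [conf, helper, lock]
    base = baseline(watch)

    with open(conf, "w") as f:   # same length, different bytes: size alone would miss it
        f.write("port=444\n")
    os.remove(helper)
    open(lock, "w").close()
    return compare(base, baseline(watch))


if __name__ == "__main__":
    for path, change in demo().items():
        print(f"{change:<20} {path}")
```

The hash, not the size or timestamp, is what catches an in-place rewrite, and recording absent paths in the baseline is what turns "a new runtime file appeared" into an alert rather than a silent gap.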