A new, stealthier variant of the Linux malware known as 'BPFDoor' has been discovered, featuring encryption built into the binary and reverse shell communications. BPFDoor is a stealthy backdoor that has been active since 2017 but was only discovered by security researchers around 12 months ago.
The malware gets its name from its use of the 'Berkeley Packet Filter' (BPF) to receive instructions while bypassing firewall restrictions on incoming traffic. BPFDoor is designed to let threat actors maintain long-term persistence on breached Linux systems and remain undetected for extended periods.
Until 2022, the malware used RC4 encryption, a bind shell and iptables for communication, while commands and filenames were hardcoded. Analysis of the newer variant revealed encryption compiled into a static library, reverse shell communication, and a design in which all commands are sent by the C2 server rather than embedded in the binary.
By incorporating the encryption within a static library, the malware developers achieve better stealth and obfuscation, as the reliance on external libraries like one featuring the RC4 cipher algorithm is removed. The main advantage of the reverse shell against the bind shell is that the former establishes a connection from the infected host to the threat actor's command and control servers, allowing communication to the attackers' servers even when a firewall protects the network.
Finally, removing hardcoded commands makes it less likely that anti-virus software will detect the malware through static analysis such as signature-based detection. It also gives the malware more flexibility, since it can support a more diverse command set. It has been reported that the latest version of BPFDoor is not flagged as malicious by any antivirus engine on VirusTotal, despite having first been submitted to the platform in February 2023.
When BPFDoor is first executed, it creates and locks a runtime file at "/var/run/initd.lock," then runs as a child process, and finally sets itself to ignore various OS signals that could interrupt it. Next, the malware allocates a memory buffer and creates a packet sniffing socket that it uses to monitor incoming traffic for a "special" byte sequence ("\x44\x30\xCD\x9F\x5E\x14\x27\x66"). At this stage, BPFDoor attaches a Berkeley Packet Filter to the socket so that it reads only UDP, TCP, and SCTP traffic through ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).
Any firewall restrictions present on the breached machine would not affect this sniffing activity, because BPFDoor operates at such a low level that they do not apply. When BPFDoor finds a packet containing its "special" bytes in the filtered traffic, it treats it as a message from its operator, parses out two fields, and forks itself again. The parent process continues monitoring the filtered traffic on the socket, while the child treats the two parsed fields as a command-and-control IP address and port and attempts to contact it.
After establishing a connection with the C2, the malware sets up a reverse shell and waits for a command from the server. Because BPFDoor remains undetected by security software, system administrators can only rely on rigorous network traffic and log monitoring, state-of-the-art endpoint protection products, and file integrity monitoring of "/var/run/initd.lock." Please see the image in this link for a comparison of the malware's operations.
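The following is an added example, not code from the advisory or from any BPFDoor analysis. It turns the behaviour described above into a defender-side check: it parses raw IPv4 packets, applies the same protocol and port filter the malware uses (TCP, UDP or SCTP on ports 22, 80 or 443), flags any payload that carries the quoted trigger sequence, and reports whether the named lock file is present on the host. The packet samples are constructed inline; matching on either the source or destination port and the minimal header parsing (IHL honoured, no fragment reassembly) are assumptions of this example.

```python
"""Detect BPFDoor trigger traffic and its runtime lock file (added example)."""
import os
import struct

MAGIC = b"\x44\x30\xCD\x9F\x5E\x14\x27\x66"   # trigger sequence quoted in the advisory
WATCHED_PORTS = {22, 80, 443}                 # ports the malware's BPF filter lets through
PROTO_TCP, PROTO_UDP, PROTO_SCTP = 6, 17, 132  # IANA protocol numbers
LOCK_FILE = "/var/run/initd.lock"            # runtime lock file named in the advisory


def parse_ipv4(frame: bytes):
    """Return (proto, src_ip, sport, dport, payload) for a raw IPv4 packet, or None."""
    if len(frame) < 20:
        return None
    ihl = (frame[0] & 0x0F) * 4                # header length in bytes
    proto = frame[9]
    src_ip = ".".join(str(b) for b in frame[12:16])
    l4 = frame[ihl:]
    if proto not in (PROTO_TCP, PROTO_UDP, PROTO_SCTP) or len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == PROTO_TCP:
        if len(l4) < 13:
            return None
        hlen = (l4[12] >> 4) * 4               # TCP data offset
    elif proto == PROTO_UDP:
        hlen = 8                               # fixed UDP header
    else:
        hlen = 12                              # SCTP common header
    return proto, src_ip, sport, dport, l4[hlen:]


def matches_bpfdoor_filter(proto, sport, dport) -> bool:
    """Mirror the filter the advisory describes. Either-port match is an assumption."""
    return proto in (PROTO_TCP, PROTO_UDP, PROTO_SCTP) and (
        sport in WATCHED_PORTS or dport in WATCHED_PORTS)


def scan_packets(frames):
    """Return one alert dict per packet whose filtered payload carries MAGIC."""
    alerts = []
    for frame in frames:
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        proto, src_ip, sport, dport, payload = parsed
        if not matches_bpfdoor_filter(proto, sport, dport):
            continue
        offset = payload.find(MAGIC)
        if offset != -1:
            alerts.append({"src": src_ip, "proto": proto, "dport": dport, "offset": offset})
    return alerts


def lock_file_present(path=LOCK_FILE) -> bool:
    """Host-side check from the advisory: does the lock file exist?"""
    return os.path.exists(path)


def build_ipv4(proto, src, dst, sport, dport, payload):
    """Build a minimal IPv4 + transport packet. Used only to construct samples."""
    if proto == PROTO_TCP:   # 20-byte header, data offset 5
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0)
    elif proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:                    # SCTP common header: ports, verification tag, checksum
        l4 = struct.pack("!HHII", sport, dport, 0, 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + l4


SAMPLE_FRAMES = [  # constructed samples, not captured traffic
    build_ipv4(PROTO_TCP, "10.0.0.5", "10.0.0.9", 40000, 443, b"GET / HTTP/1.1\r\n"),
    build_ipv4(PROTO_UDP, "10.0.0.7", "10.0.0.9", 53000, 22, b"\x00" * 4 + MAGIC + b"\x00" * 8),
    build_ipv4(PROTO_SCTP, "10.0.0.8", "10.0.0.9", 5000, 80, MAGIC + b"AAAA"),
    build_ipv4(PROTO_TCP, "10.0.0.6", "10.0.0.9", 40001, 8080, MAGIC),  # port outside filter
]

if __name__ == "__main__":
    for a in scan_packets(SAMPLE_FRAMES):
        print(f"ALERT trigger from {a['src']} proto={a['proto']} dport={a['dport']} offset={a['offset']}")
    print("lock file present:", lock_file_present())
```

Run against the constructed samples, the scanner reports the UDP/22 and SCTP/80 packets and ignores the TCP/8080 packet even though it carries the sequence, which is the same blind spot the malware's own filter has; in production the frames would come from a capture on the host's interface, and a hit should be correlated with the lock file check and the process holding that file.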
Check for system updates frequently and apply critical security patches promptly.
Install and keep updated an effective antimalware solution. Updates addressing new kinds of malware are released constantly, so it is good practice to check for and download the latest releases.
Do not download and install software from unknown sources, and do not open email attachments from unknown senders.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.