BPFDoor Explained

BPFDoor isn't new to the cyberattack game; in fact, it went undetected for years before PwC researchers discovered the malware in 2021. Since then, the cybersecurity community has been learning more about the malware's stealthy nature, how it works, and how it can be prevented.

What's BPFDoor?

BPFDoor is a piece of malware associated with the China-based threat actor Red Menshen that has hit mostly Linux operating systems. It slips past firewalls and goes unnoticed by most detection systems, so unnoticed that it has been a work in progress over the last five years, passing through several phases of development and growing complexity.

How Does It Work?

BPF stands for Berkeley Packet Filter, which is fitting given that the malware abuses packet filters. BPFDoor uses BPF "sniffers" to watch all network traffic and find vulnerabilities. Packet filters are programs that analyze "packets" (files, metadata, network traffic) and allow or deny them based on source and destination IP addresses, protocols, or ports. Put simply, packet filters work as a firewall of sorts, keeping malware from reaching operating systems.

When BPFDoor is active, it gets in front of the firewall to receive packets, then modifies the local firewall rules or scripts to let a threat actor into the operating system. It can function without opening any ports and can receive commands from any IP address on the internet. And since IP addresses are what the filters examine to allow or deny packets, BPFDoor can essentially allow any packet to be sent or received. #nofilter

Why Is It Dangerous?

As stated previously, this malware is extremely dangerous because of its stealthy, hidden nature. Once BPFDoor is activated, remote code can be sent through the unfiltered, unblocked passageway. Malicious traffic blends into legitimate traffic, making it difficult for firewalls and security solutions to detect. BPFDoor also renames itself after infecting a system as an evasion technique.

Systems have been compromised across the US, South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar, and targets have included telecommunications, government, education, and logistics organizations.

What Can We Do About It?

In order for BPFDoor to launch, the threat actor first needs to upload the malicious binary to a server. The best lines of defense are keeping virus and malware signatures up to date to catch any potential indicators, and creating rules within your environment to help detect the seemingly undetectable.
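As an added example, not part of this article or of any vendor's tooling, the script below shows one way to build such a detection check on a Linux host: it lists the raw AF_PACKET sockets that a BPF sniffer like BPFDoor relies on (the kind that sees traffic without any open port) and maps them to the processes holding them, along with each process's displayed name and real executable. It assumes the Linux /proc layout (/proc/net/packet and /proc/<pid>/fd), embeds a constructed sample of /proc/net/packet for the parser, and needs root to see other users' file descriptors on a live scan.

```python
import os
import re

# Constructed sample of /proc/net/packet in the Linux kernel's column layout
# (sk RefCnt Type Proto Iface R Rmem User Inode); Type 3 is SOCK_RAW, Proto is hex.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1b 3      3    0003   2     1 0      0      41233
ffff9a1c 3      2    0800   0     0 0      1000   41250
"""
SOCK_RAW = 3

def parse_packet_sockets(text):
    """Raw AF_PACKET sockets: they see frames before the host firewall and need no open port."""
    found = []
    for line in text.splitlines()[1:]:  # first line is the header
        f = line.split()
        if len(f) >= 9 and int(f[2]) == SOCK_RAW:
            found.append({"proto": int(f[3], 16), "iface": int(f[4]),
                          "uid": int(f[7]), "inode": int(f[8])})
    return found

def find_socket_owners(inodes, proc="/proc"):
    """Map socket inodes to PIDs via /proc/<pid>/fd links (other users' fds need root)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc) if os.path.isdir(proc) else []):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited or permission denied
            continue
        for m in filter(None, (re.fullmatch(r"socket:\[(\d+)\]", t) for t in links)):
            if int(m.group(1)) in inodes:
                owners.setdefault(int(m.group(1)), []).append(int(pid))
    return owners

def identity(pid, proc="/proc"):
    """comm, cmdline and exe of a PID; BPFDoor renames itself, so mismatches between them matter."""
    base, info = os.path.join(proc, str(pid)), {}
    for name in ("comm", "cmdline"):
        with open(os.path.join(base, name), "rb") as fh:
            info[name] = fh.read().replace(b"\0", b" ").strip().decode(errors="replace")
    info["exe"] = os.readlink(os.path.join(base, "exe"))  # PermissionError if not root
    return info

if __name__ == "__main__":  # live scan of this host
    socks = parse_packet_sockets(open("/proc/net/packet").read())
    owners = find_socket_owners({s["inode"] for s in socks})
    for s in socks:
        print(s, [identity(p) for p in owners.get(s["inode"], [])])
```

Legitimate sniffers (tcpdump, DHCP clients, some monitoring agents) also hold raw packet sockets, so treat a hit as something to explain rather than proof of compromise; a sniffer whose cmdline claims to be a system daemon while its exe link points elsewhere is the case worth escalating.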


Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.