"Stealthier Version of Linux BPFDoor Malware Spotted in the Wild"

Researchers have discovered a new, stealthier variant of the Linux malware called BPFDoor, which now features more robust encryption and reverse shell communications. BPFDoor is a backdoor that has been active since at least 2017 but was not discovered by security researchers until about 12 months ago. The malware takes its name from its use of the Berkeley Packet Filter (BPF) to receive instructions while circumventing firewall restrictions on incoming traffic. BPFDoor is designed to let threat actors maintain prolonged persistence on compromised Linux systems and remain undetected for extended periods of time. Prior to 2022, the malware used RC4 encryption, a bind shell, and iptables for communication, and its commands and filenames were hardcoded. The new variant analyzed by Deep Instinct uses static library encryption and reverse shell communication, and the command-and-control (C2) server sends all commands. The developers achieve improved stealth and obfuscation by building the encryption into a static library, so the malware no longer needs to rely on external libraries such as those providing the RC4 cipher. This article continues to discuss the new version of the Linux BPFDoor malware.
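Because a BPF-based backdoor has to hold a packet socket to see traffic before the host firewall filters it, one defensive triage step on Linux is to list the processes that own raw AF_PACKET sockets. The script below is an added example written for this summary; it is not code from the article, from Deep Instinct, or from the malware. It parses the `/proc/net/packet` table (assumed to follow the standard kernel column layout: sk, RefCnt, Type, Proto, Iface, R, Rmem, User, Inode) and maps each socket inode to the PIDs whose `/proc/<pid>/fd` entries point at it. The sample table and the fake `/proc` tree are constructed so the example runs offline; legitimate tools such as packet sniffers also hold these sockets, so the output is a list to investigate (process path, whether the binary still exists on disk, process name), not a verdict.

```python
"""List processes holding raw AF_PACKET sockets (the socket type a
BPF-sniffing backdoor needs). Added example, not BPFDoor or article code."""
import os
import re
import tempfile

SOCK_RAW = 3        # value in the Type column for raw packet sockets
ETH_P_ALL = 0x0003  # Proto column value meaning "every frame on the wire"

# Constructed sample of /proc/net/packet: one ETH_P_ALL raw socket (inode
# 31337) and one IP-only raw socket (inode 20001) owned by uid 101.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   0     1 0      0      31337
0000000000000000 3      3    0800   2     1 0      101    20001
"""

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def parse_proc_net_packet(text):
    """Turn the /proc/net/packet table into a list of dicts with int fields."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip anything that does not match the header layout
        row = dict(zip(header, fields))
        rows.append({
            "type": int(row["Type"]),          # 3 = SOCK_RAW, 2 = SOCK_DGRAM
            "proto": int(row["Proto"], 16),    # hex ethertype, 0003 = ETH_P_ALL
            "iface": int(row["Iface"]),        # 0 = bound to all interfaces
            "uid": int(row["User"]),
            "inode": int(row["Inode"]),
        })
    return rows


def map_inodes_to_pids(inodes, proc_root="/proc"):
    """Scan <proc_root>/<pid>/fd for 'socket:[inode]' links of interest."""
    wanted = set(inodes)
    owners = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited or we lack permission; move on
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            match = SOCKET_LINK.match(target)
            if match and int(match.group(1)) in wanted:
                owners.setdefault(int(match.group(1)), []).append(int(entry))
    return owners


def raw_socket_owners(packet_text, proc_root="/proc"):
    """Return [(inode, [pids])] for every ETH_P_ALL raw packet socket."""
    raw = [r for r in parse_proc_net_packet(packet_text)
           if r["type"] == SOCK_RAW and r["proto"] == ETH_P_ALL]
    owners = map_inodes_to_pids([r["inode"] for r in raw], proc_root)
    return [(r["inode"], sorted(owners.get(r["inode"], []))) for r in raw]


def build_fake_proc(root):
    """Constructed /proc layout for the offline demo: pid 4242 owns 31337."""
    fd_dir = os.path.join(root, "4242", "fd")
    os.makedirs(fd_dir)
    os.symlink("socket:[31337]", os.path.join(fd_dir, "3"))
    os.makedirs(os.path.join(root, "1", "fd"))
    os.symlink("/dev/null", os.path.join(root, "1", "fd", "0"))


def demo():
    """Run the triage against the constructed sample; returns [(31337, [4242])]."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        return raw_socket_owners(SAMPLE_PROC_NET_PACKET, root)


if __name__ == "__main__":
    # On a live host, replace the sample with open("/proc/net/packet").read()
    # and drop the proc_root argument; reading other users' fd links needs root.
    print(demo())
```

On a real system the PIDs this returns should be cross-checked against `/proc/<pid>/exe` and the process's command line; a sniffer you did not install, or one whose binary has been deleted from disk, is what merits escalation.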

Bleeping Computer reports "Stealthier Version of Linux BPFDoor Malware Spotted in the Wild"

Submitted by Anonymous on