If you use Linux - watch out for this stealthy new malware

A known Linux malware has gotten a major upgrade


Experts have recently discovered an upgraded version of the BPFDoor malware for Linux that is seemingly harder to spot. As a result, no antivirus program currently flags the executable as malicious.

Cybersecurity researchers from Deep Instinct noted that BPFDoor, which was first discovered in 2022, has been active since at least 2017. The tool got its name from its (ab)use of the Berkeley Packet Filter (BPF), which it uses to receive instructions and bypass any firewalls.

Its design allows the threat actors to remain undetected on a compromised Linux system for longer periods of time, the researchers said. BPFDoor’s key feature is that it lets threat actors see all network traffic and find vulnerabilities, as well as send remote code through channels that are (now) unfiltered and unblocked.

An eye on network traffic

Furthermore, BPFDoor is capable of blending malicious traffic with legitimate traffic, making detection and remediation even more difficult.

But given that no antivirus currently flags BPFDoor as malicious, system administrators’ only way of detecting it is to “vigorously” monitor network traffic and logs, BleepingComputer adds. They should use state-of-the-art endpoint protection solutions and monitor the file integrity of “/var/run/initd.lock”, as that is where BPFDoor creates and locks its runtime file before forking itself to run as a child process.
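A defender-side check for that indicator, added here as an example and not code from the article or from Deep Instinct: it tests whether the lock file path named above exists and scans /proc to report which processes currently hold it open. The `proc_root` parameter is an assumption added so the check can be pointed at a constructed /proc tree for testing.

```python
"""Check the BPFDoor lock-file indicator: does it exist, and which processes hold it open?"""
import os
from pathlib import Path

LOCK_PATH = "/var/run/initd.lock"  # path named in the article


def processes_holding(path: str, proc_root: str = "/proc") -> list[dict]:
    """Return one record per process with `path` open, by reading /proc/<pid>/fd symlinks."""
    hits = []
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue  # skip /proc/self, /proc/sys and similar
        try:
            fds = list((pid_dir / "fd").iterdir())
        except (PermissionError, FileNotFoundError):
            continue  # process exited, or we lack rights to inspect it
        for fd in fds:
            try:
                target = os.readlink(fd)
            except OSError:
                continue
            if target in (path, path + " (deleted)"):
                comm_file = pid_dir / "comm"
                comm = comm_file.read_text().strip() if comm_file.exists() else "?"
                hits.append({"pid": int(pid_dir.name), "comm": comm, "fd": fd.name})
                break  # one record per process is enough
    return hits


def check_lock_file(path: str = LOCK_PATH, proc_root: str = "/proc") -> dict:
    """Summarise the indicator: presence of the file or any holder is worth investigating."""
    exists = os.path.exists(path)
    holders = processes_holding(path, proc_root)
    return {"path": path, "exists": exists, "holders": holders,
            "suspicious": exists or bool(holders)}


if __name__ == "__main__":
    # Run as root for a complete view; unreadable /proc/<pid>/fd entries are skipped.
    print(check_lock_file())
```

Absence of the file proves nothing, since the malware may remove it or use another path, so treat a clean result as one data point alongside the network and log monitoring described above.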


TheHackerNews also claims that BPFDoor is usually used by Red Menshen, a threat actor associated with China. The group, active since 2021, has mostly been targeting Linux operating systems belonging to telecommunications providers in the Middle East and Asia, as well as government organizations, education firms, and logistics companies, according to Malpedia.

After gaining initial access, the group would use various custom tools, such as Mangzamel, Gh0st, Mimikatz, and Metasploit.

Most of the group’s activity takes place during workdays and during working hours (9-5, Monday to Friday).

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.