BPFDoor is a backdoor attributed to the Chinese APT group Red Menshen. It is a highly evasive malware family that targets Linux and Solaris systems, and it is reported to have gone unnoticed for up to five years before its discovery.
The malware uses a Berkeley Packet Filter (BPF) sniffer attached to a raw socket. Because a raw socket receives packets before the host firewall (netfilter/iptables) processes them, the implant sees all incoming traffic, including packets that existing firewall rules would drop. This lets the attacker trigger remote code execution without the implant opening any new listening port.
BPFDoor has no built-in persistence mechanism, so it does not survive a system reboot. The attacker is therefore assumed to move straight to post-exploitation once an endpoint is infected, and may rely on cron jobs or startup scripts to make the backdoor persistent.
The malware can be detected in two ways:
- Using Security Configuration Assessment (SCA)
- Using Auditd
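As an added example (not code from the original post or from any BPFDoor analysis), the Auditd approach can be turned into working detection logic. The two syscalls a BPF sniffer of this kind needs are creating an AF_PACKET raw socket and attaching a classic BPF filter with setsockopt(SO_ATTACH_FILTER); the script below correlates the resulting auditd SYSCALL records per process and flags processes that do both. The audit rule keys (`packet_socket`, `bpf_attach`), the allowlist of legitimate sniffers, the tmpfs-path heuristic and the sample log lines are all constructed for this example; the numeric values are for x86_64.

```python
import re
from dataclasses import dataclass

# Added example: correlate auditd SYSCALL records to find a process that
# (1) opens an AF_PACKET raw socket and (2) attaches a classic BPF filter
# via setsockopt(SO_ATTACH_FILTER). Rules, allowlist and sample records are
# constructed for this example, not taken from the original page.

# auditd rules (x86_64 values: AF_PACKET=17, SO_ATTACH_FILTER=26) that produce
# the records parsed below. a1 (socket type) is deliberately not filtered:
# SOCK_RAW may be OR'ed with SOCK_CLOEXEC/SOCK_NONBLOCK and -F compares exactly.
AUDIT_RULES = """\
-a always,exit -F arch=b64 -S socket -F a0=17 -k packet_socket
-a always,exit -F arch=b64 -S setsockopt -F a2=26 -k bpf_attach
"""

X86_64_ARCH = "c000003e"
SYS_SOCKET = 41          # x86_64 syscall numbers
SYS_SETSOCKOPT = 54
AF_PACKET = 17
SO_ATTACH_FILTER = 26

# Binaries that legitimately sniff with a BPF filter on this host (constructed).
ALLOWLIST = {"/usr/bin/tcpdump", "/usr/sbin/dhclient"}

# Matches key=value pairs; quoted values may contain spaces (e.g. "(deleted)").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    pid: int
    comm: str
    exe: str
    reasons: tuple


def parse_syscall_record(line):
    """Return the fields of a type=SYSCALL record as a dict, or None."""
    if not line.startswith("type=SYSCALL"):
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def detect(lines, allowlist=ALLOWLIST):
    """One Finding per pid that both opened an AF_PACKET socket and attached
    a BPF filter, unless its executable is allowlisted and nothing else is odd."""
    opened = {}    # pid -> (comm, exe) for successful AF_PACKET socket() calls
    attached = {}  # pid -> (comm, exe) for successful SO_ATTACH_FILTER calls
    for line in lines:
        rec = parse_syscall_record(line)
        if rec is None or rec.get("arch") != X86_64_ARCH or rec.get("success") != "yes":
            continue
        pid = int(rec["pid"])
        ident = (rec.get("comm", "?"), rec.get("exe", "?"))
        nr = int(rec["syscall"])
        if nr == SYS_SOCKET and int(rec["a0"], 16) == AF_PACKET:
            opened[pid] = ident
        elif nr == SYS_SETSOCKOPT and int(rec["a2"], 16) == SO_ATTACH_FILTER:
            attached[pid] = ident

    findings = []
    for pid in sorted(opened.keys() & attached.keys()):
        comm, exe = attached[pid]
        reasons = ["AF_PACKET socket + SO_ATTACH_FILTER"]
        # The kernel appends " (deleted)" when the running binary was unlinked;
        # a sniffer that removes its own file is far more suspicious than tcpdump.
        if exe.endswith(" (deleted)"):
            reasons.append("executable unlinked while running")
        # Heuristic (constructed): sniffers normally do not live in tmpfs.
        if exe.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")):
            reasons.append("executable in world-writable tmpfs path")
        if exe.split(" (deleted)")[0] in allowlist and len(reasons) == 1:
            continue
        findings.append(Finding(pid, comm, exe, tuple(reasons)))
    return findings


# Constructed sample records: one self-deleting sniffer in /tmp, one tcpdump
# run by an operator, and unrelated noise from another rule.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=41 success=yes exit=3 a0=11 a1=3 a2=8 a3=0 items=0 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 comm="sniffer" exe="/tmp/sniffer (deleted)" key="packet_socket"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=1 a2=1a a3=7ffd00001000 items=0 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 comm="sniffer" exe="/tmp/sniffer (deleted)" key="bpf_attach"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=41 success=yes exit=4 a0=11 a1=3 a2=300 a3=0 items=0 ppid=900 pid=5150 auid=1000 uid=0 gid=0 euid=0 comm="tcpdump" exe="/usr/bin/tcpdump" key="packet_socket"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=1 a2=1a a3=7ffd00002000 items=0 ppid=900 pid=5150 auid=1000 uid=0 gid=0 euid=0 comm="tcpdump" exe="/usr/bin/tcpdump" key="bpf_attach"
type=SYSCALL msg=audit(1700000000.105:205): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=6000 auid=4294967295 uid=0 gid=0 euid=0 comm="nginx" exe="/usr/sbin/nginx" key="net_socket"
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"pid={f.pid} comm={f.comm} exe={f.exe}: {'; '.join(f.reasons)}")
```

The correlation is per pid rather than per record because every packet sniffer, tcpdump included, performs exactly these two calls; the allowlist keeps known tools quiet, while an unlinked binary or a tmpfs path overrides the allowlist. Note that `comm` can be chosen freely by a process, so the `exe` field resolved by the kernel is the value to trust.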
Automatic detection for this malware is active at our KMO CDC Center!