BPFDoor is a Linux backdoor that is being actively distributed in several strains, each identified by its own file hashes and covered by AhnLab EDR and AIPS detection signatures. Because new variants keep appearing, continuous endpoint detection and network monitoring are needed to keep up with it. (Affected: Linux systems, cybersecurity sector)
Keypoints :
- BPFDoor is a Linux backdoor used in hacking attacks against Linux servers.
- AhnLab and KISA have published detection details and warnings about BPFDoor.
- Several malware samples are identified by unique MD5 and SHA-256 hashes.
- BPFDoor source code is publicly available, which has allowed multiple variants to be developed and distributed.
- AhnLab EDR and AIPS provide detection signatures for BPFDoor binaries and for their CnC communication.
- EDR detection names fall into the Behavior, Defense Evasion, and Execution categories.
- File names such as hpasmmld, smartadm, and dbus-srv are associated with the malware, which disguises itself as legitimate system daemons.
- V3 (AhnLab antivirus) detection names map to specific variants identified by the listed hashes.
- Continuous monitoring and endpoint defense are necessary because the strains keep evolving.
- BPFDoor C2 communication is tracked by multiple AIPS detection signatures.
MITRE Techniques :
- Application Layer Protocol (T1071, Command and Control) – BPFDoor establishes CnC communication to receive commands and exfiltrate data.
- Impair Defenses (T1562, Defense Evasion) – The malware uses techniques to bypass endpoint detection and firewall defenses.
- Command and Scripting Interpreter (T1059, Execution) – BPFDoor executes commands within compromised Linux environments.
- Create or Modify System Process (T1543, Persistence) – BPFDoor implants itself under the names of various daemons or system service files to maintain persistence.
- Traffic Signaling: Socket Filters (T1205.002, Defense Evasion / Persistence) – BPFDoor attaches a BPF (Berkeley Packet Filter) to a raw socket so it can inspect inbound packets for its activation ("magic") packet without opening a listening port. (The original mapping to Resource Hijacking, T1496, is incorrect; that technique covers abuse of compute resources such as cryptomining.)
Indicator of Compromise :
- The article lists MD5 and SHA-256 hash values for several BPFDoor samples, useful for detecting infected files.
- File names such as hpasmmld, smartadm, and dbus-srv are identified as malware components.
- Example hashes include MD5: 0bcd4f14e7d8a3dc908b5c17183269a4 and SHA-256: 027b1fed1b8213b86d8faebf51879ccc9b1afec7176e31354fbac695e8daf416.
- AIPS detection rules cover recognized C2 communication patterns linked to BPFDoor activity.
- EDR detection information includes specific event names that help identify defense evasion and execution activity by BPFDoor.
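The raw-socket BPF behaviour in the MITRE list and the hash and file-name indicators above can be combined into a simple host sweep. The script below is an added example written for this page, not code from the ASEC post or from AhnLab: it hashes files against the two hashes the page lists, flags the listed file names, and parses /proc/net/packet (assumed column order: sk, RefCnt, Type, Proto, Iface, R, Rmem, User, Inode; Type 3 is SOCK_RAW) to find processes holding raw AF_PACKET sockets, which is how a BPFDoor-style implant watches for its activation packet without a listening port. The sample /proc/net/packet text and the pid-to-inode map used in the demo are constructed, not captured from a real infection.

```python
"""IoC and raw-socket sweep for BPFDoor-style implants (added example, not from the ASEC post)."""
import hashlib
import os
import re

# Indicators copied from the page above (one MD5, one SHA-256, three disguise names).
IOC_MD5 = {"0bcd4f14e7d8a3dc908b5c17183269a4"}
IOC_SHA256 = {"027b1fed1b8213b86d8faebf51879ccc9b1afec7176e31354fbac695e8daf416"}
IOC_NAMES = {"hpasmmld", "smartadm", "dbus-srv"}


def hash_bytes(data: bytes) -> dict:
    """Hex MD5 and SHA-256 of a byte string (both hash types appear in the IoC list)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def match_file_iocs(path: str, data: bytes) -> list:
    """Return the IoCs that (path, content) matches; an empty list means no match."""
    hits = []
    digests = hash_bytes(data)
    if digests["md5"] in IOC_MD5:
        hits.append("md5:" + digests["md5"])
    if digests["sha256"] in IOC_SHA256:
        hits.append("sha256:" + digests["sha256"])
    base = os.path.basename(path)
    if base in IOC_NAMES:
        hits.append("name:" + base)
    return hits


# Assumed /proc/net/packet layout: sk RefCnt Type Proto Iface R Rmem User Inode
_PACKET_LINE = re.compile(
    r"^\s*([0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+([0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
SOCK_RAW = 3


def raw_packet_socket_inodes(proc_net_packet: str) -> set:
    """Parse /proc/net/packet text and return the inodes of SOCK_RAW AF_PACKET sockets."""
    inodes = set()
    for line in proc_net_packet.splitlines():
        m = _PACKET_LINE.match(line)
        if m and int(m.group(3)) == SOCK_RAW:
            inodes.add(int(m.group(9)))
    return inodes


def pids_with_raw_sockets(pid_to_inodes: dict, raw_inodes: set) -> dict:
    """Correlate per-pid socket inodes with raw packet socket inodes; keep only pids that hold one."""
    result = {}
    for pid, inodes in pid_to_inodes.items():
        shared = set(inodes) & raw_inodes
        if shared:
            result[pid] = shared
    return result


def socket_inodes_for_pid(pid: int) -> set:
    """Live helper: read /proc/<pid>/fd and collect 'socket:[inode]' targets (needs root for other users)."""
    inodes = set()
    fd_dir = f"/proc/{pid}/fd"
    try:
        for fd in os.listdir(fd_dir):
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                inodes.add(int(m.group(1)))
    except OSError:
        pass  # process exited or permission denied
    return inodes


def sweep_live() -> dict:
    """Live sweep of the local host: raw packet socket holders plus their exe path and IoC hits."""
    with open("/proc/net/packet") as f:
        raw = raw_packet_socket_inodes(f.read())
    pids = [int(p) for p in os.listdir("/proc") if p.isdigit()]
    holders = pids_with_raw_sockets({p: socket_inodes_for_pid(p) for p in pids}, raw)
    report = {}
    for pid in holders:
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(exe, "rb") as f:
                hits = match_file_iocs(exe, f.read())
        except OSError:
            exe, hits = "<unreadable>", []
        report[pid] = {"exe": exe, "ioc_hits": hits}
    return report


# Constructed sample: one SOCK_RAW (type 3) and one SOCK_DGRAM (type 2) packet socket.
SAMPLE_PROC_NET_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      41337
0000000000000000 3      2    0003   2     1 0      0      41338
"""

if __name__ == "__main__":
    print(raw_packet_socket_inodes(SAMPLE_PROC_NET_PACKET))  # constructed demo input
    print(sweep_live())  # real /proc on the host running this
```

Legitimate software such as tcpdump, dhclient, NetworkManager, or lldpd also holds raw packet sockets, so a hit from `sweep_live` is a triage lead, not a verdict; the IoC hash or name match on the process executable is what turns it into a confirmed indicator. Hashes only catch the exact samples listed, so the raw-socket check is what gives coverage against variants built from the public source.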
Read more: https://asec.ahnlab.com/en/87863/