Seven new variants of the BPFDoor malware have been found, and this article looks at what is new in them. BPFDoor is a backdoor that operates at the kernel level, filtering network traffic deep inside the operating system.

It creates a trapdoor: a hidden entry point that threat actors open by sending a specific "magic packet." This lets the malware plant sleeper implants that are almost impossible to find, especially in global telecommunications networks. Rapid7 says security teams need to change how they hunt for these stealthy tactics to stay safe: instead of relying only on traditional payload signatures, look for anomalous patterns in network traffic.

In practice that means looking for hardcoded sequence numbers, invalid protocol codes, and processes that behave abnormally while running with elevated privileges.
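The two traffic-level indicators above (hardcoded sequence numbers and invalid protocol codes) can be turned into a simple hunt rule. The following Python is an added example and not Rapid7's detection logic; the flow record shape and the sample flows are constructed for illustration. It flags IP protocol numbers that the IANA registry leaves unassigned, experimental or reserved, and TCP initial sequence numbers that repeat across several distinct sources, which a properly randomised handshake (RFC 6528) should never produce.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP protocol numbers from the IANA registry that should not appear in
# ordinary traffic: 143-252 unassigned, 253-254 experimental, 255 reserved.
IANA_UNASSIGNED_START = 143


def is_invalid_ip_protocol(proto: int) -> bool:
    """True when the IP protocol number is outside the assigned range."""
    return proto < 0 or proto > 255 or proto >= IANA_UNASSIGNED_START


@dataclass(frozen=True)
class Flow:
    """One observed flow; hypothetical record shape, not a vendor format."""
    src: str
    dst: str
    proto: int              # IP protocol number (1 = ICMP, 6 = TCP, 17 = UDP)
    isn: Optional[int]      # TCP initial sequence number, None for non-TCP


def find_suspicious(flows: List[Flow], min_sources: int = 3) -> List[Tuple]:
    """Flag flows with invalid protocol numbers, and TCP ISNs that repeat
    across distinct source hosts. RFC 6528 randomises the ISN per
    connection, so the same value from several hosts points at a
    hardcoded sequence number rather than a real handshake."""
    findings: List[Tuple] = []
    for f in flows:
        if is_invalid_ip_protocol(f.proto):
            findings.append(("invalid_protocol", f))

    sources_by_isn = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.isn is not None:
            sources_by_isn[f.isn].add(f.src)
    for isn, sources in sorted(sources_by_isn.items()):
        if len(sources) >= min_sources:
            findings.append(("repeated_isn", isn, sorted(sources)))
    return findings


# Constructed sample flows (not captured data): three TCP SYNs from
# different hosts carrying the same ISN, one flow with an unassigned
# protocol number, and a few benign flows for contrast.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.9", 6, 0x5E7B),
    Flow("10.0.0.6", "10.0.0.9", 6, 0x5E7B),
    Flow("10.0.0.7", "10.0.0.9", 6, 0x5E7B),
    Flow("10.0.0.8", "10.0.0.9", 6, 0x1A2B3C),
    Flow("10.0.0.5", "10.0.0.9", 17, None),
    Flow("10.0.0.5", "10.0.0.9", 1, None),
    Flow("10.0.0.5", "10.0.0.9", 200, None),
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_FLOWS):
        print(finding)
```

The `min_sources` threshold keeps a single retransmitted SYN from raising an alert; raise it on large networks where a NAT device can legitimately present many hosts behind one address.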

Rapid7 also stresses monitoring for active BPF filters attached to packet sockets, to catch advanced threats that are trying to evade detection. It recommends watching for an active beacon that masquerades as ordinary Network Time Protocol (NTP) traffic over SSL and reaches out to domains that look like routine system-update hosts. One variant targets bare-metal HPE ProLiant servers, which are widely used in 5G telecom networks.
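A host-side check for the "BPF filters attached to packet sockets" advice is to enumerate packet sockets from `/proc/net/packet` and map each one back to the process holding it. The Python below is an added example, not Rapid7's tooling or a BPFDoor signature; the sample table is constructed in the kernel's `/proc/net/packet` column layout. A raw packet socket bound to protocol `ETH_P_ALL` receives every frame on the interface, which is the shape a passive magic-packet listener needs, so those sockets are the ones worth attributing to a PID.

```python
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List

ETH_P_ALL = 0x0003   # protocol value that delivers every frame to the socket
SOCK_DGRAM = 2
SOCK_RAW = 3


@dataclass(frozen=True)
class PacketSocket:
    inode: int
    sock_type: int
    proto: int
    iface_index: int    # 0 means the socket is bound to all interfaces
    running: bool


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse the /proc/net/packet table (columns: sk RefCnt Type Proto
    Iface R Rmem User Inode) into records. Proto is printed in hex."""
    records = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 9:
            continue
        records.append(PacketSocket(
            inode=int(fields[8]),
            sock_type=int(fields[2]),
            proto=int(fields[3], 16),
            iface_index=int(fields[4]),
            running=fields[5] == "1",
        ))
    return records


def is_sniffing_socket(sock: PacketSocket) -> bool:
    """Raw packet socket on ETH_P_ALL: sees all traffic on its interface."""
    return sock.sock_type == SOCK_RAW and sock.proto == ETH_P_ALL


def flagged_inodes(text: str) -> List[int]:
    """Inodes of the packet sockets that match the sniffing shape."""
    return [s.inode for s in parse_proc_net_packet(text) if is_sniffing_socket(s)]


def socket_owners(inodes: Iterable[int], proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Map socket inodes to the PIDs holding them, by reading the
    socket:[inode] symlinks under /proc/<pid>/fd (root is needed to read
    other users' processes)."""
    wanted = {f"socket:[{inode}]": inode for inode in inodes}
    owners: Dict[int, List[int]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:              # process exited or permission denied
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in wanted:
                owners.setdefault(wanted[target], []).append(int(entry))
    return owners


# Constructed sample in the /proc/net/packet layout: one raw ETH_P_ALL
# socket bound to all interfaces, and one DGRAM socket for IPv4 only.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   0     1 0      0      48213
0000000000000000 3      2    0800   2     1 0      0      48990
"""

if __name__ == "__main__":
    with open("/proc/net/packet") as fh:
        table = fh.read()
    for inode, pids in socket_owners(flagged_inodes(table)).items():
        print(f"packet socket inode {inode} (ETH_P_ALL) held by pids {pids}")
```

`/proc/net/packet` does not show the filter program itself; to see the classic BPF instructions attached to each packet socket together with the owning process, run `ss -0pb` as root (`-0` selects packet sockets, `-p` shows processes, `-b` dumps the BPF filter). Legitimate capture tools such as tcpdump and some DHCP clients also hold ETH_P_ALL sockets, so the value of the check is in the process attribution, not the socket alone.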

It impersonates genuine HPE management software and completely replaces the real system agent. According to Rapid7's research, other new variants are highly aware of their surroundings. The threat actors have also added multi-protocol parallel sniffing, which lets the backdoor listen for its trigger over several protocols at the same time.

By giving each protocol its own thread, the malware ensures it never misses a wake-up trigger, even on busy networks. If a defender blocks anomalous ICMP traffic, the attackers can simply switch to sending their triggers over TCP.