BPFDoor is a highly evasive surveillance tool that uses the Berkeley Packet Filter (BPF). It is allegedly attributed to Chinese threat actors. It is assumed to be deployed on thousands of Linux systems, yet its controller has gone almost completely unnoticed by endpoint protection vendors despite having been in use for at least five years. BPFDoor works as an implant without opening any additional TCP or UDP ports: instead it listens and sends data on existing, in-use ports by utilizing the power of BPF.
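As an added example (not from the original page), the following Python hunts for the socket pattern described above: a process holding an AF_PACKET raw socket, the usual way a BPF-filtered sniffer receives traffic without a listening port. It parses /proc/net/packet and the /proc/<pid>/fd links, here fed constructed sample data; the SAMPLE_* values and process names are assumptions.

```python
"""Added example: hunt for the BPFDoor socket pattern (raw AF_PACKET socket,
no listening port) from /proc/net/packet and /proc/<pid>/fd."""
import os
import re

SOCK_RAW = 3  # "Type" column value in /proc/net/packet for SOCK_RAW
# Constructed /proc/net/packet: a SOCK_RAW socket on ETH_P_IP (0800) and a SOCK_DGRAM one.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1e3b2c4000 3      3    0800   2     1 0      0      41237
ffff9a1e3b2c5800 3      2    0800   2     1 0      0      10982
"""
# Constructed readlink() results of /proc/<pid>/fd/* and cmdlines (assumed names).
SAMPLE_FD_LINKS = {1337: ["/dev/null", "socket:[41237]"], 812: ["socket:[10982]"]}
SAMPLE_CMDLINES = {1337: "/usr/sbin/suspect-daemon", 812: "/sbin/dhclient eth0"}

def parse_packet_sockets(text):
    """Map socket inode -> (type, proto) for each row of /proc/net/packet."""
    rows = [l.split() for l in text.splitlines()[1:]]
    return {int(c[8]): (int(c[2]), c[3].lower()) for c in rows if len(c) >= 9}

def socket_owners(fd_links):
    """Map socket inode -> pid from 'socket:[N]' fd link targets."""
    return {int(m.group(1)): pid for pid, links in fd_links.items()
            for link in links for m in [re.fullmatch(r"socket:\[(\d+)\]", link)] if m}

def find_raw_sniffers(proc_net_packet, fd_links, cmdlines):
    """Return processes holding SOCK_RAW packet sockets; review each one,
    since tcpdump or an IDS sensor legitimately shows up here too."""
    owners = socket_owners(fd_links)
    return [{"pid": owners.get(inode), "inode": inode, "proto": proto,
             "cmdline": cmdlines.get(owners.get(inode), "<unknown>")}
            for inode, (stype, proto) in parse_packet_sockets(proc_net_packet).items()
            if stype == SOCK_RAW]

def collect_live():
    """Gather the same three inputs from the real /proc (run as root)."""
    links, cmds = {}, {}
    for d in filter(str.isdigit, os.listdir("/proc")):
        try:
            links[int(d)] = [os.readlink(f"/proc/{d}/fd/{fd}") for fd in os.listdir(f"/proc/{d}/fd")]
            cmds[int(d)] = open(f"/proc/{d}/cmdline", "rb").read().replace(b"\0", b" ").decode().strip()
        except OSError:
            continue
    return open("/proc/net/packet").read(), links, cmds

if __name__ == "__main__":
    print(find_raw_sniffers(*collect_live()))
```

A hit is a lead, not a verdict: correlate the process with its listening sockets (none, for this implant) and its on-disk hash against the signatures below.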
BPFDoor Implant Signatures
Family: HEUR:Backdoor.Linux.Agent.dl
MD5: 8f05657f0bd8f4eb60fba59cc94fe189
SHA256: 93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c