
New BPFDoor Malware Variants Target Telecom Networks

Severity: High (Score: 67.5)

Sources: Gbhackers, Scworld

Summary

Seven new variants of the BPFDoor malware have been identified that make compromises of major telecommunication networks harder to detect. The variants use stateless command-and-control (C2) routing and hide their C2 traffic with techniques such as HTTP traffic concealment and ICMP tunneling. The most notable are httpShell, which hides C2 inside HTTP traffic, and icmpShell, which provides an interactive shell over ICMP while bypassing firewall rules. Another variant, labelled 'H', resolves NTP-themed domain names to establish encrypted sessions. Organizations are advised to monitor their hosts for unusual BPF filters and their network traffic for structural anomalies so that a compromise is detected early. The findings were reported by Rapid7 and highlight the growing sophistication of malware targeting critical infrastructure.

Key Points

  • Seven new BPFDoor variants make telecom network compromises harder to detect.
  • Key variants include httpShell and icmpShell, which use advanced evasion techniques.
  • Organizations should monitor BPF filters on hosts and anomalies in network traffic to detect compromise.
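The advice above to monitor for unusual BPF filters can be turned into a host baseline check. The script below is an added example, not code from Rapid7 or from the reports cited on this page: it parses the output of `ss -0pb` (packet sockets, with owning process and attached classic BPF filter) and flags every filtered AF_PACKET socket whose owner is unknown or not on an allowlist. The `ss` output shape handled by the regexes, the sample output, the process names in it and the allowlist are all assumptions constructed for the example.

```python
"""Baseline check for host processes that hold AF_PACKET sockets with a
classic BPF filter attached, the kind of foothold a BPFDoor-style implant
needs in order to watch for its activation packets.

Added example, not code from Rapid7 or the cited reports. Assumptions: the
`ss -0pb` output shape handled by the regexes below (a `p_raw`/`p_dgr`
record line with a `users:((...))` column, followed by an indented
`bpf filter (N): ...` line) and the allowlist of expected sniffers.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Processes that commonly own filtered packet sockets on a healthy host.
# Assumption: tune per environment; this is not a vendor-supplied list.
DEFAULT_ALLOWLIST = frozenset({"dhclient", "dhcpcd", "tcpdump", "lldpd"})

# Constructed sample of `ss -0pb` output (not captured from a real host).
# Socket 2 ("updater", a made-up name) and socket 4 (no visible owner)
# are the ones a baseline check should surface.
SAMPLE_SS_OUTPUT = """\
Netid  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
p_raw  0      0            *:eth0             *                 users:(("dhclient",pid=812,fd=5))
    bpf filter (4): 0x28 0 0 12, 0x15 0 1 2048, 0x06 0 0 262144, 0x06 0 0 0
p_raw  0      0            *:eth0             *                 users:(("updater",pid=2041,fd=3))
    bpf filter (8): 0x28 0 0 12, 0x15 0 5 2048, 0x30 0 0 23, 0x15 2 0 17, 0x15 1 0 6, 0x15 0 1 1, 0x06 0 0 65535, 0x06 0 0 0
p_dgr  0      0            *:eth0             *                 users:(("lldpd",pid=600,fd=9))
p_raw  0      0            *:eth0             *
    bpf filter (1): 0x06 0 0 65535
"""

RECORD_RE = re.compile(r"^(p_raw|p_dgr)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(.*)$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')
FILTER_RE = re.compile(r"^\s+bpf filter \((\d+)\):\s*(.*)$")


@dataclass
class PacketSocket:
    netid: str                                  # p_raw (SOCK_RAW) or p_dgr (SOCK_DGRAM)
    iface: str                                  # bound interface, or "*"
    procs: list                                 # (name, pid, fd) owners visible to ss
    insns: list = field(default_factory=list)   # (code, jt, jf, k) classic BPF insns

    @property
    def has_filter(self) -> bool:
        return bool(self.insns)


def parse_ss_packet_sockets(text: str) -> list:
    """Turn `ss -0pb` text into PacketSocket records; a filter line is
    attached to the record line that precedes it."""
    sockets = []
    for line in text.splitlines():
        rec = RECORD_RE.match(line)
        if rec:
            netid, local, _peer, rest = rec.groups()
            procs = [(n, int(p), int(f)) for n, p, f in PROC_RE.findall(rest)]
            sockets.append(PacketSocket(netid, local.rsplit(":", 1)[-1], procs))
            continue
        flt = FILTER_RE.match(line)
        if flt and sockets:
            declared = int(flt.group(1))
            insns = []
            for item in flt.group(2).split(","):
                parts = item.split()
                if len(parts) == 4:
                    insns.append((int(parts[0], 16), int(parts[1]), int(parts[2]), int(parts[3])))
            if len(insns) != declared:  # truncated line or an output shape we do not expect
                raise ValueError(f"expected {declared} instructions, parsed {len(insns)}")
            sockets[-1].insns = insns
    return sockets


def flag_unexpected(sockets, allowlist=DEFAULT_ALLOWLIST) -> list:
    """Filtered packet sockets whose owner is unknown or not allowlisted.
    A socket with no visible owner is flagged as well: that usually means
    ss ran without privileges, and an unattributed sniffer must not pass."""
    flagged = []
    for sock in sockets:
        if not sock.has_filter:
            continue
        if not sock.procs or any(name not in allowlist for name, _pid, _fd in sock.procs):
            flagged.append(sock)
    return flagged


def describe(sock: PacketSocket) -> str:
    owners = ",".join(f"{n}[{p}]" for n, p, _ in sock.procs) or "unknown"
    return f"{sock.netid} iface={sock.iface} owner={owners} filter={len(sock.insns)} insns"


def main() -> None:
    try:
        text = subprocess.run(["ss", "-0pb"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_SS_OUTPUT  # no ss available: demonstrate on the constructed sample
    for sock in flag_unexpected(parse_ss_packet_sockets(text)):
        print(describe(sock))


if __name__ == "__main__":
    main()
```

Run it as root so that `ss` can attribute sockets to processes; an unowned filtered socket is reported rather than ignored for exactly that reason. The check is a baseline, not a signature: it tells you which processes are sniffing with a filter, and the allowlist decides which of those are expected on that host.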

Key Entities

  • Malware (attack_type)
  • BPFDoor (malware)
  • T1071.001 - Web Protocols (mitre_attack)
  • T1071.004 - DNS (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Linux (platform)