KEY SUMMARY POINTS
- New Linux Malware Campaign: Cybersecurity researchers identified an active Linux malware campaign leveraging eBPF technology and targeting businesses and users globally.
- eBPF Exploitation: Hackers are abusing eBPF’s low-level capabilities to hide activities, gather data, and bypass security measures, making detection challenging.
- Trojan Deployment: Attackers use eBPF rootkits to conceal their presence and drop remote access Trojans capable of tunnelling traffic and maintaining communication within private networks.
- Public Platforms for Command Control: Instead of private servers, malware configurations are stored on public platforms like GitHub and blogs, disguising malicious activity as legitimate.
- Rising eBPF Malware: The use of eBPF-based malware, including families like Boopkit and BPFDoor, is increasing, with over 100 new vulnerabilities discovered in 2024 alone.
Cybersecurity researchers Dr. Web have uncovered a new and active Linux malware campaign aimed at businesses and users in Southeast Asia. The discovery came during an investigation into a malware attack reported by one of their clients.
The investigation began when a client approached Dr. Web with concerns about a possible compromise in their computer infrastructure. Upon analyzing the client’s data, Dr. Web identified multiple similar cases, indicating a large-scale and active campaign. Despite the initial uncertainty about how the attackers gained access, the researchers successfully tracked the initial stages of the attack.
Exploiting eBPF Technology
Researchers found that hackers have been abusing eBPF (extended Berkeley Packet Filter) technology in their attacks. For your information, eBPF is originally designed to provide better control over the Linux operating system’s network functions.
What’s noteworthy is the growing attention around eBPF, especially after August 2021, when tech giants like Google, Isovalent, Meta, Microsoft, and Netflix collaborated to establish the eBPF Foundation under the Linux Foundation to support the growth and adoption of eBPF technologies.
However, in the ongoing attack, eBPF’s low-level capabilities have allowed attackers to hide network activity, gather sensitive information, and bypass security measures. This has made it difficult for researchers to detect, and a lucrative opportunity for hackers particularly for advanced persistent threat (APT) groups looking to maintain long-term access to a target system.
In this specific campaign, as detailed by Dr. Web in its report published on December 10, the attackers used eBPF to load two rootkits. The first, an eBPF rootkit, hid the presence of a second rootkit, which then dropped a remote access Trojan (Trojan.Siggen28.58279 or Trojan:Win32/Siggen.GR!MTB) capable of tunnelling traffic, allowing attackers to communicate with infected devices even within private networks.
Hiding in Plain Sight: Public Platforms as Command Centers
The threat actors have also changed how they store their malware configurations. Instead of relying on private command-and-control servers, they are using popular, publicly accessible platforms.
The malware analyzed by Dr. Web was found retrieving settings from platforms like GitHub and even a Chinese cybersecurity blog. This tactic makes the malicious traffic appear legitimate, as it combines it with normal network activity. It also eliminates the need for the attackers to maintain separate control infrastructure, which can be more easily detected and shut down.
Nevertheless, since 2023, the use of malicious eBPF software has been on the rise, with several malware families emerging, including Boopkit, BPFDoor, and Symbiote. The discovery of numerous vulnerabilities in eBPF technology has further worsened the situation.
This ongoing cyberattack is yet another example of how far government-backed hackers and cybercriminals are willing to go without fear of consequences. Their tactics, including exploiting advanced technologies like eBPF and using public platforms for configuration storage, make this quite clear.
