This Linux backdoor went undetected for 10 years

Bvp47 malware was used in hundreds of attacks over the past decade

New details have emerged regarding a previously undetected Linux backdoor that is believed to have been created by the notorious Equation Group, which has ties to the US National Security Agency (NSA).

According to a new report from the cybersecurity firm Pangu, security researchers from its Advanced Cyber Security Research team first found the malware behind the backdoor back in 2013 while conducting a “forensic investigation of a host in a key domestic department”. At that time, the team decided to name the malware Bvp47 because the most common string in the sample was “Bvp” and 0x47 was the numerical value used in its encryption algorithm.

Despite the fact that Bvp47 was submitted to VirusTotal’s antivirus database almost a decade ago, it was detected by only one antivirus engine. Things have changed with the release of Pangu’s report, and it has now been flagged by six antivirus engines, according to BleepingComputer.

During the almost ten years that the Bvp47 malware went undetected, it was used to hit more than 287 organizations in 45 countries with a focus on targets in the telecommunications, military, higher-education, financial and science sectors.

Ties to the Equation Group

The Bvp47 sample that was obtained from Pangu’s Advanced Cyber Security Research team back in 2013 turned out to be an advanced Linux backdoor that also contained a remote control function protected using the RSA asymmetric encryption algorithm.

As such, it requires a private key to enable, and this private key was found in a series of leaks published by the Shadow Brokers hacking group during 2016-2017. The leaks themselves also contained hacking tools and zero-day exploits used by the Equation Group, which is suspected of having ties to the NSA’s Tailored Access Operations unit.

Some of the components found in these leaks, such as “dewdrop” and “solutionchar_agents”, were integrated into the Bvp47 framework, which indicates that its backdoor could be used on Unix-based operating systems such as the mainstream Linux distros, JunOS, FreeBSD and Solaris.

Based on automated analysis of the backdoor by Kaspersky’s Threat Attribution Engine (KTAE), 34 out of 483 strings found in Bvp47 match those from another Equation Group-related sample for Solaris SPARC systems. There was also a 30 percent similarity with another malware sample from the Equation Group which was submitted to VirusTotal back in 2018.
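The two observations above, that “Bvp” was the most frequent string in the sample and that 34 of 483 strings matched another Equation Group sample, both come from plain string-level triage of a binary. The script below is an added example, not Pangu’s or Kaspersky’s tooling, that reproduces the two steps on constructed toy byte blobs (labelled as such; they are not Bvp47 bytes): it extracts printable ASCII runs the way the `strings` utility does, ranks the most common tokens, and measures the string overlap between two samples as a shared count and a Jaccard ratio.

```python
"""String-based triage of an unknown binary (added example, not the original
article's or any vendor's code). Two steps: rank the most frequent tokens, and
measure how many strings two samples share."""
import re
from collections import Counter

# Constructed toy samples standing in for ELF binaries. These are NOT real
# Bvp47 bytes; the "Bvp_*" names are invented to mirror the naming story.
SAMPLE_A = b"\x00".join([
    b"\x7fELF\x02\x01\x01",
    b"Bvp_init", b"\x90\x90\x31\xc0",
    b"Bvp_tick", b"\xde\xad\xbe\xef",
    b"/usr/lib/libc.so.6",
    b"Bvp_send", b"\x00\x00\x47",
    b"Bvp_recv", b"socket", b"connect", b"socket",
])
SAMPLE_B = b"\x00".join([
    b"\x7fELF\x02\x01\x01",
    b"Bvp_init", b"Bvp_send", b"/usr/lib/libc.so.6",
    b"getpid", b"fork", b"socket",
])


def extract_strings(blob, min_len=4):
    """Return printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def top_tokens(strings, n=5, min_len=3):
    """Split strings on non-alphanumerics and return the n most common tokens.
    Tokens rather than whole strings are counted so a shared prefix such as
    'Bvp' in 'Bvp_init', 'Bvp_send', ... surfaces as one frequent token."""
    counter = Counter()
    for s in strings:
        for tok in re.split(r"[^A-Za-z0-9]+", s):
            if len(tok) >= min_len:
                counter[tok] += 1
    return counter.most_common(n)


def string_overlap(blob_a, blob_b, min_len=4):
    """Compare the unique string sets of two samples.
    Returns (shared_count, unique_in_a, jaccard_ratio)."""
    set_a = set(extract_strings(blob_a, min_len))
    set_b = set(extract_strings(blob_b, min_len))
    shared = set_a & set_b
    union = set_a | set_b
    jaccard = len(shared) / len(union) if union else 0.0
    return len(shared), len(set_a), jaccard


def triage_report(blob_a, blob_b):
    """Bundle both checks so a caller gets one dict of results."""
    strings_a = extract_strings(blob_a)
    shared, unique_a, jaccard = string_overlap(blob_a, blob_b)
    return {
        "string_count": len(strings_a),
        "top_tokens": top_tokens(strings_a, n=3),
        "shared_strings": shared,
        "unique_strings_a": unique_a,
        "jaccard": jaccard,
    }


if __name__ == "__main__":
    report = triage_report(SAMPLE_A, SAMPLE_B)
    # Prints the most common token first (expected: ('Bvp', 4) on the toy data)
    # and the overlap in the same "N of M strings match" shape KTAE reports.
    print("top tokens:", report["top_tokens"])
    print(f"{report['shared_strings']} of {report['unique_strings_a']} "
          f"strings match (Jaccard {report['jaccard']:.2f})")
```

On real samples the string sets run into the hundreds or thousands, so the raw shared count should always be read alongside the ratio: 34 of 483 is a weak signal on its own, and only becomes meaningful when, as in the article, it sits next to a second independent similarity measure.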

Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, told BleepingComputer that Bvp47’s code-level similarities also match one other sample in its malware collection. This is a good indication that use of this malware wasn’t widespread, as is often the case with hacking tools created by high-level threat actors that only deploy them in highly targeted attacks.

Now that Bvp47’s Linux backdoor has finally come to light, security researchers will likely conduct further analysis on it and we could see more evidence that it was used in other past attacks as well.

Via BleepingComputer

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.