A Decades-old Linux Backdoor has been Discovered

Bvp47, linked to the NSA, originally discovered in 2013 by Advanced Cyber Security Research and widely ignored, has finally been detected and tagged.

Back in 2013, during a forensic investigation, the Advanced Cyber Security Research team from Pangu Lab discovered a rather elusive piece of malware. Between 2016 and 2017, the hacker collective, The Shadow Brokers, leaked a large amount of data that was allegedly stolen from the Equation Group (with links to the NSA) that contained a number of hacking tools and exploits. Around the same time, the group leaked another data dump that contained a list of servers that had been hacked by the Equation Group. 

According to the Advanced Cyber Security Research team, Bvp47 was used to target the telecom, military, higher-education, economic, and science sectors and hit more than 287 organizations in 47 countries. These attacks lasted over a decade as the malicious code was created so the hackers could retain long-term control over an infected device. And because the attack used zero-day vulnerabilities, there was no defense against it.

The Pangu Lab operation was code-named "Operation Telescreen," and it found that this backdoor requires a check code bound to the host in order to function normally. They also determined Bvp47 to be a top-tier APT backdoor.

There is no indication that Bvp47 is still in use today. But given the nature of the exploit, it wouldn't come as a shock to any research lab to discover those leaked tools had been used to cobble together even more dangerous malware.

Read the Pangu Lab report to find out more.

02/24/2022
