A Linux backdoor named Bvp47 is reported to have stayed under the radar for over a decade and to have been used against highly targeted systems.
Samples of Bvp47 were first reported in 2013, and the backdoor has been linked to the Equation Group, which is associated with the US NSA. Researchers attribute it to an APT and note that Bvp47 has been used against over 287 organizations across various sectors in 45 countries since its inception. They have also described its modus operandi.
Equation Group – A US APT
Advanced Persistent Threats (APTs) are highly specialized hacking groups, typically formed and maintained by national governments, mostly for espionage. The Equation Group, one of the US APTs, is a highly skilled group that built the Linux backdoor Bvp47.
Although the group covers the traces of its operations, a forensic investigation by Pangu Lab, a Chinese cybersecurity company, in 2013 uncovered the technical details of Bvp47, and the sample was submitted to VirusTotal, an antivirus scanning database.
Since then, no other antivirus engine has flagged it, despite the APT using it in various attacks in recent years. Pangu Lab researchers said that the Bvp47 sample is an advanced Linux backdoor whose remote-control function is protected by the RSA asymmetric cryptography algorithm.
To analyze it further, the researchers needed the private key that unlocks this protection. They obtained it from the dump published by the Shadow Brokers in 2016-2017, which contained not only the required private key but also the hacking tools and zero-day exploits used by the Equation Group, the NSA's cyberattack team.
Kaspersky's Threat Attribution Engine (KTAE) has since also identified and flagged it. Pangu Lab researchers also said that Bvp47 has been used against 287 organizations in 45 countries, with the main targeted sectors being telecom, military, higher education, economics, and science.