
Sophisticated BPFDoor Malware Detected Targeting Linux Systems – Active IOCs

Severity

High

Analysis Summary

Recent findings by researchers reveal that new iterations of the BPFDoor Linux backdoor are leveraging a controller to open reverse shells and gain control of additional hosts within compromised networks. Initially exposed in 2021, BPFDoor is linked to the Chinese state-sponsored threat group known as Red Menshen or Earth Bluecrow. The malware is primarily designed for cyberespionage and stands out for its stealth capabilities, especially its use of Berkeley Packet Filters (BPF) to bypass traditional detection methods.

BPFDoor’s stealth stems from its ability to inspect and monitor network traffic using BPF, even if firewall rules block the packets. This allows it to be activated by specific “magic” packets, a technique more commonly seen in rootkits than backdoors. The malware has likely been active for nearly a decade and has recently targeted telecommunications, financial, and retail sectors in regions such as Hong Kong, Egypt, Malaysia, Myanmar, and South Korea.

The updated version of BPFDoor incorporates a malware controller that can initiate a reverse shell or redirect connections to a shell on a designated port, provided the attacker inputs the correct password. This controller is capable of communicating with infected machines using TCP, UDP, and ICMP protocols, enhancing its versatility and reach.

Because BPFDoor’s source code leaked in 2022, researchers attribute the recent campaigns to Earth Bluecrow with only moderate confidence. The firm warns that the backdoor’s evasive tactics—such as hiding process names and not binding to any ports—make detection extremely difficult. Casual monitoring tools like port scanners are unlikely to uncover its presence, highlighting the need for advanced security measures to identify and mitigate BPFDoor infections.

Impact

  • Command Execution
  • Security Bypass
  • Cyber Espionage

Indicators of Compromise

MD5

  • 7af0e479e50cf2f1c8256f7431b7e0c3
  • 8f05657f0bd8f4eb60fba59cc94fe189
  • a8c54d5b028714be5fdf363957ab8de2
  • 635354ca75e2063c604341cfa7c00372
  • e086fabda4078355c40543d6eafeec91
  • ab5880df0334f56488b37d88771445b5

SHA-256

  • 591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78
  • 93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c
  • 1925e3cd8a1b0bba0d297830636cdb9ebf002698c8fa71e0063581204f4e8345
  • 07a0006381758443a91daa210bf6707ab1f0232284ccc712e247dc8d350a52e4
  • 39d8d80a727ffab6e08ae2b9551f7251a652f4d4edfe5df21d0e2684d042268f
  • 14b1dea80394fb413fff084b0becd1904fd6077189d1ff73208d8d749529e00b

SHA-1

  • 6227cb77cb4ab1d066eebf14e825dbc0a0a7f1e9
  • 65e4d507b1de3a1e4820e4c81808fdfd7e238e10
  • 9bb8977cd5fc7be484286be8124154ab8a608d96
  • 16f94f0df6003f1566b2108f55e247f60a316185
  • 1db21dbf41de5de3686195b839e74dc56d542974
  • 28765121730d419e8656fb8d618b2068408fe5ae

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Implement runtime detection tools like Falco to monitor for unusual use of BPF filters, which can indicate packet sniffing or backdoor activities.
  • Utilize security solutions such as Qualys Multi-Vector EDR to detect and remediate BPFDoor infections effectively.
  • Monitor for the creation of abnormal PID or lock files in directories like /var/run, as these can be indicators of BPFDoor's presence.
  • Be vigilant for processes masquerading as legitimate system daemons, a common tactic used by BPFDoor to evade detection.
  • Regularly inspect iptables rules for unauthorized modifications that could facilitate malicious traffic redirection.
  • Conduct thorough network traffic analysis to identify unusual patterns or communications that may signify a backdoor.
  • Stay informed about the latest threat intelligence reports and updates related to BPFDoor to enhance detection and response strategies.
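The remediation steps above call for hunting processes that sniff traffic with a packet socket and BPF filter, bind no listening port, and masquerade under a system-daemon name. The script below is an added example written for this advisory, not Rewterz's own tooling or anything from the BPFDoor research it summarises. It reads the kernel's own views (/proc/net/packet for AF_PACKET sockets, /proc/net/tcp for LISTEN sockets, each process's exe, comm and cmdline) and raises a finding only when a sniffing process also lies about its identity. Function names, the ProcessRecord type, and the sample /proc text and process records are constructed for illustration; the flagged backdoor path is a placeholder, not an indicator from the advisory.

```python
"""Heuristic hunt for BPFDoor-style behaviour on a Linux host (added example)."""
import os
import re
from dataclasses import dataclass


@dataclass
class ProcessRecord:
    pid: int
    comm: str                    # /proc/<pid>/comm, the kernel's short name (15 chars)
    cmdline: str                 # /proc/<pid>/cmdline with NUL separators turned into spaces
    exe: str                     # readlink of /proc/<pid>/exe ("" if unreadable)
    packet_sockets: int          # AF_PACKET sockets the process holds (its sniffing channel)
    listening_ports: tuple = ()  # TCP ports in LISTEN state owned by the process


def parse_proc_net_packet(text: str) -> set:
    """Socket inodes of every AF_PACKET socket listed in /proc/net/packet (header skipped)."""
    inodes = set()
    for line in text.splitlines()[1:]:
        cols = line.split()          # sk RefCnt Type Proto Iface R Rmem User Inode
        if len(cols) >= 9 and cols[8].isdigit():
            inodes.add(int(cols[8]))
    return inodes


def parse_listening_tcp(text: str) -> dict:
    """Map socket inode -> local port for LISTEN rows (st == 0A) of /proc/net/tcp or tcp6."""
    listeners = {}
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 10 and cols[3] == "0A":
            listeners[int(cols[9])] = int(cols[1].rsplit(":", 1)[1], 16)
    return listeners


def assess(rec: ProcessRecord) -> dict:
    """Tag -> explanation for traits matching the advisory; empty dict when not a sniffer."""
    if rec.packet_sockets == 0:
        return {}                    # no packet socket: not this pattern at all
    reasons = {"packet_socket": "holds %d AF_PACKET socket(s)" % rec.packet_sockets}
    if not rec.listening_ports:
        reasons["no_listener"] = "binds no listening TCP port (passive magic-packet pattern)"
    actual = os.path.basename(rec.exe)
    claimed = os.path.basename(rec.cmdline.split()[0]) if rec.cmdline.strip() else ""
    mismatch = []
    if actual and claimed and claimed != actual:
        mismatch.append("cmdline claims '%s' but exe is %s" % (claimed, rec.exe))
    if actual and rec.comm and not actual.startswith(rec.comm):
        mismatch.append("comm '%s' does not match exe %s" % (rec.comm, rec.exe))
    if mismatch:                     # renamed argv/comm is how the daemon masquerade shows up
        reasons["name_mismatch"] = "; ".join(mismatch)
    return reasons


def hunt(records) -> dict:
    """pid -> reasons, only for processes that both sniff and misreport their name.
    tcpdump or a DHCP client also holds a packet socket, so a socket alone is not a finding."""
    findings = {}
    for rec in records:
        reasons = assess(rec)
        if reasons and "name_mismatch" in reasons:
            findings[rec.pid] = reasons
    return findings


def collect_live() -> list:
    """Build records from the running host's /proc (run as root to see every process's fds)."""
    with open("/proc/net/packet") as f:
        pkt_inodes = parse_proc_net_packet(f.read())
    listeners = {}
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(path):
            with open(path) as f:
                listeners.update(parse_listening_tcp(f.read()))
    records = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = "/proc/" + pid
        try:
            comm = open(base + "/comm").read().strip()
            raw = open(base + "/cmdline", "rb").read().replace(b"\0", b" ")
            exe = os.readlink(base + "/exe")
            inodes = set()
            for fd in os.listdir(base + "/fd"):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(base + "/fd/" + fd))
                if m:
                    inodes.add(int(m.group(1)))
        except OSError:
            continue                 # process exited, or a kernel thread / unreadable pid
        ports = tuple(sorted(listeners[i] for i in inodes if i in listeners))
        records.append(ProcessRecord(int(pid), comm, raw.decode(errors="replace").strip(),
                                     exe, len(inodes & pkt_inodes), ports))
    return records


# Constructed sample data (not taken from any real host or from the advisory).
SAMPLE_PROC_NET_PACKET = (
    "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "ffff9a1c 3      3    0003   2     1 0      0      41337\n"
)
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
)
SAMPLE_RECORDS = [
    # sniffs, no listener, claims to be dbus-daemon while running from a placeholder path
    ProcessRecord(4242, "dbus-daemon", "/usr/sbin/dbus-daemon --system",
                  "/tmp/.hidden/example-backdoor", packet_sockets=1),
    # legitimate capture tool: sniffs, but its name and exe agree
    ProcessRecord(5151, "tcpdump", "tcpdump -i eth0 -w out.pcap", "/usr/bin/tcpdump", 1),
    # ordinary daemon with a listener and no packet socket
    ProcessRecord(6161, "sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd", 0, (22,)),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_RECORDS).items():
        print(pid, reasons)
```

On a live host call `hunt(collect_live())` as root; `ss -0pb` from iproute2 is a quick manual cross-check, since it lists packet sockets with their owning process and attached BPF program. Treat a hit as a lead, not a verdict: confirm against the advisory's hashes and the /var/run PID/lock-file and iptables checks above before acting.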