TrendMicro

BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets

Key Takeaways

  • BPFDoor is a state-sponsored backdoor designed for cyberespionage activities. Through our investigation of BPFDoor attacks, we unearthed a controller that hasn’t been observed being used anywhere else. We attribute this controller to Red Menshen, an advanced persistent threat (APT) group that Trend Micro tracks as Earth Bluecrow.
  • The controller could open a reverse shell. This could enable lateral movement, letting attackers move deeper into compromised networks to control more systems or reach sensitive data.
  • According to our telemetry, recent BPFDoor attacks zero in on the telecommunications, finance, and retail sectors, with attacks observed in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.
  • BPFDoor is equipped with stealthy defense evasion techniques. Trend Vision One™ Network Security has TippingPoint Intrusion Prevention and Deep Discovery Inspector (DDI) rules available to Trend Micro customers to protect them against this threat.

With contributions from Mohammad Mokbel, Daniel Lunghi, Feike Hacquebord, and Carl Jayson Peliña

Introduction

The stealthy rootkit-like malware known as BPFDoor (detected as Backdoor.Linux.BPFDOOR) is a backdoor with strong stealth capabilities, most of them related to its use of Berkeley Packet Filtering (BPF).

In a previous article, we covered how BPFDoor and BPF-enabled malware work. BPF is a technology for executing code in the operating system’s kernel virtual machine. It has been around for more than 20 years and received a lot of attention after 2014, when eBPF (short for extended BPF at the time) was released.

BPFDoor uses the packet filtering features of BPF, sometimes called classic BPF (cBPF). The BPFDoor malware loads a filter that inspects network packets before they reach the upper layers of the operating system’s network stack, such as netfilter (the Linux firewall) or any traffic-capturing tool.

The filter loaded by BPFDoor enables the malware to be activated by network packets containing “magic sequences” – a set of byte sequences defined by the threat actor that tells the backdoor on the infected machine to perform an action. Other malware, such as Symbiote, also makes use of BPF to deliver a similar functionality.

Because of how BPF is implemented in the targeted operating system, the magic packet triggers the backdoor despite being blocked by a firewall. As the packet reaches the kernel’s BPF engine, it activates the resident backdoor. While these features are common in rootkits, they are not typically found in backdoors.

A backdoor like this can stay hidden in a network for a long time, and casual security sweeps such as port scans won’t see anything unusual. It also has evasion techniques, such as changing its process name and not listening on any port, making it difficult for system administrators to suspect that something is wrong with their servers. This makes BPFDoor a perfect tool for long-term espionage.
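Because a filter attached with classic BPF has to be bound to a socket, a process that receives “magic packets” this way must hold an AF_PACKET socket, and Linux lists those in /proc/net/packet regardless of what the process calls itself. The following host-hunting script is an added example, not code from the article or from Trend Micro: it parses /proc/net/packet, maps each socket inode back to the process that owns it through /proc/<pid>/fd, and prints the process’s comm name next to its real executable and command line so that a renamed process stands out. The /proc/net/packet content embedded in the script is a constructed sample used only for the parser.

```python
"""Hunt for processes holding raw packet sockets on a Linux host.

Added example, not part of the Trend Micro article. The sample
/proc/net/packet text below is constructed; the live functions read
the real files on the machine they run on.
"""
import os
from typing import Dict, List, Optional

# Constructed sample of /proc/net/packet: a header line followed by one
# record per packet socket. Type 3 is SOCK_RAW; Inode is the key we need.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c3b2d4e00 3      3    0003   2     1 0      0      123456
ffff9a1c3b2d5f00 3      3    0003   0     1 0      1000   654321
"""


def parse_packet_sockets(text: str) -> List[Dict[str, str]]:
    """Turn /proc/net/packet text into a list of {column: value} records."""
    lines = text.strip().splitlines()
    if not lines:
        return []
    header = lines[0].split()
    records = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):      # skip malformed lines
            continue
        records.append(dict(zip(header, fields)))
    return records


def socket_inodes(text: str) -> List[int]:
    """Inode numbers of every packet socket listed in the given text."""
    return [int(rec["Inode"]) for rec in parse_packet_sockets(text)]


def owner_of_inode(inode: int) -> Optional[int]:
    """Walk /proc/<pid>/fd and return the pid whose fd links to socket:[inode]."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                try:
                    if os.readlink(os.path.join(fd_dir, fd)) == target:
                        return int(pid)
                except OSError:
                    continue
        except OSError:               # process exited or not ours to read
            continue
    return None


def describe_process(pid: int) -> Dict[str, str]:
    """Collect comm, exe and cmdline so a spoofed process name is visible."""
    def read_text(path: str) -> str:
        try:
            with open(path, "rb") as fh:
                return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            return "?"
    try:
        exe = os.readlink(f"/proc/{pid}/exe")   # shows "(deleted)" if unlinked
    except OSError:
        exe = "?"
    return {"pid": str(pid), "comm": read_text(f"/proc/{pid}/comm"),
            "exe": exe, "cmdline": read_text(f"/proc/{pid}/cmdline")}


def hunt() -> List[Dict[str, str]]:
    """Live scan: every packet socket on this host with its owning process."""
    with open("/proc/net/packet") as fh:
        inodes = socket_inodes(fh.read())
    findings = []
    for inode in inodes:
        pid = owner_of_inode(inode)
        if pid is not None:
            findings.append(describe_process(pid))
    return findings


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

Run it as root so every process’s fd table is readable. Legitimate software (packet capture tools, DHCP clients, LLDP daemons) also holds packet sockets, so the output is a triage list rather than a verdict; the signal to look for is a comm name that does not match the executable path, an executable marked deleted, or a binary living in an unexpected location such as the paths listed later in this article.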

Background and latest targets

BPFDoor has been active for at least four years, with a report by PwC mentioning multiple incidents involving it in 2021. The same report also attributed the backdoor to Red Menshen.

This advanced persistent threat (APT) group, which Trend Micro tracks as Earth Bluecrow, is still actively targeting companies in the Asia, Middle East, and Africa (AMEA) region according to our telemetry.

Date            Country       Industry
December 2024   South Korea   Telecommunications
December 2024   Myanmar       Telecommunications
October 2024    Malaysia      Retail
September 2024  Egypt         Financial services
July 2024       South Korea   Telecommunications
January 2024    Hong Kong     Telecommunications

Table 1. Country and industry distribution of companies targeted by BPFDoor in 2024

The threat actor targeted Linux servers in the aforementioned organizations. They used different paths to hide the malware, such as /tmp/zabbix_agent.log, /bin/vmtoolsdsrv, and /etc/sysconfig/rhn/rhnsd.conf. Investigation into which initial entry point was used is still ongoing.

Among the targeted servers, we found a malware controller used to access other affected hosts in the same network after lateral movement. In some cases, more than one server was compromised.

This shows that Earth Bluecrow is actively controlling BPFDoor-infected hosts and uploading additional tools for later use. This specific controller file hasn’t been observed being used anywhere else.

BPFDoor controller

The controller reveals some interesting details on the techniques wielded by this threat actor.

Before sending one of the “magic packets” checked by the BPF filter inserted by BPFDoor malware, the controller asks its user for a password that will also be checked on the BPFDoor side.

Depending on the password provided and the command-line options used, the controller asks the infected machine to perform one of these actions:

  • Open a reverse shell
  • Redirect new connections to a shell on a specific port
  • Confirm the backdoor is active

Below is a list of the supported options:

Option  Description
-b      Listen on a specified TCP port (spawn a shell if it receives a connection)
-c      Turn on encryption
-d      Destination port on the infected host (any open port)
-f      Set a different magic sequence for the TCP or UDP protocols
-h      Destination host (the infected machine to control)
-i      ICMP mode
-l      Set the remote host the infected machine will connect to (reverse shell)
-m      Set the local IP address as the remote host; overrides the -l option
-n      Do not use a password (check whether the backdoor is alive)
-o      Set the magic sequence to 0x7155
-p      Set the password; if absent, the program asks for one interactively
-s      The remote port the infected machine will connect to (reverse shell)
-t      Unused
-u      UDP mode
-w      TCP mode
-x      Set the magic sequence for ICMP

The password sent by the controller must match one of the hard-coded values in the BPFDoor sample. In the sample that was paired up with the controller we found, the malware prefixes the clear-text password with a fixed salt, calculates its MD5 hash, and compares it with the hard-coded values, as shown in the screenshot below:
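The check described above is easy to reproduce for analysis purposes: during an investigation, an analyst who has extracted the salt and the hard-coded digests from a sample can confirm whether a password recovered elsewhere (for example, from a captured controller session) is one the backdoor would accept, and which of the hard-coded entries it matches. The script below is an added example, not code from the article or from any BPFDoor sample; the salt, the candidate passwords and the digest table are constructed placeholders, and the digest table is built with the same salted-MD5 routine so the example runs without real indicators.

```python
"""Reproduce a salt-prefixed MD5 password check for sample analysis.

Added example, not part of the Trend Micro article. SALT and the
passwords used to build KNOWN_DIGESTS are constructed placeholders;
in real analysis both the salt and the digests come from the sample.
"""
import hashlib
import hmac
from typing import Dict, Optional

SALT = "placeholder-salt-"          # constructed, not a real value


def salted_md5(password: str, salt: str = SALT) -> str:
    """MD5 of salt + clear-text password, hex-encoded (the compared form)."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


# Constructed stand-in for the digest table an analyst would extract from a
# sample, keyed by hex digest; the label says which entry matched.
KNOWN_DIGESTS: Dict[str, str] = {
    salted_md5("placeholder-password-A"): "entry A",
    salted_md5("placeholder-password-B"): "entry B",
}


def identify_password(candidate: str, salt: str = SALT,
                      table: Dict[str, str] = KNOWN_DIGESTS) -> Optional[str]:
    """Return the label of the hard-coded entry a candidate password matches.

    Comparison uses hmac.compare_digest so the check itself does not leak
    timing information; returns None when no entry matches.
    """
    digest = salted_md5(candidate, salt)
    for known, label in table.items():
        if hmac.compare_digest(digest, known):
            return label
    return None


if __name__ == "__main__":
    for candidate in ("placeholder-password-A", "wrong-guess"):
        print(candidate, "->", identify_password(candidate))
```

Because the salt is prefixed before hashing, an unsalted MD5 of the password never matches the stored value; any hash lookup or comparison done during analysis must include the exact salt bytes recovered from the binary.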
