Recently identified iterations of the BPFDoor Linux backdoor rely on a controller to open a reverse shell and control additional hosts on the network, Trend Micro reports.
Initially detailed in 2021, BPFDoor is a backdoor attributed to a Chinese state-sponsored threat actor tracked as Red Menshen and Earth Bluecrow. It focuses on detection evasion, allowing attackers to maintain long-term access to infected networks.
Likely active for nearly a decade, the backdoor has been used over the past year in attacks against telecommunications, financial services, and retail entities in Hong Kong, Egypt, Malaysia, Myanmar, and South Korea.
Designed for cyberespionage, the malware stands out for its use of Berkeley Packet Filters (BPF) for stealth network traffic monitoring and command-and-control (C&C) communication.
BPFDoor uses a BPF filter to inspect network traffic regardless of the Linux firewall's rules, which allows its operator to activate the backdoor with packets containing magic byte sequences even when the firewall would block them. Such features, Trend Micro notes, are typically found in rootkits rather than backdoors.
In recent attacks, the backdoor was seen working with a malware controller that allows the attackers to open a reverse shell or to redirect connections to a shell on a specific port. The controller validates each received command with a password supplied by the attacker.
“Apart from using different connection modes, the controller is versatile enough to control infected machines using the three protocols supported by BPFDoor – TCP, UDP, and ICMP,” Trend Micro explains.
The cybersecurity firm also discovered that the controller can directly connect to an infected machine over TCP to open a shell, should the correct password be provided.
Trend Micro also notes that, because the backdoor's source code was leaked online in 2022, the recently observed attacks can be attributed to Earth Bluecrow only with moderate confidence. It urges administrators to adopt strong defense measures to detect potential BPFDoor compromises.
“A backdoor like this can stay hidden in a network for a long time, and casual security sweeps such as port scans won’t see anything unusual. It also has evasion techniques, such as how it can change process names and how the backdoor does not listen to any port, making it difficult for system administrators to suspect that something is wrong with the servers,” Trend Micro notes.
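The two evasion properties described above (a BPF filter on a socket rather than a listening port, and a process that renames itself) leave a footprint that port scans miss but a host-level check can find: the packet socket still appears in /proc/net/packet, and the process holding it still has that socket's inode among its open descriptors. The following script is an added illustration of that hunt, written for this article and not code from Trend Micro or from the malware. The sample /proc/net/packet text and process table are constructed, the masquerading process name and path are placeholders rather than indicators from any report, and the allow-list of expected packet-socket users is an assumed baseline to be tuned per host.

```python
"""Hunt for user-space processes holding AF_PACKET (raw) sockets on Linux.

A backdoor that attaches a BPF filter to a packet socket needs no listening
TCP/UDP port, so `ss -ltn` and port scans show nothing. The socket is still
listed in /proc/net/packet, and its inode is still visible under the holding
process's /proc/<pid>/fd. This script cross-references the two and flags
holders that are not expected sniffers, whose process name (comm) does not
match their executable, or whose executable lives in a temp directory.
"""
import os
from dataclasses import dataclass, field

# Assumed baseline of legitimate packet-socket users; tune per environment.
EXPECTED_PACKET_SOCKET_USERS = {
    "tcpdump", "dhclient", "NetworkManager", "systemd-networkd",
    "wpa_supplicant", "lldpd", "nmap",
}

# Constructed sample of /proc/net/packet (same column layout as the kernel's).
# Proto 0003 is ETH_P_ALL (all frames), 0800 is ETH_P_IP.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      21994
0000000000000000 3      3    0800   0     1 0      0      30911
"""

# Constructed process table: pid -> (comm, exe, open socket inodes).
# pid 1337 is a hypothetical process masquerading as sshd; placeholder values only.
SAMPLE_PROCESSES = {
    812: ("dhclient", "/usr/sbin/dhclient", {21994, 21995}),
    1337: ("sshd", "/dev/shm/placeholder_bin", {30911}),
    2201: ("nginx", "/usr/sbin/nginx", {40001}),
}


@dataclass
class Holder:
    pid: int
    comm: str
    exe: str
    protos: set
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_packet_sockets(text: str) -> dict:
    """Map socket inode -> ethernet protocol (hex string) from /proc/net/packet text."""
    inodes = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 9:
            continue
        inodes[int(fields[8])] = fields[3]
    return inodes


def audit(packet_text: str, processes: dict, expected=EXPECTED_PACKET_SOCKET_USERS) -> list:
    """Return every process holding a packet socket, with reasons it looks suspicious (if any)."""
    packet_inodes = parse_packet_sockets(packet_text)
    holders = []
    for pid, (comm, exe, inodes) in processes.items():
        owned = inodes & set(packet_inodes)
        if not owned:
            continue
        h = Holder(pid, comm, exe, {packet_inodes[i] for i in owned})
        if comm not in expected:
            h.reasons.append("not an expected packet-socket user")
        if os.path.basename(exe) != comm:
            h.reasons.append("comm differs from executable name")
        if exe.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
            h.reasons.append("executable in world-writable temp path")
        holders.append(h)
    return holders


def read_live_processes() -> dict:
    """Build pid -> (comm, exe, socket inodes) from a real /proc (Linux; root needed for other users' fds)."""
    procs = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            inodes = set()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    inodes.add(int(target[8:-1]))
        except OSError:  # process exited or permission denied
            continue
        procs[pid] = (comm, exe, inodes)
    return procs


if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        live = audit(f.read(), read_live_processes())
    for h in live:
        flag = "SUSPICIOUS" if h.suspicious else "ok"
        print(f"{flag:10} pid={h.pid} comm={h.comm} exe={h.exe} protos={sorted(h.protos)} {h.reasons}")
```

Against the constructed sample, `audit()` reports dhclient as an expected holder and flags the /dev/shm process on all three counts; on a live host, run it as root and treat any unexplained holder of an ETH_P_ALL (0003) socket as worth a closer look, since a legitimate daemon rarely needs to see every frame.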