BPFDoor Targeting Linux Systems

A completely new and previously unreported form of BPFdoor was recently discovered and examined by Deep Instinct’s threat lab.

The malware’s use of a Berkley Packet Filter, an unusual method of obtaining instructions and avoiding detection that gets beyond firewall limits on incoming traffic, gives it its name.

The malware is linked to Red Menshen (Red Dev 18). This Chinese threat actor has been seen targeting political, educational, and logistical institutions and telecommunications companies in Asia and the Middle East since 2021.

BPFDoor Targeting Linux Systems

To establish a persistent, long-term footing in already-breached networks and environments, BPFdoor is a Linux-specific, low-profile, passive backdoor that primarily ensures that an attacker can re-enter an infected machine for an extended time after compromise.

BPFdoor was initially known for its practical and elegant design and a strong emphasis on stealth, which is critical in ensuring undetected long-term persistence.

Differences between the old and new versions

The malware’s commands and filenames were hard-coded, and it employed RC4 encryption, bind shell, and iptables for communication until 2022.

The more recent variant examined by Deep Instinct includes reverse shell communication, static library encryption, and all commands sent by the C2 server.

In addition, by deleting hardcoded commands, malware will be less likely to be discovered by anti-virus software that uses static analysis, such as signature-based detection. It supposedly also grants it greater flexibility by enabling a more comprehensive range of command sets.

When BPFDoor is initially run, it locks a runtime file at “/var/run/initd.lock,” forks itself to operate as a child process, and then instructs itself to ignore different OS signals that would interrupt it.

OS signals the malware is set to ignore

To monitor incoming traffic for a “magic” byte sequence (“x44x30xCDx9Fx5Ex14x27x66”), the malware will allocate a memory buffer and start a packet sniffing socket.

Looking for the magic byte sequence

To read only UDP, TCP, and SCTP traffic through ports 22 (ssh), 80 (HTTP), and 443 (HTTPS), BPFDoor, at this point, connect a Berkley Packet Filter to the socket.

BPFDoor runs so low that any firewall limitations on the compromised computer won’t affect this sniffing activity.

The malware creates a reverse shell and waits for a command from the server after connecting to the C2.

Operational diagram

Researchers concluded by saying, “BPFdoor retains its reputation as an extremely stealthy and difficult-to-detect malware with this latest iteration.”

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.