BPFDoor Malware Evolves – Stealthy Sniffing Backdoor ups its Game | Deep Instinct

BPFdoor is a Linux-focused stealth backdoor designed for long-term persistence, attributed to the Red Menshen (Red Dev 18) threat actor. A new 2023 variant removes many hardcoded indicators, replaces RC4 with a statically linked libtomcrypt for its encrypted reverse shell, and uses a Berkeley Packet Filter (BPF) attached to a packet socket to sniff traffic for commands and C2 details, so it needs no listening port that a host firewall could block. Hashtags: #BPFdoor #RedMenshen #RedDev18 #libtomcrypt #DeepInstinct

Keypoints

  • BPFdoor is a Linux-specific, stealthy backdoor designed for long-term, persistent access after initial compromise.
  • The activity is linked to the Chinese threat actor Red Menshen (aka Red Dev 18) targeting telecoms, government, education, and logistics sectors in the Middle East and Asia since 2021.
  • A new, stealthier 2023 variant removes many hardcoded indicators and replaces RC4 with a statically linked libtomcrypt for encrypted reverse-shell communications.
  • The 2023 variant attaches a Berkeley Packet Filter (BPF) to a packet socket to sniff inbound traffic and receive commands; because a packet socket sees frames before the host firewall filters them, no listening port is needed.
  • The malware creates a runtime mutex at /var/run/initd.lock, forks, and detaches from its parent, and ignores several signals so that it is harder to terminate.
  • It looks for a “magic” byte sequence in the filtered traffic to trigger C2 actions, then connects to a C2 IP:Port extracted from the payload.
  • The sample had 0 VirusTotal detections across multiple scans as of Feb 2023 and was still undetected when the article was published.
  • Notable IOCs include the BPFDoor ELF SHA256 hash and the /var/run/initd.lock mutex file.

MITRE Techniques

  • [T1205] Traffic Signaling – Attacker employs “magic” values to trigger a response. “Magic byte sequence: \x44\x30\xCD\x9F\x5E\x14\x27\x66”
  • [T1205.002] Traffic Signaling: Socket Filters – Attacker attaches a filter to a network socket, specifically a Berkeley Packet Filter. “attaches filter to a network socket”
  • [T1573] Encrypted Channel – Attacker employs encrypted Command & Control communication. “pre-compiled version of libtomcrypt … set up a secure and encrypted ‘reverse-shell’ session with its Command & Control”
  • [T1106] Native API – Attacker calls upon native OS APIs in order to execute behaviors. “Usage of popen”
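A network-side check for the T1205 traffic-signaling item above, written as an added example (not code from the Deep Instinct article or from the malware): it parses a raw IPv4 packet, strips the TCP/UDP/ICMP header, and reports whether the magic byte sequence quoted on this page occurs in the transport payload. The page does not state at which offset the magic sequence appears, so the scan searches the whole payload rather than a fixed position; the packet builders and sample packets are constructed here only to make the example runnable offline.

```python
"""Scan IPv4 packets for the BPFDoor traffic-signaling magic sequence.

Added example, not the article's or the malware's code. Assumption: the magic
sequence lands somewhere in the L4 payload, so the full payload is searched.
"""
import struct

# Magic byte sequence quoted on the page (T1205).
MAGIC = b"\x44\x30\xCD\x9F\x5E\x14\x27\x66"

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def ipv4_payload(packet):
    """Return (protocol, l4_payload) for an IPv4 packet without link-layer header.

    Malformed or truncated packets yield (None, b"") so they never match.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None, b""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        return None, b""
    l4 = packet[ihl:total_len]
    if proto == IPPROTO_TCP:
        if len(l4) < 20:
            return proto, b""
        doff = (l4[12] >> 4) * 4          # TCP data offset, in bytes
        return proto, (l4[doff:] if doff >= 20 else b"")
    if proto in (IPPROTO_UDP, IPPROTO_ICMP):
        return proto, l4[8:]              # both have an 8-byte header
    return proto, l4


def has_magic(packet):
    """True if the magic sequence occurs anywhere in the transport payload."""
    _, payload = ipv4_payload(packet)
    return MAGIC in payload


# --- constructed sample packets (checksums left zero; not real captures) ---

def build_ipv4(proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + l4


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_tcp(sport, dport, payload):
    # 20-byte header: data offset 5, flags PSH|ACK.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


SIGNAL_UDP = build_ipv4(IPPROTO_UDP, build_udp(40000, 53, b"\x00" * 4 + MAGIC + b"constructed filler"))
BENIGN_TCP = build_ipv4(IPPROTO_TCP, build_tcp(40000, 80, b"GET / HTTP/1.1\r\n\r\n"))


if __name__ == "__main__":
    for name, pkt in (("signal_udp", SIGNAL_UDP), ("benign_tcp", BENIGN_TCP)):
        print(f"{name}: magic={'yes' if has_magic(pkt) else 'no'}")
```

The same byte pattern can be expressed as a content match in an IDS signature; the point of parsing the headers here is to avoid false positives from the sequence straddling a header boundary and to drop truncated packets instead of matching on garbage.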

Indicators of Compromise

  • [SHA256] BPFDoor ELF SHA256 – afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7
  • [File] Mutex file – /var/run/initd.lock – BPFDoor “mutex”
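A host-side hunt covering the packet-socket sniffing described in the Keypoints and the mutex-file IOC above, written as an added example (not code from the article): it reads /proc/net/packet to list AF_PACKET sockets, maps their inodes back to the owning processes through /proc/<pid>/fd, and checks for /var/run/initd.lock. The sample /proc/net/packet text and fd map are constructed so the parsing logic runs offline; the column layout (sk, RefCnt, Type, Proto, Iface, R, Rmem, User, Inode) is the kernel's.

```python
"""Hunt for BPFDoor-style packet sniffers on a Linux host.

Added example, not the article's code. Assumptions: /proc/net/packet uses the
standard column layout, and fd symlinks look like "socket:[<inode>]".
"""
import os
import re

MUTEX_PATH = "/var/run/initd.lock"   # IOC from the page
SOCK_DGRAM, SOCK_RAW = 2, 3          # Type column values in /proc/net/packet
ETH_P_ALL = 0x0003                   # Proto column value for "every frame"
_SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def parse_packet_sockets(text):
    """Parse /proc/net/packet text into {inode: {type, proto, iface, uid}}."""
    sockets = {}
    for line in text.strip().splitlines()[1:]:       # first line is the header
        f = line.split()
        if len(f) < 9:
            continue
        sockets[int(f[8])] = {
            "type": int(f[2]),
            "proto": int(f[3], 16),                  # printed as hex by the kernel
            "iface": int(f[4]),
            "uid": int(f[7]),
        }
    return sockets


def read_fd_map(proc_root="/proc"):
    """Build {pid: {socket inodes}} from /proc/<pid>/fd symlinks (root sees all)."""
    fd_map = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        inodes = set()
        try:
            for fd in os.listdir(fd_dir):
                try:
                    target = os.readlink(os.path.join(fd_dir, fd))
                except OSError:
                    continue
                m = _SOCKET_LINK.fullmatch(target)
                if m:
                    inodes.add(int(m.group(1)))
        except OSError:
            continue                                  # process exited / no permission
        if inodes:
            fd_map[int(pid)] = inodes
    return fd_map


def find_sniffers(sockets, fd_map):
    """Join packet-socket inodes to pids; returns [(pid, inode, info)] sorted by pid."""
    hits = []
    for pid, inodes in fd_map.items():
        for inode in inodes & set(sockets):
            hits.append((pid, inode, sockets[inode]))
    return sorted(hits, key=lambda h: (h[0], h[1]))


def mutex_present(path=MUTEX_PATH):
    return os.path.exists(path)


# Constructed sample: one root-owned SOCK_RAW/ETH_P_ALL socket (what a sniffer
# typically opens) and one unprivileged SOCK_DGRAM socket bound to IPv4 only.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      41237
0000000000000000 3      2    0800   0     1 0      1000   55001
"""
SAMPLE_FD_MAP = {4321: {41237, 9}, 777: {55001}, 1: {12}}


def demo():
    return find_sniffers(parse_packet_sockets(SAMPLE_PROC_NET_PACKET), SAMPLE_FD_MAP)


if __name__ == "__main__":
    with open("/proc/net/packet") as fh:
        live = find_sniffers(parse_packet_sockets(fh.read()), read_fd_map())
    for pid, inode, info in live:
        flag = " <-- raw, all protocols" if (info["type"], info["proto"]) == (SOCK_RAW, ETH_P_ALL) else ""
        print(f"pid={pid} inode={inode} type={info['type']} proto=0x{info['proto']:04x} uid={info['uid']}{flag}")
    print("mutex present:", mutex_present())
```

Run it as root so every process's fd directory is readable; a legitimate sniffer (tcpdump, DHCP client) will also show up, so treat a hit as a lead, not a verdict. To see the filter itself, `ss -0bp` prints the BPF bytecode attached to each packet socket, which is the socket-filter behaviour mapped to T1205.002 above.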

Read more: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game