Here’s a Simple Script to Detect the Stealthy Nation-State BPFDoor | Qualys Security Blog

BPFDoor is a Linux/Unix backdoor that attaches a Berkeley Packet Filter (BPF) to a raw socket, letting it watch incoming traffic for its trigger without binding a listening port of its own, and that accepts C2 over TCP, UDP and ICMP, giving the operator stealthy remote access. The campaign is attributed to the Chinese threat actor Red Menshen (aka DecisiveArchitect), active since 2018 against targets in the US, South Korea, Hong Kong, Turkey, India, Vietnam and Myanmar, and has used VPS-based C2 and compromised Taiwan routers as VPN tunnels. Hashtags: #BPFDoor #RedMenshen #DecisiveArchitect #BerkeleyPacketFilters

Keypoints

  • The BPFDoor malware is a Linux/Unix backdoor that provides a remote shell and talks to its C2 over TCP, UDP and ICMP; a Berkeley Packet Filter (BPF) attached to its socket selects the traffic it reacts to, so it never has to listen on a port that would show up in a port scan.
  • Red Menshen (DecisiveArchitect) is the threat actor behind BPFDoor, active since 2018, with victims across the US, South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar in telecom, government, education, and logistics sectors.
  • The implant masquerades by renaming its process with prctl, picking from a set of legitimate-looking daemon command lines (for example /sbin/udevd -d or /sbin/mingetty /dev/tty7) so that it blends into ps output.
  • Before deleting its dropped binary the implant timestomps it, setting the access and modification times to a fixed historic value (Thursday, 30 October 2008 19:17:16 GMT).
  • The malware writes a PID file so a second copy can tell that an instance is already running, and drops its binary in /dev/shm, a RAM-backed tmpfs, from which it is launched and then removed, keeping the executable off persistent storage.
  • Qualys demonstrates detection and protection with Custom Assessment/Remediation (scripts in several languages) and Qualys Multi-Vector EDR with YARA, including a shell-based detection workflow that looks for packet-sniffing behaviour, i.e. processes holding raw sockets, using lsof.
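The checks above can be strung together into a small hunting script. The following is an added example written for this page, not the Qualys Custom Assessment script from the blog post: it looks for processes holding raw or packet sockets in lsof output, for processes whose prctl()-renamed name does not match the binary behind /proc/PID/exe, and for files in /dev/shm carrying the stomped 2008 timestamp. The lsof and /proc samples are constructed for offline testing; the script assumes lsof's standard column layout (TYPE is the fifth field, with the values "raw" and "pack") and GNU stat for the live /dev/shm check.

```shell
#!/bin/sh
# Added example for this page: a BPFDoor hunting script. It is NOT the Qualys
# script from the blog post; it re-implements the three checks the post
# describes (raw-socket sniffing via lsof, prctl() process renaming, /dev/shm
# artefacts with a stomped timestamp). Sample data below is constructed.

# 1. Packet-sniffing sockets. lsof reports the socket kind in its TYPE column
#    (5th field): "raw" for an inet SOCK_RAW socket and "pack" for an AF_PACKET
#    socket, which is what a BPF-filtered sniffer holds (assumed layout).
#    Reads lsof -nP output on stdin, prints "PID COMMAND TYPE" per hit.
find_sniffers() {
    awk '$5 == "raw" || $5 == "pack" { print $2, $1, $5 }'
}

# Constructed lsof -nP output: a genuine udevd, sshd, and an implant that has
# renamed itself "udevd" but holds a packet socket.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
udevd     412 root  cwd    DIR  253,0     4096    2 /
sshd      890 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
udevd    4242 root    3u  pack  81234      0t0   IP type=SOCK_RAW
EOF
}

# 2. prctl() masquerading. PR_SET_NAME changes /proc/PID/comm, but
#    /proc/PID/exe still resolves to the real binary, with " (deleted)"
#    appended once the implant has unlinked its /dev/shm copy.
#    Usage: is_masquerading COMM EXE -> exit status 0 if suspicious.
#    comm is truncated to 15 bytes and interpreters carry version suffixes
#    (python3 vs python3.11), so a prefix match is used; expect a few benign
#    hits and treat them as triage leads, not verdicts.
is_masquerading() {
    comm=$1
    exe=$2
    case "$exe" in
        /dev/shm/*|*" (deleted)") return 0 ;;   # tmpfs drop or unlinked binary
    esac
    base=${exe##*/}
    case "$base" in
        "$comm"*) return 1 ;;                   # name matches the on-disk binary
    esac
    return 0
}

# 3. Timestomping. The post reports BPFDoor sets atime/mtime of its binary to
#    Thursday, 30 October 2008 19:17:16 GMT before deleting it; as a Unix
#    epoch that is 1225394236. Usage: is_timestomped MTIME_EPOCH
BPFDOOR_STAMP=1225394236
is_timestomped() {
    [ "$1" -eq "$BPFDOOR_STAMP" ]
}

# Live checks (run as root so /proc/PID/exe and lsof are readable):
# correlate all three on the current host.
hunt() {
    echo '== raw/packet sockets (lsof) =='
    lsof -nP 2>/dev/null | find_sniffers
    echo '== processes whose comm does not match their binary =='
    for p in /proc/[0-9]*; do
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel threads skipped
        if is_masquerading "$comm" "$exe"; then
            printf '%s %s -> %s\n' "${p#/proc/}" "$comm" "$exe"
        fi
    done
    echo '== files in /dev/shm (stomped mtime flagged) =='
    find /dev/shm -type f 2>/dev/null | while read -r f; do
        mt=$(stat -c %Y "$f" 2>/dev/null) || continue   # GNU stat assumed
        if is_timestomped "$mt"; then
            printf 'STOMPED %s\n' "$f"
        else
            printf '%s\n' "$f"
        fi
    done
}

# Run the live hunt only when asked: sh bpfdoor_hunt.sh --live
if [ "${1:-}" = "--live" ]; then
    hunt
fi
```

A process that shows up in all three lists (packet socket, comm not matching its deleted /dev/shm binary, stomped file) is a strong lead; any single hit deserves a look at /proc/PID/cmdline and the socket's BPF filter before calling it an incident, since tcpdump-style tools and renamed worker processes produce the same individual signals.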

MITRE Techniques

  • [T1036.005] Masquerading: Match Legitimate Name or Location – The implant renames its own process to a legitimate-looking daemon name. Quote: ‘The attacker masquerades its name by renaming the malware process’ and ‘Code uses prctl to rename the malware process.’
  • [T1070.004] Indicator Removal on Host: File Deletion – The dropped copy under /dev/shm is removed once the implant is running. Quote: ‘Deletion of /dev/shm/kdmtmpflush directory.’
  • [T1070.006] Indicator Removal on Host: Time Stomp – The binary's access and modification times are reset to a fixed 2008 value before it is deleted, so file-timeline triage does not point at the intrusion window. Quote: ‘timestomp the binary before deletion… set_time… alter the access and modification timestamp … Thursday, October 30, 2008 7:17:16 PM (GMT).’
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Operator commands are executed through a bash process that provides an interactive shell. Quote: ‘The threat actor interacts with the implant through the bash process to establish an interactive shell.’
  • [T1106] Native API – The prctl system call is invoked directly to change the process name. Quote: ‘Code uses prctl to rename the malware process.’
  • [T1548.001] Abuse Elevation Control Mechanism: Setuid and Setgid – Listed by the page without an accompanying description. Quote: ‘T1548.001- Abuse Elevation Control Mechanism: Setuid and Setgid.’
  • [T1095] Non-Application Layer Protocol – C2 rides directly on transport- and network-layer protocols (TCP, UDP, ICMP) rather than on an application protocol. Quote: ‘multiple protocols for communicating with a command & control server (C2) including TCP, UDP, and ICMP.’

Indicators of Compromise

  • [Hash (SHA-256)] BPFDoor sample hashes – 07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d, 1925e3cd8a1b0bba0d297830636cdb9ebf002698c8fa71e0063581204f4e8345, and 2 more hashes
  • [Filename] Common BPFDoor artifacts – /dev/shm/kdmtmpflush, /dev/shm/kdumpflush, and other related files
  • [Process name] Masqueraded process command lines – /sbin/udevd -d, /sbin/mingetty /dev/tty7, and other names

Read more: https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor