BPFDoor Linux Malware Detected by AhnLab EDR

BPFDoor is a stealthy Linux backdoor that uses Berkeley Packet Filter (BPF) to operate without establishing a traditional C2 connection. It has been attributed to the China-based threat actor Red Menshen; this article covers its behavior in campaigns targeting the Middle East and Asia and how AhnLab EDR detects it.

#BPFDoor #RedMenshen #AhnLabEDR #BerkeleyPacketFilter

Keypoints

  • BPFDoor leverages BPF to monitor already-open ports and execute via magic packets, avoiding the need to open or connect to a C2 server.
  • It was revealed in a 2021 PwC threat report and is associated with Red Menshen targeting the Middle East and Asia.
  • The malware copies itself to /dev/shm and disguises its process name to evade detection.
  • Commands for reverse shell or bind shell are password-guarded, with specific passwords triggering different behaviors.
  • Bind shell mode uses iptables to redirect attacker packets to a new port and then removes the rule after connection.
  • AhnLab EDR can detect suspicious BPFDoor behaviors (copy to /dev/shm, permission changes, iptables activity, port redirection) and provides defensive guidance.
  • Target sectors include telecommunications, logistics, education, and government organizations.
  • BPFDoor enables stealthy command execution later via magic packets, rather than maintaining a constant C2 channel.

MITRE Techniques

  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Utilizes shell commands for execution.
  • [T1106] Native API – Uses native API calls for execution.
  • [T1036.004] Masquerading: Masquerade Task or Service – Disguises itself as a legitimate process.
  • [T1562.004] Impair Defenses: Disable or Modify System Firewall – Modifies firewall settings to allow communication.
  • [T1070.004] Indicator Removal on Host: File Deletion – Deletes files to remove traces of its presence.
  • [T1070.006] Indicator Removal on Host: Timestomp – Modifies timestamps to obfuscate activity.
  • [T1222] File and Directory Permissions Modification – Changes permissions to maintain access.
  • [T1205.002] Traffic Signaling: Socket Filters – Uses socket filters for command and control communication.
  • [T1573] Encrypted Channel – Establishes encrypted communication channels.

Indicators of Compromise

  • [File] BPFDoor-related files in memory-based storage – /dev/shm/kdmtmpflush.
  • [Process] Disguised process name used by the malware – kdmtmpflush.
  • [Network] BPF filter signatures observed – 0x7255 (TCP), 0x5293 (UDP/ICMP).
  • [Network] iptables-based port redirection and firewall rules – examples include rules shown in the article (e.g., redirect and accept rules).
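The behaviors listed in the keypoints and the indicators above (staging in /dev/shm, permission changes, execution under a disguised process name, iptables NAT redirection that is later removed, self-deletion) can be correlated per host from process-execution telemetry. The script below is an added example written for this page, not AhnLab EDR's detection logic or output; the event dictionary format, the host names, the disguised process name `systemd-udevd`, the redirect port and the 203.0.113.5 source address are all constructed for illustration. Only the file name `kdmtmpflush` comes from the indicators above.

```python
"""Correlate BPFDoor-like host behaviors from process-execution events (added example)."""
import os
import re
import shlex

SHM_PREFIX = "/dev/shm/"
REDIRECT_RE = re.compile(r"\bREDIRECT\b")

# Constructed sample events; the schema is an assumption for this example,
# not any EDR's telemetry format. srv1 shows the chain described in the article,
# srv2 carries only benign activity.
SAMPLE_EVENTS = [
    {"host": "srv1", "pid": 101, "comm": "cp", "exe": "/usr/bin/cp",
     "argv": "cp ./dropper /dev/shm/kdmtmpflush"},
    {"host": "srv1", "pid": 102, "comm": "chmod", "exe": "/usr/bin/chmod",
     "argv": "chmod 755 /dev/shm/kdmtmpflush"},
    {"host": "srv1", "pid": 103, "comm": "kdmtmpflush", "exe": "/dev/shm/kdmtmpflush",
     "argv": "/dev/shm/kdmtmpflush --init"},
    # Same binary re-executed under a disguised process name (constructed name).
    {"host": "srv1", "pid": 104, "comm": "systemd-udevd", "exe": "/dev/shm/kdmtmpflush",
     "argv": "/usr/lib/systemd/systemd-udevd"},
    {"host": "srv1", "pid": 105, "comm": "iptables", "exe": "/usr/sbin/iptables",
     "argv": "iptables -t nat -A PREROUTING -p tcp -s 203.0.113.5 --dport 22 "
             "-j REDIRECT --to-ports 42391"},
    {"host": "srv1", "pid": 106, "comm": "iptables", "exe": "/usr/sbin/iptables",
     "argv": "iptables -I INPUT -p tcp -s 203.0.113.5 -j ACCEPT"},
    {"host": "srv1", "pid": 107, "comm": "iptables", "exe": "/usr/sbin/iptables",
     "argv": "iptables -t nat -D PREROUTING -p tcp -s 203.0.113.5 --dport 22 "
             "-j REDIRECT --to-ports 42391"},
    {"host": "srv1", "pid": 108, "comm": "rm", "exe": "/bin/rm",
     "argv": "rm -f /dev/shm/kdmtmpflush"},
    {"host": "srv2", "pid": 201, "comm": "iptables", "exe": "/usr/sbin/iptables",
     "argv": "iptables -A INPUT -p tcp --dport 443 -j ACCEPT"},
    {"host": "srv2", "pid": 202, "comm": "sshd", "exe": "/usr/sbin/sshd",
     "argv": "/usr/sbin/sshd -D"},
]


def classify(event):
    """Return the set of indicator names that a single event matches."""
    found = set()
    tokens = shlex.split(event["argv"])
    cmd = os.path.basename(tokens[0]) if tokens else ""
    shm_args = [t for t in tokens if t.startswith(SHM_PREFIX)]
    exe, comm = event["exe"], event["comm"]

    # File staged into memory-backed storage, then made executable.
    if cmd in ("cp", "mv", "install", "dd", "cat") and shm_args:
        found.add("staged_in_dev_shm")
    if cmd == "chmod" and shm_args:
        found.add("chmod_in_dev_shm")

    # Process whose on-disk image lives in /dev/shm; flag a comm/exe mismatch
    # as name masquerading (comm is the kernel's 16-byte process name).
    if exe.startswith(SHM_PREFIX):
        found.add("exec_from_dev_shm")
        if os.path.basename(comm.split()[0]) != os.path.basename(exe):
            found.add("process_name_masquerade")

    # iptables handling: NAT redirect to a new port (added, later deleted) and
    # a single-source ACCEPT rule, as described for bind-shell mode.
    if cmd == "iptables":
        if "-t" in tokens and "nat" in tokens and REDIRECT_RE.search(event["argv"]):
            found.add("iptables_redirect_removed" if "-D" in tokens
                      else "iptables_redirect_added")
        if "ACCEPT" in tokens and "-s" in tokens:
            found.add("iptables_accept_single_source")

    # Trace removal of the staged binary.
    if cmd == "rm" and shm_args:
        found.add("deleted_from_dev_shm")
    return found


def analyze(events):
    """Aggregate distinct indicators per host, sorted for stable output."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify(ev))
    return {host: sorted(inds) for host, inds in per_host.items()}


def alerts(events, threshold=3):
    """Hosts with at least `threshold` distinct indicators (threshold is an assumption)."""
    return sorted(h for h, inds in analyze(events).items() if len(inds) >= threshold)


if __name__ == "__main__":
    for host, inds in analyze(SAMPLE_EVENTS).items():
        print(host, inds)
    print("alert:", alerts(SAMPLE_EVENTS))
```

A single indicator (an iptables ACCEPT rule, a file in /dev/shm) is common on real systems, so the threshold keeps the rule from firing on isolated events; execution from /dev/shm combined with a process-name mismatch or a short-lived NAT redirect is what distinguishes this chain from routine administration.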

Read more: https://asec.ahnlab.com/en/83925/