Trend Micro analyzes Red Menshen’s BPFDoor variants that abuse Berkeley Packet Filter (BPF) in Linux and Solaris to bypass network protections. The analysis tracks the backdoor’s evolution from early 30-instruction filters to newer, more complex variants with magic-number triggers and provides defender insights. #BPFDoor #RedMenshen #DecisiveArchitect #Backdoor.Linux.BPFDOOR #Backdoor.Solaris.BPFDOOR.ZAJE #Symbiote #TrendMicro
Keypoints
- BPFDoor uses Berkeley Packet Filter (BPF) / Linux Socket Filtering (LSF) to load filters into the kernel and activate the backdoor when a specific network packet is observed, bypassing firewall rules.
- BPFDoor has evolved across variants (A through E) with increasing BPF instruction counts (e.g., 30-instruction Variant A, 39-instruction Variant B, up to 229 instructions in later variants), signaling active development.
- Activation relies on magic numbers in packet payloads: UDP/ICMP use 0x7255, TCP uses 0x5293, and newer variants add 0x39393939 at a TCP offset, complicating detection.
- The backdoor connects back to the attacker and opens a privileged reverse shell to receive commands, requiring root privileges on the infected host.
- Trend Micro identifies targeted regions and sectors (e.g., telecommunications in Türkiye and Hong Kong) and suggests defender checks using ss to reveal BPF-loaded sockets and filters.
MITRE Techniques
- [T1205] Traffic Signaling – BPFDoor uses BPF filters to activate the backdoor with a single network packet. Quote: ‘The BPF filters used by BPFDoor allow the actors to activate the backdoor with a single network packet. Due to the way BPF is implemented in the targeted operating system, the magic packet triggers the backdoor even when the packet is blocked by a firewall.’
- [T1205.002] Traffic Signaling: Socket Filters – BPFDoor loads classic BPF filters into the running kernel; Linux uses SO_ATTACH_FILTER via setsockopt(), while Solaris uses libpcap to compile/load the filter at runtime. Quote: ‘BPFDoor samples load classic BPF filters into a running kernel. While the Linux samples load the compiled filters using the SO_ATTACH_FILTER option from setsockopt() syscall, the Solaris sample uses libpcap functions to compile and load the filter at runtime.’
Indicators of Compromise
- [Process] running processes loading BPF filters – dhclient (PID 1893) has a legitimate 11-instruction BPF program attached; hald-addon-acpi (PID 2629) has a suspicious 30-instruction BPF filter with magic numbers 29269 == 0x7255 and 21139 == 0x5293
- [Magic numbers] – UDP/ICMP data field magic 0x7255; TCP data field magic 0x5293 (variants include 0x39393939 in newer samples)
- [MAC address pattern] – a possible activation path checks the destination MAC address for a first nibble of 0x4 (0x40), targeting specific NIC address patterns
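The defender check suggested in the key points (using ss to reveal BPF-loaded sockets) and the process/magic-number indicators above can be combined into one triage step: list packet sockets with `ss -0pb`, decode each attached classic BPF program, and flag any filter that compares packet data against a known BPFDoor magic value. The script below is an added example, not Trend Micro's tooling; the ss output it parses is constructed (the dhclient filter is the usual "udp dst port 68" program, and the second filter is a shortened stand-in for a BPFDoor-style program, not the real sample's bytecode). Note that ss prints the k operand in decimal, which is why the report lists 29269 == 0x7255 and 21139 == 0x5293.

```python
"""Parse `ss -0pb` output and flag packet sockets whose classic BPF filter
compares packet data against the BPFDoor magic values named in the report.

Added example (not Trend Micro's tooling). SAMPLE_SS_OUTPUT is constructed.
"""
import re
from dataclasses import dataclass, field

# Magic values from the report (UDP/ICMP 0x7255, TCP 0x5293, newer 0x39393939).
# ss prints the k operand in decimal, so 0x7255 appears as 29269 in its output.
MAGIC_VALUES = {0x7255, 0x5293, 0x39393939}

# Classic BPF opcode for "jump if A == k": BPF_JMP | BPF_JEQ | BPF_K == 0x15,
# which is how ss prints it in the "bpf filter (N):" line.
JEQ_K = 0x05 | 0x10 | 0x00

INSN_RE = re.compile(r"0x([0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\d+)")
USERS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')
FILTER_RE = re.compile(r"bpf filter \((\d+)\):(.*)")


@dataclass
class SocketFilter:
    process: str
    pid: int
    declared_len: int                    # N from "bpf filter (N)"
    instructions: list                   # (code, jt, jf, k) tuples
    magic_hits: set = field(default_factory=set)


def parse_ss_bpf(text):
    """Pair each 'bpf filter' line with the users:(...) line preceding it."""
    sockets, process, pid = [], "?", 0
    for line in text.splitlines():
        m = USERS_RE.search(line)
        if m:
            process, pid = m.group(1), int(m.group(2))
            continue
        m = FILTER_RE.search(line)
        if m:
            insns = [(int(c, 16), int(jt), int(jf), int(k))
                     for c, jt, jf, k in INSN_RE.findall(m.group(2))]
            sockets.append(SocketFilter(process, pid, int(m.group(1)), insns))
            process, pid = "?", 0          # next filter belongs to another socket
    return sockets


def find_magic_compares(sf):
    """Return the magic values this filter tests for with an immediate JEQ."""
    sf.magic_hits = {k for code, _, _, k in sf.instructions
                     if code == JEQ_K and k in MAGIC_VALUES}
    return sf.magic_hits


def suspicious_filters(text):
    """Sockets whose filter compares against at least one known magic value."""
    return [sf for sf in parse_ss_bpf(text) if find_magic_compares(sf)]


# Constructed sample shaped like `ss -0pb` output. Second filter: simplified
# "IPv4 and (UDP/ICMP payload == 0x7255 or TCP payload == 0x5293)", assuming
# 20-byte IP headers; it is a stand-in, not the real 30-instruction sample.
SAMPLE_SS_OUTPUT = """\
Netid  Recv-Q Send-Q Local Address:Port  Peer Address:Port
p_raw  0      0      *:eth0             *
\tusers:(("dhclient",pid=1893,fd=5))
\tbpf filter (11): 0x28 0 0 12, 0x15 0 8 2048, 0x30 0 0 23, 0x15 0 6 17, 0x28 0 0 20, 0x45 4 0 8191, 0xb1 0 0 14, 0x48 0 0 16, 0x15 0 1 68, 0x6 0 0 262144, 0x6 0 0 0,
p_raw  0      0      *:eth0             *
\tusers:(("hald-addon-acpi",pid=2629,fd=4))
\tbpf filter (12): 0x28 0 0 12, 0x15 0 9 2048, 0x30 0 0 23, 0x15 2 0 17, 0x15 1 0 1, 0x15 2 5 6, 0x28 0 0 42, 0x15 2 3 29269, 0x28 0 0 54, 0x15 0 1 21139, 0x6 0 0 65535, 0x6 0 0 0,
"""

if __name__ == "__main__":
    # On a live host: sudo ss -0pb > ss.txt, then feed that text instead.
    for sf in parse_ss_bpf(SAMPLE_SS_OUTPUT):
        hits = ", ".join(hex(k) for k in sorted(find_magic_compares(sf)))
        print(f"{sf.process} pid={sf.pid} insns={len(sf.instructions)} "
              f"magic={hits or '-'}")
```

Instruction count alone is a weak signal (legitimate DHCP clients, sniffers and VPN daemons attach filters of varying length), so the match is made on the immediate compare values; a variant that changes its magic numbers would need the set updated, which is why the report's decoded constants should be treated as an indicator list rather than a fixed rule.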