The article discusses BPFDoor malware, a Linux-based backdoor used by the Red Menshen APT group against sectors such as telecommunications and finance in Asia and the Middle East. It highlights the malware's stealth techniques, including reverse shells and file hiding, that let it persist unnoticed after initial infiltration.
Affected: Linux, Asia, Middle East
Key points:
- BPFDoor is a Linux-based backdoor associated with the Red Menshen APT group.
- The malware exploits BPF (Berkeley Packet Filter) functionalities for cyber espionage.
- Recent attacks have targeted telecommunications and financial sectors in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.
- BPFDoor has been observed to hide malicious files in various system paths.
- Multiple variants of BPFDoor have been reported since its source code was made public in 2022.
- Indicators of Compromise (IoCs) related to BPFDoor have been shared by KISA.
- Effective detection requires the use of Endpoint Detection and Response (EDR) solutions.
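The key points above say BPFDoor relies on BPF and that EDR is needed to see it. One lightweight host check a defender can run alongside EDR is to enumerate AF_PACKET sockets from /proc/net/packet and attribute them to processes. This is an added example written for this page, not code from the article or from KISA; it assumes (as a general property of BPF-based sniffers, not a detail stated in the article) that a backdoor which filters traffic with BPF holds a SOCK_RAW packet socket bound to ETH_P_ALL. The sample table is constructed, not captured from a real host.

```python
import os
from typing import Dict, List, Tuple

# Constructed sample of /proc/net/packet (not captured from a real host).
# Type 3 = SOCK_RAW, Proto 0003 = ETH_P_ALL (receives every frame on the interface).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a8b12345600 3      3    0003   0     1 0      0      12345
ffff9a8b12345700 3      2    0806   2     1 0      0      67890
"""

def parse_proc_net_packet(text: str) -> List[Dict[str, str]]:
    """Parse the /proc/net/packet table into one dict per AF_PACKET socket."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    rows = [line.split() for line in lines[1:]]
    return [dict(zip(header, r)) for r in rows if len(r) == len(header)]

def raw_all_frames_sockets(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep SOCK_RAW sockets bound to ETH_P_ALL: the shape a BPF-filtering sniffer uses."""
    return [r for r in records if r["Type"] == "3" and r["Proto"].lower() == "0003"]

def socket_owners(proc_root: str = "/proc") -> Dict[str, List[str]]:
    """Map socket inode -> PIDs holding it, by resolving /proc/<pid>/fd/* symlinks."""
    owners: Dict[str, List[str]] = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or fd table not readable (run as root)
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                owners.setdefault(target[8:-1], []).append(pid)
    return owners

def attribute(records, owners) -> List[Tuple[str, str, List[str]]]:
    """Join flagged sockets to owning PIDs; an inode no process admits to owning is 'unknown'."""
    return [(r["Inode"], r["Proto"], owners.get(r["Inode"], ["unknown"])) for r in records]

if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        live = parse_proc_net_packet(f.read())
    for inode, proto, pids in attribute(raw_all_frames_sockets(live), socket_owners()):
        print(f"inode={inode} proto={proto} pids={pids}")
```

Legitimate tools (tcpdump, DHCP clients, some EDR agents) also open such sockets, so a hit is a lead to triage by process path and parent, not a verdict; an inode that no visible process owns is the more interesting result, since it suggests the owner is hiding.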
MITRE Techniques:
- T1071.001 – Application Layer Protocol: BPFDoor uses application layer protocols to communicate with its command and control servers.
- T1046 – Network Service Scanning: The malware scans for open ports and services on the infected system.
- T1059.003 – Command and Scripting Interpreter: The malware executes commands through a shell.
- T1070.001 – File and Directory Permissions Modification: BPFDoor modifies file permissions to hide its presence.
- T1203 – Exploitation for Client Execution: The malware exploits vulnerabilities to execute malicious payloads.
Indicators of Compromise:
- [file hash] a47d96ffe446a431a46a3ea3d1ab4d6e
- [file hash] 227fa46cf2a4517aa1870a011c79eb54
- [file hash] f4ae0f1204e25a17b2adbbab838097bd
- [file hash] 714165b06a462c9ed3d145bc56054566
- [IP Address] 165.232.174[.]130