New Whitepaper: Stealthy BPFDoor Variants are a Needle That Looks Like Hay

The article analyzes BPFDoor-derived implants (icmpShell/httpShell and multiple Rapid7 variants) that use custom BPF filters, protocol sniffing, and protocol-tunneling C2 to achieve stealthy remote shells and persistence. It highlights key artifacts such as the RC4 key “icmp”, the hardcoded ICMP Sequence Number 1234, and active beaconing domains that masquerade as NTP-over-SSL.

Key points

  • icmpShell implements an ICMP-based PTY tunnel where attacker commands are sent in cleartext prefixed with “X:” and victim PTY output is RC4-encrypted with the hardcoded key “icmp”.
  • Rapid7 identified multiple new BPFDoor variants (F–L) that introduce new magic bytes, BPF filters, multi-protocol sniffing, timestomping, FD wipes, and directory/filename hiding under /var/run/user/0.
  • Variant G uses a three-thread, protocol-specific raw-socket design (TCP/UDP/ICMP) with identical BPF filters to ensure trigger redundancy and C2 resiliency across transport protocols.
  • Variant H implements an active beacon that resolves and connects to dynamic DNS C2 domains (e.g., ntpussl.instanthq.com) over port 443, masquerading as NTP-over-SSL to bypass stateful firewalls.
  • Several operational stealth techniques were observed: process name masquerading (e.g., cmathreshd, hpasmlited), unsetenv(“LD_PRELOAD”) to evade user-mode hooks, AF_PACKET/SOCK_DGRAM use for kernel-decapsulated parsing, and magic-byte traffic signaling.
  • Detection guidance emphasizes monitoring for structural/network markers (hardcoded ICMP seq=1234, invalid ICMP Code 1, AF_PACKET socket creation, active BPF filters) rather than payload content alone.
  • Some variants support ICMP relay and proxying to enable lateral movement and bidirectional PTY tunnels without embedding C2 IPs in packet payloads; icmpShell also self-terminates after 12s of inactivity for surgical access.
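The detection guidance above favours structural markers over payload content. The following is an added example (not Rapid7's code and not part of the whitepaper) showing what such a check looks like when run over raw IPv4/ICMP packets: it flags the hardcoded Sequence Number 1234, the cleartext “X:” command tag, and an Echo packet carrying a non-zero Code (RFC 792 defines only Code 0 for Echo Request/Reply, so this rule is generic rather than implant-specific), and for flagged Echo Replies it tries an RC4 decryption with the key “icmp” so an analyst can triage recovered PTY output from a capture. The sample packets, addresses, identifiers and payloads are constructed for the demonstration; the IP/ICMP header layout is the standard one.

```python
import socket
import struct
from typing import Dict, List, Optional, Tuple

# Markers named in the write-up; everything else here is this example's own logic.
ICMP_SEQ_MARKER = 1234      # hardcoded ICMP Sequence Number
CMD_TAG = b"X:"             # cleartext prefix on operator commands
RC4_KEY = b"icmp"           # key used for victim PTY output
ECHO_TYPES = (0, 8)         # Echo Reply / Echo Request; only Code 0 is valid (RFC 792)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(src: str, dst: str, icmp_type: int, code: int,
                    ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4 packet carrying one ICMP message (constructed test input)."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_ipv4_icmp(pkt: bytes) -> Optional[Tuple[int, int, int, int, bytes]]:
    """Return (type, code, identifier, sequence, payload), or None if not IPv4/ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return icmp_type, code, ident, seq, icmp[8:]


def inspect_icmp(pkt: bytes) -> List[str]:
    """Structural checks; returns a list of finding tags (empty means nothing matched)."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None:
        return []
    icmp_type, code, ident, seq, payload = parsed
    findings: List[str] = []
    if icmp_type in ECHO_TYPES and code != 0:
        findings.append(f"invalid_code:{code}")
    if seq == ICMP_SEQ_MARKER:
        findings.append(f"seq_1234:ident={ident}")   # identifier may carry the implant PID
    if payload.startswith(CMD_TAG):
        findings.append("cleartext_X_tag")
    if icmp_type == 0 and seq == ICMP_SEQ_MARKER and payload:
        # Triage aid: victim-side output is RC4 with the hardcoded key; keep only printable hits.
        plain = rc4(RC4_KEY, payload)
        if plain.isascii():
            findings.append("rc4_plaintext:" + plain.decode())
    return findings


# Constructed packets (not real captures) covering a benign ping and three implant-like shapes.
SAMPLE_PACKETS: Dict[str, bytes] = {
    "benign_ping": build_ipv4_icmp("10.0.0.5", "10.0.0.9", 8, 0, 0x1111, 1, b"abcdefgh"),
    "operator_cmd": build_ipv4_icmp("10.0.0.5", "10.0.0.9", 8, 0, 4242, ICMP_SEQ_MARKER, CMD_TAG + b"id\n"),
    "victim_output": build_ipv4_icmp("10.0.0.9", "10.0.0.5", 0, 0, 4242, ICMP_SEQ_MARKER,
                                     rc4(RC4_KEY, b"uid=0(root)\n")),
    "odd_heartbeat": build_ipv4_icmp("10.0.0.9", "10.0.0.5", 8, 1, 4242, ICMP_SEQ_MARKER, b""),
}


def inspect_samples() -> Dict[str, List[str]]:
    return {name: inspect_icmp(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, findings in inspect_samples().items():
        print(f"{name}: {findings or 'clean'}")
```

The same `inspect_icmp` can be fed frames read from a pcap or from an AF_PACKET listener once the Ethernet header is stripped; because it keys on header fields rather than payload bytes, it survives payload encryption and changes to the RC4 key, whereas the decryption step is only a convenience that stops working the moment a variant rotates the key.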

MITRE Techniques

  • [T1059.004] Unix Shell – Hijacks a pseudo-terminal (PTY) utilizing fork() and dup2(). (‘Hijacks a pseudo-terminal (PTY) utilizing fork() and dup2().’)
  • [T1036.004] Masquerading – Alters process arguments and process name to mimic benign daemons (e.g., cmathreshd, qmgr, hpasmlited) to avoid detection. (‘Alters process arguments to mimic benign daemons like qmgr.’)
  • [T1070.003] Clear History – Removes or redirects shell history by setting HISTFILE=/dev/null to avoid leaving command traces. (‘Injects HISTFILE=/dev/null into environment variables.’)
  • [T1027] Obfuscated Files or Information – Uses stack strings and other packing/obfuscation to hide passwords, paths, and static markers from simple static analysis. (‘Stack strings for passwords and paths prevent static extraction.’)
  • [T1564] Hide Artifacts – Employs AF_PACKET sniffing and FD wiping/timestomping to hide network hooks and filesystem artifacts from local inspection. (‘Uses AF_PACKET sniffing to remain invisible to local netstat/ss.’)
  • [T1205] Traffic Signaling – Uses magic bytes and flags (e.g., 0xFFFFFFFF, custom magic bytes) as wake-up triggers and signaling for implant activation. (‘Employs magic bytes and flags like 0xFFFFFFFF as wake-up triggers.’)
  • [T1573.001] Symmetric Cryptography – Encrypts PTY output with RC4 using a hardcoded ICMP key and enforces an “X:” plaintext tag for commands. (‘Enforces the X: plaintext tag and encrypts the underlying PTY output via an RC4 cipher (using the hardcoded ICMP key).’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Some variants use formatted HTTP POSTs with hardcoded URIs and large hex bodies to blend C2 in HTTP traffic (httpShell). (‘Blends in by utilizing formatted HTTP POST requests with hardcoded URIs up to 100-byte hexadecimal bodies.’)
  • [T1095] Non-Application Layer Protocol – Uses crafted ICMP Echo Requests/Echo Replies to exfiltrate and tunnel shell sessions (icmpShell). (‘Transmits exfiltration via crafted ICMP Echo Requests.’)
  • [T1090] Proxy – Implements ICMP relay and proxying to bounce traffic through internal segments and uses cross-protocol BPF sniffing to fall back between TCP/UDP/ICMP. (‘Uses ICMP relay to bounce traffic through internal segments.’ / ‘The BPF filter concurrently sniffs TCP, UDP, and ICMP…the attacker can seamlessly utilize an alternate protocol to trigger the shell.’)
  • [T1001] Data Obfuscation – Encodes session metadata inside network-layer fields (e.g., PID in ICMP Identifier, hardcoded ICMP Sequence Number 1234) to hide tracking data. (‘icmpShell hides its tracking mechanisms directly inside the network layer headers…injecting it into the 16-bit ICMP Identifier field, and hardcoding the ICMP Sequence Number to 1234.’)
  • [T1572] Protocol Tunneling – Implements ICMP tunneling to carry interactive shell traffic and to tunnel other protocol sessions. (‘ICMP tunneling’)

Indicators of Compromise

  • [Hashes] sample binaries and implants – 2cc90edd9bc085f54851bed101f95ce2bace7c9a963380cfd11ea0bc60e71e0c, de472ed37e33b79e1aa37e67a680ee3a9d74628438c209543a06e916a0a86fba, and several other hashes (e.g., ed768dd9…, ca5662…, 9ee77e…) referenced in samples.
  • [Domains] active beacon and masquerade C2s – ntpussl.instanthq.com, ntpupdate.ddnsgeek.com, and other DDNS domains like ntpupdate.ygto.com, ntpd.casacam.net.
  • [File paths] local hiding and persistence – /var/run/user/0 (BPFDoor runs hidden here), /var/run/cma.lock (HPE variant checks/kills HP agent if present).
  • [Process names] masqueraded or spoofed services – cmathreshd (HPE masquerade), hpasmlited (process name spoofing), and other common daemon names like qmgr used as decoys.
  • [Network markers] protocol/packet artifacts – hardcoded ICMP Sequence Number 1234, ICMP plaintext tag “X:”, technically invalid ICMP Code 1 in heartbeat, and RC4 key “icmp”.
  • [Credentials/magic values] trigger/password artifacts – magic password dP7sRa3XwLm29E (variant I), magic bytes such as 0xA9F205C3 and flags like 0xFFFFFFFF used in BPF/trigger logic.
  • [Ports & sockets] network endpoints and socket types – TCP port 443 (active beacon), TCP port 9999 (variant I handshake), and creation of raw sockets (SOCK_RAW/SOCK_DGRAM AF_INET sockets) / AF_PACKET usage monitored on hosts.
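The host-side artifacts listed under T1036.004, T1070.003 and T1564 above, and in the file-path and process-name indicators just given, can be triaged from /proc without any network visibility. The following is an added example (hypothetical detection logic, not Rapid7's or the whitepaper's) that gathers, for each PID, the kernel task name (`comm`), argv[0], the `exe` symlink target and the environment, then flags an executable living under /var/run/user/0 or already deleted from disk, an argv[0] or decoy task name that does not match the real binary, and HISTFILE=/dev/null in the environment. The decoy-name set and hiding directory come from the page; the sample records and the implant path `/var/run/user/0/x` are constructed for the demonstration.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# From the page: where BPFDoor hides itself and the daemon names it borrows.
HIDING_DIRS = ("/var/run/user/0/",)
DECOY_NAMES = {"cmathreshd", "hpasmlited", "qmgr"}


@dataclass
class ProcRecord:
    pid: int
    comm: str                                   # /proc/<pid>/comm (truncated to 15 chars by the kernel)
    argv0: str                                  # first element of /proc/<pid>/cmdline
    exe: str                                    # target of the /proc/<pid>/exe symlink
    environ: Dict[str, str] = field(default_factory=dict)


def read_proc(pid: int) -> Optional[ProcRecord]:
    """Collect one live process record; None if it exited or is unreadable (needs root for others' env)."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as fh:
            comm = fh.read().strip()
        with open(f"{base}/cmdline", "rb") as fh:
            argv = fh.read().split(b"\0")
        argv0 = argv[0].decode(errors="replace") if argv and argv[0] else ""
        exe = os.readlink(f"{base}/exe")
        env: Dict[str, str] = {}
        with open(f"{base}/environ", "rb") as fh:
            for item in fh.read().split(b"\0"):
                key, _, val = item.partition(b"=")
                if key:
                    env[key.decode(errors="replace")] = val.decode(errors="replace")
        return ProcRecord(pid, comm, argv0, exe, env)
    except (OSError, ValueError):
        return None


def assess(rec: ProcRecord) -> List[str]:
    """Return finding tags for one record; an empty list means no artifact matched."""
    findings: List[str] = []
    exe_path = rec.exe[:-len(" (deleted)")] if rec.exe.endswith(" (deleted)") else rec.exe
    exe_name = os.path.basename(exe_path)
    if any(exe_path.startswith(d) for d in HIDING_DIRS):
        findings.append("exe_in_hiding_dir")
    if rec.exe.endswith(" (deleted)"):
        findings.append("exe_deleted")           # binary unlinked after launch
    argv0_name = os.path.basename(rec.argv0) if rec.argv0 else ""
    if argv0_name and argv0_name != exe_name:
        findings.append("argv0_mismatch")        # rewritten argv[0] (see T1036.004)
    if rec.comm in DECOY_NAMES and exe_name != rec.comm:
        findings.append("decoy_process_name")    # borrowed daemon name, different binary
    if rec.environ.get("HISTFILE") == "/dev/null":
        findings.append("histfile_devnull")      # see T1070.003
    return findings


def scan_live_host() -> Iterator[Tuple[int, List[str]]]:
    """Walk /proc on the running machine and yield only PIDs with findings (Linux only)."""
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            rec = read_proc(int(entry))
            if rec is not None:
                hits = assess(rec)
                if hits:
                    yield rec.pid, hits


# Constructed records: a normal sshd, an implant-shaped process, and a genuine postfix qmgr.
SAMPLE_RECORDS = [
    ProcRecord(101, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd", {"HOME": "/root"}),
    ProcRecord(202, "cmathreshd", "cmathreshd", "/var/run/user/0/x (deleted)", {"HISTFILE": "/dev/null"}),
    ProcRecord(303, "qmgr", "qmgr", "/usr/libexec/postfix/qmgr", {}),
]


def assess_samples() -> Dict[int, List[str]]:
    return {rec.pid: assess(rec) for rec in SAMPLE_RECORDS}


if __name__ == "__main__":
    for pid, hits in assess_samples().items():
        print(f"pid {pid}: {hits or 'clean'}")
```

Treat `argv0_mismatch` as a triage signal rather than a verdict: interpreters (`python3` vs `python3.11`) and multi-call binaries such as busybox produce it legitimately, which is why the genuine `qmgr` record above stays clean while the decoy-name rule only fires when the task name and the real binary disagree. `exe_deleted` also occurs during ordinary package upgrades, so correlate it with the hiding-directory and environment findings before escalating.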

Read more: https://www.rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants