
Enhanced Version of BPFDoor Linux Backdoor Spotted in the Wild – Source: www.securityweek.com


A recent report from Trend Micro has revealed new iterations of the BPFDoor Linux backdoor that rely on a controller to open a reverse shell and control additional hosts on the network. Initially identified in 2021, BPFDoor is a backdoor believed to be associated with a Chinese state-sponsored threat actor tracked under the names Red Menshen and Earth Bluecrow. The backdoor is designed for detection evasion and allows attackers to maintain long-term access to compromised networks.

The BPFDoor backdoor has been active for almost a decade and has been used in attacks against various sectors, including telecommunications, financial services, and retail, in countries such as Hong Kong, Egypt, Malaysia, Myanmar, and South Korea. The malware is built for cyberespionage and is known for its use of the Berkeley Packet Filter (BPF) for stealthy network traffic monitoring and command-and-control (C&C) communication.

One of the unique aspects of BPFDoor is its use of a BPF filter that inspects incoming packets before the Linux firewall processes them, allowing the operator to activate the backdoor with packets carrying special sequences even when the firewall would otherwise block that traffic. Such capabilities are typically associated with rootkits rather than backdoors. In recent attacks, Trend Micro observed the backdoor being driven by a malware controller that lets attackers open a reverse shell or redirect connections to a shell on a specific port. The controller validates commands using passwords supplied by the attacker and supports several connection modes and protocols, including TCP, UDP, and ICMP.

Trend Micro also found that the controller can directly connect to an infected machine over TCP to open a shell if the correct password is provided. The cybersecurity firm notes that due to the leak of the backdoor’s source code in 2022, the recent attacks can only be attributed with moderate confidence to Earth Bluecrow. Administrators are advised to implement robust security measures to detect potential compromises by BPFDoor.

According to Trend Micro, BPFDoor can remain hidden in a network for extended periods, since traditional security scans may not detect anything unusual. The malware also employs evasion techniques such as changing its process name and not listening on any port, which makes it hard for system administrators to spot suspicious activity on their servers.
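The two behaviours described above (a raw packet socket feeding a BPF filter, and a process whose reported name no longer matches its executable) can be checked for from the defender's side. The following triage script is an added example, not code from Trend Micro's report or from the BPFDoor authors; the `/proc/net/packet` sample and the process entries used in testing are constructed, and the `ProcInfo`, `flag_suspicious` and `collect_live` names are this example's own.

```python
import os
from collections import namedtuple

# comm is /proc/<pid>/comm, exe the target of /proc/<pid>/exe, socket_inodes the fds held
ProcInfo = namedtuple("ProcInfo", "pid comm exe socket_inodes")
# Constructed sample of /proc/net/packet: one AF_PACKET socket with inode 40123.
SAMPLE_PACKET = """sk       RefCnt Type Proto Iface R Rmem   User   Inode
ffff8c1d2a3b4c5d 3      3    0003 0      1 0      0      40123
"""

def packet_socket_inodes(text):
    """Inode of every AF_PACKET socket listed in /proc/net/packet (last column)."""
    return {r[8] for r in (l.split() for l in text.splitlines()[1:]) if len(r) >= 9}

def name_mismatch(p):
    """True when comm (capped at 15 chars by the kernel) is not what the kernel derives
    from the executable's basename, i.e. the process renamed itself as described above."""
    base = os.path.basename(p.exe.replace(" (deleted)", ""))  # marker for unlinked binaries
    return p.comm != base[:15]

def flag_suspicious(procs, packet_inodes):
    """(pid, reason) for each process holding an AF_PACKET socket. Legitimate capture
    tools (tcpdump, dhclient) appear too, so this is a triage list, not a verdict."""
    findings = []
    for p in procs:
        if not (p.socket_inodes & packet_inodes):
            continue
        reason = "holds AF_PACKET socket"
        if name_mismatch(p):
            reason += f"; comm '{p.comm}' does not match exe '{p.exe}'"
        findings.append((p.pid, reason))
    return findings

def collect_live():
    """ProcInfo for each readable process in /proc (run as root to see all fds)."""
    procs = []
    for entry in filter(str.isdigit, os.listdir("/proc")):
        d = f"/proc/{entry}"
        try:
            with open(f"{d}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"{d}/exe")
            links = [os.readlink(f"{d}/fd/{fd}") for fd in os.listdir(f"{d}/fd")]
        except OSError:
            continue  # process exited, or its fds are not readable by us
        inodes = {link[8:-1] for link in links if link.startswith("socket:[")}
        procs.append(ProcInfo(int(entry), comm, exe, inodes))
    return procs

if __name__ == "__main__":  # live run on a Linux host
    with open("/proc/net/packet") as f:
        live = packet_socket_inodes(f.read())
    for pid, reason in flag_suspicious(collect_live(), live):
        print(pid, reason)
```

Cross-check any hit against `ss -0pb`, which lists packet sockets together with their attached BPF filter code and owning process.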

In light of these developments, it is crucial for organizations to stay vigilant and take proactive steps to protect their networks from sophisticated threats like BPFDoor. By understanding the tactics and capabilities of threat actors like Red Menshen and Earth Bluecrow, cybersecurity professionals can better safeguard their systems and data from potential attacks.
