Red Menshen, an advanced persistent threat (APT) group active in the Middle East and Asia, has expanded its targeting to Linux and cloud servers. The move tracks a broader shift of attackers toward Linux, visible in recent ransomware campaigns against VMware ESXi, in new Mirai botnet variants, and in cloud-focused stealers and cryptominers. Red Menshen is not the first APT group to make this turn; Sandworm, among others, has also been targeting Linux platforms.
APT groups differ from commodity cybercriminals in their emphasis on persistent stealth and routine maintenance of their tooling. Rather than casting a wide net, APT malware prioritizes long-term access and covert operation. Red Menshen, in particular, has been continuously refining its BPFDoor backdoor, which uses the Berkeley Packet Filter (BPF) to receive its activation traffic in a way that host firewalls on Linux and Solaris never get a chance to block.
Cybersecurity researchers at Trend Micro track BPFDoor under two detection names, Backdoor.Linux.BPFDOOR and Backdoor.Solaris.BPFDOOR.ZAJE. The newer samples differ in the packet-filtering logic they load and in the traffic patterns they watch for, which points to continued investment in improving and deploying the backdoor.
What sets BPFDoor apart is that it loads a packet filter into the kernel using classic BPF, also known on Linux as LSF (Linux Socket Filter). Because the filter is attached to a raw socket rather than to a listening port, the backdoor sees traffic regardless of which ports are open, and a single packet carrying the right marker is enough to activate it; no firewall rule on the target port gets in the way. This rootkit-like behaviour distinguishes BPFDoor from ordinary bind or reverse shells.
Both variants rely on classic BPF filters: the Linux samples attach the filter with the SO_ATTACH_FILTER socket option, while the Solaris samples load it at runtime through libpcap. When a packet carrying the expected "magic number" arrives, BPFDoor uses identifiers carried in that packet to establish a connection back to the source IP. From there the attacker obtains a privileged reverse shell and can execute commands on the infected machine.
The BPFDoor samples analysed by Trend Micro share a uniform BPF program of 30 instructions. The instruction count is a measure of the filter's complexity, and the instructions themselves define which packets trigger the backdoor. The magic numbers are 0x7255 for UDP packets and for ICMP ECHO (ping) packets, and 0x5293 for TCP packets.
More recent samples switch to a 4-byte magic number for TCP packets, which grows the BPF program to 39 instructions. Three samples found in 2023 load a much larger 229-instruction program that explicitly validates ICMP packets as ICMP ECHO requests before accepting them.
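To make the trigger mechanism concrete, here is an added example written for this article; it is not code from the BPFDoor samples or from Trend Micro. It contains a small classic-BPF interpreter, a filter that encodes the triggers described above (0x7255 at the start of a UDP or ICMP echo-request payload, 0x5293 at the start of a TCP payload), and constructed packets run through it. The filter layout, the fragment checks and the ICMP echo-request test are my reconstruction from the magic numbers given in the text; the real samples' bytecode may be arranged differently.

```python
import struct

# Classic BPF opcodes, values from linux/filter.h (BPF_CLASS | BPF_SIZE | BPF_MODE).
LD_H_ABS, LD_B_ABS, LD_H_IND, LD_B_IND = 0x28, 0x30, 0x48, 0x50  # A = half/byte at [k] or [X+k]
LDX_MSH_B = 0xb1                                                # X = 4 * (pkt[k] & 0x0f): IPv4 IHL in bytes
AND_K, RSH_K, ADD_X, TAX = 0x54, 0x74, 0x0c, 0x07               # A &= k, A >>= k, A += X, X = A
JEQ_K, JSET_K, RET_K = 0x15, 0x45, 0x06                         # A == k ?, A & k ?, return k

# Reconstruction of the trigger logic described above, for an AF_PACKET socket that sees
# Ethernet frames: 0x7255 at the start of a UDP or ICMP echo-request payload, 0x5293 at the
# start of a TCP payload. Jump offsets count from the next instruction, as in the kernel.
# Written for this article; not bytecode lifted from a sample.
TRIGGER_FILTER = [
    (LD_H_ABS,  0,  0, 12),      #  0: EtherType
    (JEQ_K,     0, 27, 0x0800),  #  1: IPv4, else DROP (29)
    (LD_B_ABS,  0,  0, 23),      #  2: IP protocol
    (JEQ_K,     0,  5, 17),      #  3: UDP -> 4, else 9
    (LD_H_ABS,  0,  0, 20),      #  4: IP flags / fragment offset
    (JSET_K,   23,  0, 0x1fff),  #  5: non-first fragment -> DROP
    (LDX_MSH_B, 0,  0, 14),      #  6: X = IHL * 4
    (LD_H_IND,  0,  0, 22),      #  7: udp[8:2]  (14 + IHL + 8)
    (JEQ_K,    19, 20, 0x7255),  #  8: magic -> ACCEPT (28), else DROP
    (JEQ_K,     0,  7, 1),       #  9: ICMP -> 10, else 17 (A still holds the protocol)
    (LD_H_ABS,  0,  0, 20),      # 10
    (JSET_K,   17,  0, 0x1fff),  # 11: fragment -> DROP
    (LDX_MSH_B, 0,  0, 14),      # 12
    (LD_B_IND,  0,  0, 14),      # 13: icmp[0], the type field
    (JEQ_K,     0, 14, 8),       # 14: echo request -> 15, else DROP
    (LD_H_IND,  0,  0, 22),      # 15: icmp[8:2]
    (JEQ_K,    11, 12, 0x7255),  # 16: magic -> ACCEPT, else DROP
    (JEQ_K,     0, 11, 6),       # 17: TCP -> 18, else DROP
    (LD_H_ABS,  0,  0, 20),      # 18
    (JSET_K,    9,  0, 0x1fff),  # 19: fragment -> DROP
    (LDX_MSH_B, 0,  0, 14),      # 20
    (LD_B_IND,  0,  0, 26),      # 21: tcp[12], data offset in the high nibble
    (AND_K,     0,  0, 0xf0),    # 22
    (RSH_K,     0,  0, 2),       # 23: (doff << 4) >> 2 == doff * 4 bytes
    (ADD_X,     0,  0, 0),       # 24: A = IHL*4 + TCP header length
    (TAX,       0,  0, 0),       # 25
    (LD_H_IND,  0,  0, 14),      # 26: first two TCP payload bytes
    (JEQ_K,     0,  1, 0x5293),  # 27: magic -> ACCEPT, else DROP
    (RET_K,     0,  0, 0xffff),  # 28: ACCEPT
    (RET_K,     0,  0, 0),       # 29: DROP
]

def run_cbpf(prog, pkt):
    """Interpret a classic BPF program over raw frame bytes; returns the accept length,
    0 meaning drop. An out-of-range load drops the packet, as the kernel runtime does."""
    A = X = pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == RET_K:
            return k
        if code in (LD_H_ABS, LD_B_ABS, LD_H_IND, LD_B_IND, LDX_MSH_B):
            off = k + (X if code in (LD_H_IND, LD_B_IND) else 0)
            width = 2 if code in (LD_H_ABS, LD_H_IND) else 1
            if off < 0 or off + width > len(pkt):
                return 0
            val = pkt[off] if width == 1 else struct.unpack_from("!H", pkt, off)[0]
            if code == LDX_MSH_B:
                X = 4 * (val & 0x0f)
            else:
                A = val
        elif code in (AND_K, RSH_K, ADD_X, TAX):
            A, X = {AND_K: (A & k, X), RSH_K: (A >> k, X),
                    ADD_X: ((A + X) & 0xFFFFFFFF, X), TAX: (A, A)}[code]
        elif code == JEQ_K:
            pc += jt if A == k else jf
        elif code == JSET_K:
            pc += jt if A & k else jf
        else:
            raise ValueError(f"unsupported cBPF opcode {code:#x}")
    raise ValueError("program ran off the end without a RET")

# Constructed sample traffic: Ethernet + minimal IPv4 (no options, checksum left zero) + L4.
def _frame(proto, l4, frag_off=0):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag_off, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def udp_frame(payload, frag_off=0):
    return _frame(17, struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload, frag_off)

def icmp_frame(icmp_type, payload):
    return _frame(1, struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload)

def tcp_frame(payload, options=b""):
    doff = (20 + len(options)) // 4  # header length in 32-bit words, stored in tcp[12] >> 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, doff << 4, 0x18, 65535, 0, 0)
    return _frame(6, hdr + options + payload)

def is_trigger(frame):
    """True if this frame would wake the backdoor under TRIGGER_FILTER."""
    return run_cbpf(TRIGGER_FILTER, frame) != 0

if __name__ == "__main__":
    for name, frame in [("udp 0x7255", udp_frame(b"\x72\x55")),
                        ("icmp reply 0x7255", icmp_frame(0, b"\x72\x55")),
                        ("tcp+options 0x5293", tcp_frame(b"\x52\x93", options=b"\x01\x01\x01\x00"))]:
        print(f"{name:20} -> {'TRIGGER' if is_trigger(frame) else 'ignored'}")
```

Reading a filter this way is the skill the article calls for. Given the instruction array an analyst recovers from a process (for example the argument of the setsockopt(SO_ATTACH_FILTER) call), the X-relative loads at offsets 22, 26 and 14 show that the program indexes into transport payloads, and the immediates 0x7255 and 0x5293 give away the trigger values. The example also shows why a host firewall does not help: a packet socket hands frames to the filter at the link layer, before netfilter evaluates INPUT rules, so an iptables DROP on a port leaves the backdoor fully reachable. Processes holding packet sockets are listed in /proc/net/packet and by `ss -0p`, which is a reasonable place to start a hunt.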
Red Menshen has used BPFDoor against targets in the Middle East and Asia, in sectors including telecommunications, financial services, and other service industries. By embedding BPF bytecode in their malware, APT groups like Red Menshen pose a new challenge for defenders: network defenders and malware analysts need to be able to read and analyse BPF filters, and to adapt their detection and defence strategies to malware that listens without ever opening a port.
In conclusion, Red Menshen's expansion to Linux and cloud servers illustrates how APT groups adapt to changing environments. The continuous enhancement of the BPFDoor backdoor shows the group's commitment to persistent stealth, and underlines the need for proactive defensive measures on Linux and Solaris hosts.
