A newly discovered passive backdoor appears to be attributed to Red Menshen, a threat actor group based out of China. In a recent case study by PwC, it’s clear that the threat actors have been leveraging BPFDoor for quite some time, and both the scope and details as to how the backdoor functions are just now coming to light.
According to an analysis by the Securonix Threat Research team, there appear to be several variations of the backdoor; all share the same goal: giving a remote attacker a command-and-control (C2) channel.
Attack Chain and Scope
According to PwC, earlier targets appeared mostly in telecom, government, education, and logistics. Today, as more information comes to light, it’s possible that the target scope has spread to other sectors, and BPFDoor has been around much longer than initially speculated. In some cases, the backdoor may have been integrated into some systems for up to five years.
As with many remote access tools, BPFDoor would typically be implanted into its target during the post-exploitation phase of an attack. This would require a vulnerable server to allow the attackers initial access before implementing the tool. An example of this would be the popular Log4Shell vulnerability from late last year.
Target systems for the backdoor would be purely Linux-based. During our analysis, we found samples for both x86 and x64-based systems and the Solaris SPARC platform.
Systems infected with BPFDoor allow a remote attacker to access them over a range of protocols. It supports TCP, UDP, and ICMP for data communication and relies on the BPF packet filter (hence the name) to establish communication. The advantage is that the backdoor can establish socket communication through existing open ports. For example, suppose only port 80 is allowed through the local firewall, and the server has a web app running on port 80. The backdoor can still establish and maintain its C2 channel through that open port without affecting the original application.
This makes the backdoor very difficult to detect, since it never needs to open a new listening port on the target host, which is likely why it went undetected for as long as it did.
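To show what this looks like from the defender's side, here is an added example (our illustration, not code from the BPFDoor samples, from PwC, or from Securonix products) that parses /proc/net/packet, the kernel's table of AF_PACKET sockets, and attributes each socket to its owning process through /proc/<pid>/fd. A process holding a raw packet socket receives copies of frames regardless of which ports the firewall allows, which is exactly the property described above, so on a hardened server this list should be short and fully explainable (tcpdump, DHCP clients, network managers). The table contents in SAMPLE_PROC_NET_PACKET are constructed; the column layout is the real one.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Values of the Type column in /proc/net/packet
SOCK_DGRAM = 2
SOCK_RAW = 3

# Ethertypes commonly seen in the Proto column
ETH_P_ALL = 0x0003   # every frame on the interface
ETH_P_IP = 0x0800    # IPv4 only


@dataclass
class PacketSocket:
    inode: int
    sock_type: int          # SOCK_RAW (3) or SOCK_DGRAM (2)
    proto: int              # ethertype the socket is bound to
    ifindex: int            # 0 = any interface
    uid: int                # owner uid; AF_PACKET needs CAP_NET_RAW, so normally 0
    pid: Optional[int] = None
    comm: Optional[str] = None


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse the text of /proc/net/packet.

    Header line is: sk RefCnt Type Proto Iface R Rmem User Inode
    """
    sockets: List[PacketSocket] = []
    for line in text.strip().splitlines()[1:]:   # skip the header
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append(PacketSocket(
            inode=int(fields[8]),
            sock_type=int(fields[2]),
            proto=int(fields[3], 16),
            ifindex=int(fields[4]),
            uid=int(fields[7]),
        ))
    return sockets


def socket_inode_owners(proc_root: str = "/proc") -> Dict[int, int]:
    """Map socket inode -> pid by walking /proc/<pid>/fd.

    Reading other users' fd tables requires root; unreadable processes are skipped.
    """
    owners: Dict[int, int] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))] = int(entry)
    return owners


def read_comm(pid: int, proc_root: str = "/proc") -> Optional[str]:
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return None


def attribute(sockets: List[PacketSocket], owners: Dict[int, int],
              proc_root: str = "/proc") -> List[PacketSocket]:
    """Fill in pid/comm for each socket. A socket with no owner found is itself
    notable (process hidden, exited, or its fd table was unreadable)."""
    for s in sockets:
        s.pid = owners.get(s.inode)
        if s.pid is not None:
            s.comm = read_comm(s.pid, proc_root)
    return sockets


# Constructed sample of /proc/net/packet: one ETH_P_ALL capture socket on ifindex 2,
# one ETH_P_IP raw socket bound to every interface.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3c1b2d4000 3      3    0003   2     1 0      0      31337
ffff9a3c1b2d8000 3      3    0800   0     1 0      0      40015
"""


def report(text: str, owners: Dict[int, int], proc_root: str = "/proc") -> List[str]:
    """One line per packet socket, for a human or a log forwarder to review."""
    lines = []
    for s in attribute(parse_proc_net_packet(text), owners, proc_root):
        kind = "RAW" if s.sock_type == SOCK_RAW else "DGRAM"
        owner = f"pid={s.pid} comm={s.comm}" if s.pid is not None else "owner=UNKNOWN"
        lines.append(f"inode={s.inode} type={kind} proto=0x{s.proto:04x} "
                     f"ifindex={s.ifindex} uid={s.uid} {owner}")
    return lines


if __name__ == "__main__":
    # On a live Linux host (run as root): parse the real table and attribute owners.
    with open("/proc/net/packet") as f:
        for line in report(f.read(), socket_inode_owners()):
            print(line)
```

A socket whose inode cannot be matched to any /proc/<pid>/fd entry deserves the same scrutiny as one owned by an unexpected process: the comm value is under the process's own control, so the line is a starting point for looking at the binary behind the pid, not a verdict.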
BPFDoor also has built-in functions which allow the attacker to set a password, thus encrypting the communication between host and target. However, this functionality was not always present in every sample we analyzed.
Once the backdoor can connect, it presents a challenge password to the listening host. If the password is correct, the handshake completes and C2 is established.
When we reran it with a Netcat listener on the target host, we got a successful connection:
Figure 1: Victim
Figure 2: Attacker
Of the dozen samples we analyzed from different sources, we noticed quite a few technical variations in each binary. As we mentioned previously, BPFDoor is intended for Linux targets and is available across multiple CPU architectures, including x86, x64, and SPARC platforms.
Each sample we analyzed was a Linux ELF executable with a unique file name. For example, the binary data of one analyzed sample can be seen in Figure 3:
Opening some of the samples occasionally reveals clearly defined function names. This is useful because it provides high-level information about BPFDoor's overall functionality. Some particularly interesting function names are getshell, getpasswd, icmpcmd, shell, set_proc_name, and sendcmd.
Some of the samples we analyzed were more obfuscated at a binary level than others. In some cases, strings were broken out into individual variables and hex encoded. Once decoded, some individual commands can be seen. This particular sample writes to the /var/lock directory.
After execution, the backdoor clears the "environ" information on the Linux host. This data is associated with a process PID and located in /proc/[pid]/environ. Once the data is wiped, the backdoor fills it with predefined environment variables. This ensures the attacker has everything they need to perform their functions.
In some cases, the backdoor masquerades as a legitimate-looking system process upon execution, picking a name at random from a predefined list of process names. This helps it blend in when processes on the Linux host are viewed or monitored.
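One host-side check for the masquerading described above, added here as an example and not part of the original analysis: compare the name a process presents (its comm and argv[0], both of which a process can rewrite) with the binary actually mapped as /proc/<pid>/exe, and flag executables that live in volatile locations such as /dev/shm/ or /var/lock (the paths the samples and the hunting queries in this post key on) or that have already been deleted from disk. The process names and paths in SAMPLE_PROCS are constructed. The name-mismatch heuristic is noisy for interpreters and symlinked binaries, so it is treated as a weaker signal than the location checks.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Writable, often tmpfs-backed locations where a dropped implant typically lives.
SUSPECT_DIRS = ("/dev/shm/", "/var/lock/", "/tmp/", "/var/tmp/")
DELETED_SUFFIX = " (deleted)"


@dataclass
class ProcInfo:
    pid: int
    comm: str                 # /proc/<pid>/comm, settable by the process itself (prctl PR_SET_NAME)
    cmdline: str              # /proc/<pid>/cmdline, NUL-separated; argv[0] is rewritable
    exe: Optional[str]        # readlink(/proc/<pid>/exe): the binary actually mapped; None if unreadable


def masquerade_indicators(p: ProcInfo) -> List[str]:
    """Return human-readable reasons this process looks like it is hiding behind a borrowed name."""
    reasons: List[str] = []
    if p.exe is None:
        return reasons          # kernel threads / unreadable processes: nothing to compare against
    exe = p.exe
    if exe.endswith(DELETED_SUFFIX):
        reasons.append("running from a binary that has been deleted from disk")
        exe = exe[: -len(DELETED_SUFFIX)]
    if exe.startswith(SUSPECT_DIRS):
        reasons.append(f"binary lives in a volatile directory: {exe}")
    exe_base = os.path.basename(exe)
    argv0 = p.cmdline.split("\0", 1)[0]
    # A rewritten argv[0] may hold a whole fake command line ("/sbin/udevd -d") in one element.
    argv0_base = os.path.basename(argv0.split()[0]) if argv0.strip() else ""
    # Weak signal: interpreters (python3 vs python3.11) and symlinks (sh -> dash) mismatch too.
    if argv0_base and argv0_base != exe_base and p.comm != exe_base:
        reasons.append(f"presented name {argv0_base!r}/{p.comm!r} does not match mapped binary {exe_base!r}")
    return reasons


def collect_processes(proc_root: str = "/proc") -> List[ProcInfo]:
    """Read comm, cmdline and exe for every pid under proc_root (root needed to see every exe link)."""
    procs: List[ProcInfo] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().decode("utf-8", "replace")
        except OSError:
            continue                # process exited while we were reading it
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None
        procs.append(ProcInfo(int(entry), comm, cmdline, exe))
    return procs


def scan(procs: List[ProcInfo]) -> List[Tuple[int, List[str]]]:
    """(pid, reasons) for every process with at least one indicator."""
    out: List[Tuple[int, List[str]]] = []
    for p in procs:
        r = masquerade_indicators(p)
        if r:
            out.append((p.pid, r))
    return out


# Constructed sample processes (names and paths are illustrative, not IoCs from the analysis).
SAMPLE_PROCS = [
    ProcInfo(2, "kthreadd", "", None),                                   # kernel thread
    ProcInfo(800, "sshd", "/usr/sbin/sshd\0-D\0", "/usr/sbin/sshd"),     # clean
    ProcInfo(900, "sh", "sh\0", "/usr/bin/dash"),                        # benign symlink mismatch
    ProcInfo(4242, "udevd", "/sbin/udevd -d\0",
             "/dev/shm/kdumpflush (deleted)"),                           # borrowed name, volatile dir, deleted
]


if __name__ == "__main__":
    for pid, reasons in scan(collect_processes()):
        print(pid, "; ".join(reasons))
```

The dash example is deliberately included: a single name mismatch on its own is routine on most distributions, whereas a process whose mapped binary sits under /dev/shm and no longer exists on disk has almost no legitimate explanation and should go straight to triage.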
In a nutshell, of all the samples we analyzed, we were able to track a few consistent patterns, such as the directories that the backdoor would interact with and some system commands such as iptables. When it comes to detections, we will be leveraging some of these patterns to look for signs of compromise.
Securonix Recommendations and Mitigations
Given the stealthy nature of BPFDoor, we recommend that Securonix customers scan their environment using the detections highlighted in the next section.
- Deploy antimalware software on Linux hosts and run aggressive scans.
- Monitor and baseline outbound network port communications for unusual spikes or unusual volume trends.
- Implement outbound geo-blocking rules on the firewall, and monitor denied firewall communications to suspicious countries.
Seeder Hunting Queries
- rg_functionality = "Unix / Linux / AIX" AND filename NOT NULL AND filename CONTAINS "haldrund.pid"
- rg_functionality = "Unix / Linux / AIX" AND deviceprocessname ENDS WITH "kdumpdb"
- rg_functionality = "Unix / Linux / AIX" AND deviceprocessname ENDS WITH "kdumpflush"
- rg_functionality = "Unix / Linux / AIX" AND resourcecustomfield5 NOT NULL AND resourcecustomfield5 CONTAINS "/bin/rm" AND resourcecustomfield5 CONTAINS "/bin/chmod" AND resourcecustomfield5 CONTAINS "/dev/shm/"
- rg_functionality = "Unix / Linux / AIX" AND resourcecustomfield5 CONTAINS "/dev/shm/"
- # iptables ports 42391-43391
- rg_functionality = "Unix / Linux / AIX" AND resourcecustomfield5 NOT NULL AND resourcecustomfield5 CONTAINS "iptables -t nat" AND resourcecustomfield5 CONTAINS "REDIRECT --to-ports 42"
- rg_functionality = "Unix / Linux / AIX" AND resourcecustomfield5 NOT NULL AND resourcecustomfield5 CONTAINS "iptables -t nat" AND resourcecustomfield5 CONTAINS "REDIRECT --to-ports 43"
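The last two queries look for nat-table REDIRECT rules whose target port starts with 42 or 43, i.e. the 42391-43391 window noted in the comment. The same check can be run directly on a host against `iptables-save` output. The parser below is an added example (not a Securonix detection and not code from the BPFDoor samples), works on a constructed `iptables-save` snippet, and generalizes slightly: it treats any `--to-ports` value or range that overlaps the window as a hit, not only values beginning with 42 or 43.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Window the hunting queries key on ("--to-ports 42" / "--to-ports 43" prefixes).
BPFDOOR_PORT_WINDOW = (42391, 43391)

RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<body>.*)$")
TOPORTS_RE = re.compile(r"--to-ports\s+(?P<lo>\d+)(?:-(?P<hi>\d+))?")
DPORT_RE = re.compile(r"--dport\s+(\d+)")


class RedirectHit(NamedTuple):
    chain: str
    dport: Optional[int]     # original destination port being hijacked, if the rule names one
    to_lo: int               # REDIRECT target port (or low end of its range)
    to_hi: int
    rule: str


def find_redirects(iptables_save: str,
                   window: Tuple[int, int] = BPFDOOR_PORT_WINDOW) -> List[RedirectHit]:
    """Scan iptables-save output for nat-table REDIRECT rules whose target port
    range overlaps `window`. Rules in other tables are ignored."""
    hits: List[RedirectHit] = []
    table: Optional[str] = None
    for raw in iptables_save.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # "*nat", "*filter": start of a table block
            table = line[1:]
            continue
        if line == "COMMIT":
            table = None
            continue
        if table != "nat":
            continue
        m = RULE_RE.match(line)
        if not m or "-j REDIRECT" not in m.group("body"):
            continue
        tp = TOPORTS_RE.search(m.group("body"))
        if not tp:
            continue
        lo = int(tp.group("lo"))
        hi = int(tp.group("hi") or lo)
        if hi < window[0] or lo > window[1]:
            continue                        # target port(s) entirely outside the window
        dp = DPORT_RE.search(m.group("body"))
        hits.append(RedirectHit(m.group("chain"), int(dp.group(1)) if dp else None, lo, hi, line))
    return hits


# Constructed iptables-save output: an ordinary 80->8080 redirect, plus a redirect of
# inbound 443 into the window.
SAMPLE_IPTABLES_SAVE = """\
# constructed sample, not real host output
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 42391
COMMIT
"""


if __name__ == "__main__":
    import subprocess
    # On a live host (as root): dump the running ruleset and scan it.
    out = subprocess.run(["iptables-save"], capture_output=True, text=True, check=True).stdout
    for h in find_redirects(out):
        print(f"{h.chain}: dport {h.dport} -> {h.to_lo}-{h.to_hi}: {h.rule}")
```

Because the scan reads the live ruleset rather than shell history, it also catches rules added by means the SIEM query cannot see (a rule inserted without the literal "iptables -t nat" string in the logged command, for example), at the cost of only showing the current state rather than when the rule appeared.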
Securonix detection policies will be updated by May 17th
Note: If you are an Autonomous Threat Sweeper subscriber, all of the above TTPs have been swept, and a summary detection report will be shared with recipients if it has not been already.
For the latest threat intelligence and updates, please refer to our GitHub page, which is updated daily. We also invite you to send your questions regarding critical security advisories to the Securonix Critical Intelligence Advisory team and look forward to being of assistance.
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf
- https://www.ibm.com/docs/en/qsip/7.4?topic=queries-berkeley-packet-filters
Analyzed Samples (SHA256):