BPFDoor’s Hidden Controller Deployed Against Targets in Asia and the Middle East

Main Points

  • BPFDoor is a state-sponsored backdoor intended for cyberespionage operations. While investigating BPFDoor attacks, we discovered a controller that has not been seen in use elsewhere. This controller is attributed to Red Menshen, an advanced persistent threat (APT) group tracked by Trend Micro as Earth Bluecrow.
  • The controller can open a reverse shell. This can enable lateral movement, letting intruders move deeper into compromised networks, take control of additional systems, and access confidential information.
  • Based on our data, recent BPFDoor assaults are concentrated on the telecommunications, financial, and retail sectors, with attacks identified in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.
  • BPFDoor is equipped with sophisticated defense evasion tactics. Trend Vision One™ Network Security incorporates TippingPoint Intrusion Prevention and Deep Discovery Inspector (DDI) rules available for Trend Micro clients to safeguard them against this risk.

With contributions from Mohammad Mokbel, Daniel Lunghi, Feike Hacquebord, and Carl Jayson Peliña

Introduction

The stealthy, rootkit-like malware known as BPFDoor (detected as Backdoor.Linux.BPFDOOR) is a backdoor with strong covert capabilities, most of which stem from its use of Berkeley Packet Filtering (BPF).

In a previous publication, we discussed how BPFDoor and BPF-enabled malware operate. BPF is a framework for running code in a virtual machine inside the operating system kernel; it has been available for more than two decades and gained prominence with the release of eBPF (originally “extended BPF”) in 2014.

BPFDoor uses the packet filtering features of BPF, also known as classic BPF (cBPF). The malware loads a filter that can inspect network packets below the higher layers of the operating system stack, such as netfilter (the Linux firewall) or any packet capture tool.

The filter loaded by BPFDoor lets the malware be activated by network packets containing specific “magic sequences”: byte sequences defined by the threat actor that instruct the backdoor on the compromised system to execute a command. Other malware, such as Symbiote, also abuses BPF to provide similar functionality.

Because of how BPF works inside the target operating system, the magic packet triggers the backdoor even when a firewall would block it: once the packet reaches the kernel’s BPF engine, it activates the resident backdoor. Such features are common in rootkits but are not typically found in backdoors.

A backdoor of this kind can remain unnoticed in a network for a long time, and routine security checks such as port scans may not reveal anything unusual. It also employs evasion techniques, such as altering its process name and not listening on any port, which makes it hard for system administrators to notice anything wrong with their servers. This makes BPFDoor an ideal tool for long-term espionage.
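A defender-side check that follows from the behaviour above, added here as an example and not part of the original report: it lists the packet sockets from /proc/net/packet, maps them to their owning processes through /proc/<pid>/fd, and flags a process whose name does not match its binary. It assumes BPFDoor receives its magic packets through an AF_PACKET socket (the socket type a cBPF socket filter is attached to), which the report does not state explicitly; the /proc snapshots are constructed so the script runs offline.

```python
import re

def packet_socket_inodes(proc_net_packet):
    """Parse the text of /proc/net/packet; return the socket inodes it lists."""
    inodes = set()
    for line in proc_net_packet.splitlines()[1:]:  # line 0 is the header
        fields = line.split()
        if len(fields) >= 9 and fields[8].isdigit():
            inodes.add(int(fields[8]))
    return inodes

def fd_socket_inodes(fd_targets):
    """fd_targets: readlink() results for /proc/<pid>/fd/*; return socket inodes."""
    found = set()
    for target in fd_targets:
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            found.add(int(m.group(1)))
    return found

def hunt(proc_net_packet, processes):
    """processes: {pid: {"comm": name, "exe": readlink of /proc/<pid>/exe,
    "fds": [fd link targets]}}. Report every process holding a packet
    socket and flag it when its name does not match its binary."""
    wanted = packet_socket_inodes(proc_net_packet)
    findings = []
    for pid, info in sorted(processes.items()):
        owned = fd_socket_inodes(info["fds"]) & wanted
        if not owned:
            continue
        exe_base = info["exe"].replace(" (deleted)", "").rsplit("/", 1)[-1]
        masquerade = info["comm"] != exe_base or "(deleted)" in info["exe"]
        findings.append({"pid": pid, "comm": info["comm"], "exe": info["exe"],
                         "inodes": sorted(owned), "masquerade": masquerade})
    return findings

# Constructed sample data (not from a real host): a legitimate tcpdump and a
# renamed process that still holds a packet socket under a disguise path.
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1b2c3d4e50 3      3    0003   2     1 0      0      40111
ffff9a1b2c3d4e51 3      3    0003   2     1 0      0      40222
"""
SAMPLE_PROCS = {
    1203: {"comm": "tcpdump", "exe": "/usr/bin/tcpdump",
           "fds": ["/dev/null", "socket:[40111]"]},
    2817: {"comm": "udevd", "exe": "/bin/vmtoolsdsrv (deleted)",
           "fds": ["/dev/null", "socket:[40222]", "/tmp/zabbix_agent.log"]},
}
```

On a live host, /proc/<pid>/comm is truncated to 15 characters, so compare prefixes for long binary names to avoid false positives.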

Historical Insights and Recent Objectives

BPFDoor has been operational for a minimum of four years, with a report by PwC citing multiple incidents involving it in 2021. The same report linked the backdoor to Red Menshen.

The aforementioned advanced persistent threat (APT) faction, known to Trend Micro as Earth Bluecrow, continues to actively target enterprises in the Asia, Middle East, and Africa (AMEA) region as per our records.

Date           | Nation      | Sector
---------------+-------------+--------
December 2024  | South Korea | Telecom
December 2024  | Myanmar     | Telecom
October 2024   | Malaysia    | Retail
September 2024 | Egypt       | Finance
July 2024      | South Korea | Telecom
January 2024   | Hong Kong   | Telecom

Table 1. Distribution of nations and sectors targeted by BPFDoor in 2024

The threat actor targeted Linux servers in the organizations listed above. The malware was disguised under several file paths, including /tmp/zabbix_agent.log, /bin/vmtoolsdsrv, and /etc/sysconfig/rhn/rhnsd.conf. Efforts to determine the initial attack vector are ongoing.

Among the affected servers, a controller for the malware was found; it can be used to reach other compromised hosts on the same network after lateral movement. In some cases, multiple servers were compromised.

This indicates that Earth Bluecrow actively manages BPFDoor-infected hosts and uploads additional tools for later use. This controller has not been observed in any other context.

BPFDoor Controller

The controller reveals interesting details about the methods used by this threat actor.

Before sending one of the “magic packets” checked by the BPF filter that BPFDoor inserts, the controller asks the user for a password, which is also checked on the BPFDoor side.

Depending on the password provided and the command-line options, the controller instructs the infected machine to do one of the following:

  • Open a reverse shell
  • Redirect new connections to a shell on a specific port
  • Check whether the backdoor is active

The supported command-line options are listed below:

Option | Description
-------+---------------------------------------------------------------------
-b     | Listen on a specified TCP port (spawn a shell when a connection arrives)
-c     | Enable encryption
-d     | Destination port on the compromised host (any open port)
-f     | Set a different magic sequence for the TCP or UDP protocol
-h     | Target host (machine to be controlled)
-i     | ICMP mode
-l     | Set the remote host the infected machine will connect to (reverse shell)
-m     | Use the local IP address as the remote host, overriding the -l option
-n     | Skip the password (check whether the backdoor is active)
-o     | Set the magic sequence to 0x7155
-p     | Set the password; if omitted, the program asks for one interactively
-s     | Remote port the infected machine will connect to (reverse shell)
-t     | Not used
-u     | UDP mode
-w     | TCP mode
-x     | Set the magic sequence for ICMP

The password sent by the controller must match one of the hard-coded values in the BPFDoor sample. In the sample paired with the controller we found, the malware appends a predefined salt to the plaintext password, computes its MD5 hash, and compares the result with the hard-coded values, as depicted in the accompanying screenshot.
