Regions Targeted: South Korea, Hong Kong, Myanmar, Malaysia, Egypt
Related Families: Symbiote
Key Takeaways
Old Malware, New TTPs
BPFDoor is a backdoor linked to the China nexus Red Menshen group. This Linux and Solaris-targeting malware, now equipped with a hidden controller, was recently observed in a cyberespionage campaign targeting telecommunications, financial, and retail sectors in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt. By exploiting Berkeley Packet Filter (BPF) technology, BPFDoor achieves unparalleled stealth, evading traditional detection and firewall protections. Trend Micro reported on this activity.
BPFDoor’s core mechanism relies on classic BPF (cBPF) filters to analyze network packets. These filters, loaded via the `SO_ATTACH_FILTER` socket option on Linux or `libpcap` functions on Solaris, scan for attacker-defined “magic sequences” that trigger malicious actions. For instance, a command from an attacker’s IP can instruct a compromised host to open an encrypted reverse shell on a specified port. This shell, protected by password authentication, enables remote control and facilitates lateral movement within networks. Because the filter inspects packets before firewall rules are applied, conventional host firewall defenses do not see the trigger traffic, ensuring covert communication.
The controller’s design prioritizes persistence and evasion. BPFDoor employs rootkit-like techniques to conceal its traffic from tools like `tcpdump`, mirroring tactics seen in related malware like Symbiote. Solaris variants exploit a vulnerability to dynamically compile and load BPF filters at runtime, amplifying the threat’s adaptability.
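A defender-side triage script, added here as an example and not part of the PolySwarm report or of BPFDoor itself: it parses the kernel's packet-socket table (`/proc/net/packet`), flags raw AF_PACKET sockets bound to ETH_P_ALL, the socket shape an implant needs to run a cBPF filter over every inbound packet ahead of firewall rules, and maps each hit to the PIDs holding it via `/proc/<pid>/fd`. It assumes the implant receives packets on such a socket (the text above does not name the socket type) and a Linux `/proc` layout; the sample table rows are constructed.

```python
import os
import re
# Constructed sample of /proc/net/packet (not a real capture); columns as in packet_seq_show()
SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      31337
0000000000000000 3      2    0800   3     1 0      0      31338
"""
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")
SOCK_RAW, ETH_P_ALL = 3, 0x0003      # raw socket receiving every protocol

def parse_packet_table(text):
    """Parse /proc/net/packet rows into {inode: {type, proto, ifindex, uid}}."""
    rows = {}
    for line in text.splitlines()[1:]:            # first line is the header
        f = line.split()
        if len(f) >= 9:
            rows[int(f[8])] = {"type": int(f[2]), "proto": int(f[3], 16),
                               "ifindex": int(f[4]), "uid": int(f[7])}
    return rows

def is_sniffer_socket(row):
    """Raw AF_PACKET + ETH_P_ALL sees every inbound frame, as a cBPF-filtering
    backdoor needs; tcpdump looks the same, so a hit is a lead, not a verdict."""
    return row["type"] == SOCK_RAW and row["proto"] == ETH_P_ALL

def walk_proc_fds(proc_root="/proc"):
    """Yield (pid, symlink target) for every readable /proc/<pid>/fd entry."""
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                yield int(pid), os.readlink(os.path.join(fd_dir, fd))
        except OSError:                           # exited, or not ours to read
            continue

def owners_of(inodes, fd_links):
    """Map socket inodes to the set of PIDs holding an fd on them."""
    owners = {ino: set() for ino in inodes}
    for pid, target in fd_links:
        m = SOCKET_LINK.match(target)
        if m and int(m.group(1)) in owners:
            owners[int(m.group(1))].add(pid)
    return owners

def hunt(packet_table_text, fd_links):
    """Sockets matching the sniffer profile, each with the PIDs holding them."""
    hits = {i: r for i, r in parse_packet_table(packet_table_text).items() if is_sniffer_socket(r)}
    owners = owners_of(hits, fd_links)
    return {i: dict(r, pids=owners[i]) for i, r in hits.items()}
```

On a live host, `hunt(open("/proc/net/packet").read(), walk_proc_fds())` run as root gives the inode-to-PID view; `ss -0bp` shows the attached cBPF program for the same sockets so a flagged process can be checked against the magic-sequence behaviour described above.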
Who is Red Menshen?
Red Menshen, also known as DecisiveArchitect, Red Dev 18, and Earth Bluecrow, is a sophisticated threat actor group associated with China. The group deploys advanced backdoors like BPFDoor. Red Menshen employs encrypted reverse shells with password authentication to maintain persistent access and facilitate lateral movement within compromised networks. The group’s operations focus on cyberespionage, exploiting vulnerabilities to dynamically load malicious filters.
Red Menshen’s precision targeting of critical infrastructure and economically vital regions suggests state-backed motives, though no direct evidence links them to a specific Chinese military or intelligence entity. Their campaigns prioritize high-value data extraction, with tailored attacks exploiting sector-specific weaknesses. The group’s use of encrypted connections and low-footprint malware challenges detection, requiring advanced monitoring for anomalous network behavior.
IOCs
PolySwarm has multiple samples of BPFDoor.
You can use the following CLI command to search for all BPFDoor samples in our portal:
$ polyswarm link list -f BPFDoor