PwC Threat Intelligence recently reported on BPFDoor, a passive network implant for Linux targeting telecommunications providers. The activity was attributed to the Chinese nexus threat actor group Red Menshen.
What is BPFDoor?
BPFDoor is a stealthy surveillance tool used by the threat actor group known as Red Menshen. It targets multiple Linux-based systems, including Solaris SPARC. BPFDoor has been in the wild for at least five years, is highly evasive, and is not detected by most endpoint protection vendors.
According to security researcher Kevin Beaumont, threat actors can use BPFDoor to backdoor a system for remote code execution without opening new firewall rules or network ports. If a web application is already listening on a port such as 443, the implant can watch and react to traffic arriving on that same port, so it can be reached over a port that is already open. This is possible because the implant uses a BPF packet filter to inspect traffic. The threat actors use a controller tool that works over both internal networks and the internet, authenticating to the implants with a password. PwC noted the threat actors used virtual private servers to send commands to BPFDoor victims.
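Because the implant reads traffic through a BPF filter on a packet socket rather than binding a port of its own, one defender-side hunting lead on a Linux host is simply: which processes hold raw AF_PACKET sockets? The following is an added example (not code from PolySwarm, PwC or Kevin Beaumont) that joins /proc/net/packet with the socket inodes in each process's /proc/<pid>/fd and flags sockets shaped like a whole-traffic sniffer. The sample /proc data, the pids and the "sniffer-like" heuristic are constructed for the demo; tcpdump, dhclient and some monitoring agents legitimately hold such sockets, so the output is a triage list, not a verdict.

```python
"""Triage helper: which Linux processes hold raw AF_PACKET sockets?

Added example, not code from PolySwarm, PwC or Kevin Beaumont.  BPFDoor
watches traffic on ports other services already own by attaching a BPF
filter to a packet socket, so enumerating packet-socket holders is one
hunting lead.  Legitimate holders exist (tcpdump, dhclient, some agents),
so the output is a list to triage, not a verdict.  Sample /proc data below
is constructed for the demo.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

ETH_P_ALL = 0x0003  # Linux ethertype meaning "every frame"
SOCK_RAW = 3


@dataclass(frozen=True)
class PacketSocket:
    inode: int
    sock_type: int  # 3 = SOCK_RAW, 2 = SOCK_DGRAM
    proto: int      # ethertype the socket is bound to
    iface: int      # ifindex, 0 = all interfaces
    uid: int


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    sockets = []
    for line in text.strip().splitlines()[1:]:  # first line is the header
        f = line.split()
        if len(f) < 9:
            continue
        sockets.append(PacketSocket(
            inode=int(f[8]), sock_type=int(f[2]), proto=int(f[3], 16),
            iface=int(f[4]), uid=int(f[7])))
    return sockets


def map_socket_inodes(fd_targets: Dict[int, Iterable[str]]) -> Dict[int, List[int]]:
    """pid -> readlink() results of /proc/<pid>/fd/*  ==>  socket inode -> pids."""
    sock_re = re.compile(r"^socket:\[(\d+)\]$")
    owners: Dict[int, List[int]] = {}
    for pid, targets in fd_targets.items():
        for target in targets:
            m = sock_re.match(target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(pid)
    return owners


def find_packet_socket_holders(proc_net_packet: str,
                               fd_targets: Dict[int, Iterable[str]]) -> Dict[int, List[PacketSocket]]:
    """Join the two views: which pid holds which packet socket."""
    owners = map_socket_inodes(fd_targets)
    holders: Dict[int, List[PacketSocket]] = {}
    for sock in parse_proc_net_packet(proc_net_packet):
        for pid in owners.get(sock.inode, []):
            holders.setdefault(pid, []).append(sock)
    return holders


def sniffer_like(sock: PacketSocket) -> bool:
    """Raw socket bound to every ethertype on every interface: the shape a
    whole-traffic sniffer uses.  Heuristic (an assumption), not proof."""
    return sock.sock_type == SOCK_RAW and sock.proto == ETH_P_ALL and sock.iface == 0


def collect_fd_targets_live() -> Dict[int, List[str]]:
    """Read the real /proc; needs root to see other users' descriptors."""
    result: Dict[int, List[str]] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fd_dir = f"/proc/{entry}/fd"
        try:
            result[int(entry)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:  # process exited or permission denied
            continue
    return result


# Constructed sample data (not captured from a real host).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c00000000 3      3    0003   0     1 0      0      23456
ffff9a1c00000001 2      2    0800   2     0 0      1000   78901
"""
SAMPLE_FD_TARGETS = {
    1234: ["/dev/null", "socket:[23456]"],  # raw, ETH_P_ALL, all interfaces
    777: ["pipe:[5]", "socket:[78901]"],    # dgram, IPv4 only, one interface
    4321: ["socket:[99999]"],               # some other socket family
}

if __name__ == "__main__":
    if os.path.exists("/proc/net/packet"):
        with open("/proc/net/packet") as fh:
            holders = find_packet_socket_holders(fh.read(), collect_fd_targets_live())
    else:
        holders = find_packet_socket_holders(SAMPLE_PROC_NET_PACKET, SAMPLE_FD_TARGETS)
    for pid, socks in sorted(holders.items()):
        for s in socks:
            flag = "SNIFFER-LIKE" if sniffer_like(s) else ""
            print(f"pid={pid} inode={s.inode} type={s.sock_type} proto=0x{s.proto:04x} "
                  f"ifindex={s.iface} uid={s.uid} {flag}")
```

Run as root on a live host it walks the real /proc; elsewhere it falls back to the constructed sample, where pid 1234 is flagged SNIFFER-LIKE and pid 777 (a DGRAM socket bound to IPv4 on one interface) is not. Each flagged pid is then worth inspecting further (binary path, parent, start time) rather than treated as malicious on its own.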
Beaumont researched the malware throughout 2021 and found it affected systems in multiple countries including the US, South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar. BPFDoor was discovered in systems across multiple verticals including government, postal and logistics, and education. Beaumont stated that BPFDoor appears to be used for surveillance purposes.
Who is Red Menshen?
Red Menshen, also known as Red Dev 18, is a Chinese nexus threat actor group active since at least 2021. Red Menshen’s targets include telecommunications entities in the Middle East and Asia. Other verticals the group targets include government, education, and logistics. Known tooling includes BPFDoor, Mangzamel, Mimikatz, Metasploit, and custom variants of Gh0st. Red Menshen also uses VPSs hosted at a well-known service provider and VPNs leveraging compromised routers located in Taiwan. The threat actors appear to operate on a regular schedule, Monday through Friday between 01:00 and 10:00 UTC.
PolySwarm has multiple samples of BPFDoor.
You can use the following CLI command to search for all BPFDoor samples in our portal:
$ polyswarm link list -f BPFDoor