Insights, news, education and announcements from PolySwarm

The Evolution of BPFDoor

Written by The Hivemind | Jul 28, 2023 6:38:39 PM

Executive Summary

BPFDoor is a stealthy surveillance tool used by the threat actor group known as Red Menshen. It has recently evolved.

Key Takeaways

  • BPFDoor is a stealthy surveillance tool used by the threat actor group known as Red Menshen. 
  • BPFDoor targets multiple Linux-based systems. 
  • BPFDoor has been in the wild for at least five years, is highly evasive, and is not detected by most endpoint protection vendors.
  • BPFDoor has evolved this year, with some of the recent variants using more instructions than previous variants.  

What is BPFDoor?

Trend Micro recently reported on the evolution of BPFDoor. BPFDoor is a stealthy surveillance tool used by the threat actor group known as Red Menshen. It targets multiple Linux-based systems, including Solaris SPARC. BPFDoor has been in the wild for at least five years, is highly evasive, and is not detected by most endpoint protection vendors.

Threat actors can use BPFDoor to backdoor a system for remote code execution with a single network packet and without opening new firewall rules or network ports. A web app existing on a particular port, such as port 443, can listen and react on the existing port, and the implant can be reached over the port. This is possible due to the use of a BPF packet filter.

BPFDoor loads classic BPF filters into a running kernel, expecting packets containing a magic number. When the correct packet arrives, BPFDoor connects to the source IP from which the matching packet was sent. BPFDoor opens a privileged reverse shell that the threat actor then uses to send commands to the victim machine’s shell via a pipe.

According to Trend Micro, BPFDoor variants from 2018 to 2022 use the same BPF program that accepts specific magic numbers for TCP, UDP, and ICMP protocols. Trend Micro divided the analysis of the different variants based on behavior. The pre-2023 sample, Variant A, leveraged a BPF program using 30 BPF instructions. The remaining samples were from 2023. Variant B used 39 instructions. Variant C used 205 instructions. Variant D used 229. Variant E was similar to a previous variant in that it used 30 instructions, but it used a different magic number.

Who is Red Menshen?

Red Menshen, also known as Red Dev 18, is a China nexus threat actor group active since at least 2021. Red Menshen’s targets include telecommunications entities in the Middle East and Asia. Other verticals the group targets include government, education, and logistics. Known TTPs include BPFDoor, Mangzamel, Mimikatz, Metasploit, and custom variants of Gh0st. Red Menshen also uses VPSs hosted at a well-known service provider and VPNs leveraging compromised routers located in Taiwan. The threat actors appear to be active on a regular schedule, operating Monday through Friday from the hours of 01:00 to 10:00 UTC.

IOCs

PolySwarm has multiple samples of BPFDoor.

 

Fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73

3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155

Bd353a28886815f43fe71c561a027fdeff5cd83e17e2055c0e52bea344ae51d3

Fe9f3b7451913f184e1f53b52a03a981dcea5564633cfcb70d01bd0aec8f30a7

A002f27f1abb599f24e727c811efa36d2d523e586a82134e9b3e8454dde6a089

144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3

Ac06771774538f33b0e95a92ae1a3e8aaf27e188b51700a03c14ca097af09cac

C796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276

4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d

C80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c

97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc

5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9

F8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27

5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3

Fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a

F47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72

8b84336e73c6a6d154e685d3729dfa4e08e4a3f136f0b2e7c6e5970df9145e95

599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683

96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9

76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925

07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d

3631f806f84643aead8c4995e7bf6177d889d610cd9bdb13354aea1fc7d3a2b5

3743821d55513c52a9f06d3f6603afd167105a871e410c35a3b94e34c51089e6

8a602fb9b7c407a13f6e0af4cae702018a7d6bcf36aadb2478ce17a0b668c6d2

6fbdb38a85a416557d292566db8662d70461c8c8d0c51a0f78130c5c3646e93f

A907e1e8145f46274943fb7451c62d83f5e5e683f57a69ddb7dbb520e04e04ce

7f5b419ea75b2c1fb4a7000c8d9ea2918d9a3423000506b718f8de8b4a25f157

Dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a

2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb

Cca78516c62e1b7cf3c56b665a3537dca6beb54d335c633454b325fd44c4f760

D97625f7ad46e24fc958b1ab1c2de9591bad0127b204f99d7110fe1c401a9df4

A9884ba3ebf25dcb1b9b3319d5e9e3706832bfa0f1fc4248f22a065f7ef15f79

7906a1f358687ca1be8d9f531f066d6a5219857d37c13310c3239f10836007a8

28bfb3f2067c77b83898ef4e41c9fc573e6aaa8581da9b59bddb782205a0b091

B759020cbef57d96a5c978af3ae41bc1d9ffb7f3d521210a20b0d8d7540a13d4

Afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7

 

You can use the following CLI command to search for all BPFDoor samples in our portal:

$ polyswarm link list -f BPFDoor

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports