Researchers from Trend Micro revealed this week that a controller linked to the BPFDoor backdoor can open a reverse shell, enabling attackers to burrow deeper into compromised networks. BPFDoor is known for its stealthy defense evasion techniques and has been used in recent cyberespionage campaigns targeting telecommunications, finance, and retail sectors. Attacks have been observed across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt. During their investigation, the team uncovered a previously unseen controller, which they attribute to Red Menshen, an advanced persistent threat (APT) group tracked by Trend Micro as Earth Bluecrow.

BPFDoor is a state-sponsored backdoor designed for cyberespionage activities. The controller’s ability to open a reverse shell presents a serious threat. This capability could allow lateral movement within a compromised network, enabling attackers to control additional systems or access sensitive data.

“BPFDoor uses the packet filtering features of BPF, sometimes called classic BPF (cBPF),” the researchers detailed in their blog post. “BPFDoor malware loads a filter that is capable of inspecting network packets in the upper layers of the operating system stack, such as netfilter (the Linux firewall) or any traffic-capturing tool.”

They added that a backdoor like this can stay hidden in a network for a long time, and casual security sweeps such as port scans won’t see anything unusual. “It also has evasion techniques, such as how it can change process names and how the backdoor does not listen to any port, making it difficult for system administrators to suspect that something is wrong with the servers. This poses BPFDoor as a perfect tool for long-term espionage.”

BPFDoor has been active for at least four years, with a report by PwC mentioning multiple incidents involving it in 2021. The same report also attributed the backdoor to Red Menshen.

The researchers found that the hackers targeted Linux servers from the telecommunications, finance, and retail sectors, and used different paths to hide the malware. “Among the targeted servers, we found a malware controller used to access other affected hosts in the same network after lateral movement. In some cases, more than one server was compromised. This shows that Earth Bluecrow is actively controlling BPFDoor-infected hosts and uploading additional tools for later use. This specific controller file hasn’t been observed being used anywhere else,” they added.

“The controller reveals some interesting details on the techniques wielded by this threat actor,” the post pointed out. “Before sending one of the ‘magic packets’ checked by the BPF filter inserted by BPFDoor malware, the controller asks its user for a password that will also be checked on the BPFDoor side. Depending on the password provided and the command-line options used, the controller asks the infected machine to perform one of these actions: open a reverse shell; redirect new connections to a shell on a specific port; and confirm the backdoor is active.”

Apart from using different connection modes, the controller is versatile enough to control infected machines using the three protocols supported by BPFDoor: TCP, UDP, and ICMP.

“For each protocol, it uses the hard-coded magic sequence, but it also allows the attacker to set it manually (options -f and -x), which shows the threat actor considered the change of magic bytes a likely option and made the controller ready to work with different BPFDoor samples,” the researchers detailed. “In addition to the magic sequence, the password must match one of the passwords expected by the running BPFDoor sample in the target. The connection can be encrypted (-c), and the right password must be provided to make BPFDoor open a shell or listen to a port.”

Based on the TTPs, the target industries, the fact that this specific controller was not seen anywhere else, and its similarities in coding style and programming language to BPFDoor itself, Trend Micro attributes the campaign involving the controller to Earth Bluecrow with medium confidence. Since the BPFDoor malware source code was leaked in 2022, no other campaigns have yet been attributed to Earth Bluecrow.

The post also noted that to make things easier for the threat actor, the controller can directly connect to an infected machine and get a shell on it without any reverse connections. “The right password must be provided to activate the direct mode. Once the password is checked, BPFDoor malware uses a series of iptables commands to redirect new connections from the controller’s IP address to the destination port (22/tcp in our example) to the first available port between 42391 and 43390 on the infected host, where BPFDoor will serve a shell,” it added.

The controller waits a few seconds for the changes to take effect on the infected machine, then it tries to connect to the same IP address and port (presumably redirected at this point). To avoid interruption of the legitimate service bound to the TCP port, BPFDoor malware deletes the iptables rules previously added. By the time it removes the rules, the attacker is already connected and can run any commands.
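Because the redirect rules are removed again once the attacker is connected, the window for catching them on a live host is short, but a periodic dump of the nat table (or a rule-change audit log) can be checked for redirects landing in the 42391-43390 range described above. The following is an added example, not code from Trend Micro or the article; the rule shape (a REDIRECT or DNAT rule in the nat table, keyed on the controller's source address and the original destination port) is an assumption based on the article's description, and the iptables-save output is constructed.

```python
import re

# Port range the article says BPFDoor picks its temporary shell port from.
SHELL_PORT_MIN, SHELL_PORT_MAX = 42391, 43390

# Constructed sample of `iptables-save` output (not captured from a real host).
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
-A PREROUTING -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 42391
-A PREROUTING -s 192.0.2.11/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.5:42500
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# An option token, optionally followed by one value that does not itself start with '-'.
_OPT = re.compile(r"(--?[A-Za-z-]+)(?:\s+(?!-)(\S+))?")

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into {option: value}; bare flags map to True."""
    return {key: (val if val else True) for key, val in _OPT.findall(line)}

def redirect_target_port(opts):
    """Port a REDIRECT/DNAT rule sends traffic to, or None for other targets."""
    if opts.get("-j") == "REDIRECT" and "--to-ports" in opts:
        return int(str(opts["--to-ports"]).split("-")[0])   # low end of a range
    if opts.get("-j") == "DNAT" and "--to-destination" in opts:
        host_port = str(opts["--to-destination"]).rsplit(":", 1)
        return int(host_port[1]) if len(host_port) == 2 else None
    return None

def find_suspicious_redirects(dump):
    """Return (source, original dport, redirected port) for nat rules in the BPFDoor range."""
    hits, table = [], None
    for line in dump.splitlines():
        if line.startswith("*"):          # '*nat', '*filter', ... start a table section
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A "):
            continue
        opts = parse_rule(line)
        to_port = redirect_target_port(opts)
        if to_port is not None and SHELL_PORT_MIN <= to_port <= SHELL_PORT_MAX:
            dport = int(opts["--dport"]) if "--dport" in opts else None
            hits.append((opts.get("-s", "any"), dport, to_port))
    return hits
```

A redirect of an existing service port (22/tcp here) to a high port in this range, scoped to a single source address, is what the article describes; an ordinary port forward such as 8080 to 80 is left alone.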

The researchers added that the direct connection mode only works with TCP. Because the controller expects a specific response, defenders can look for outbound TCP packets whose 4-byte TCP payload is the string ‘3458’.
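The check above is simple to express as a payload match once the TCP payload has been carved out of a raw frame. The following is an added example, not code from the article or from Trend Micro: it parses a raw IPv4/TCP packet and flags one whose entire TCP payload is the 4-byte marker. The packet builder and both sample packets are constructed for the test (checksums are left at zero); in practice the same check would run at a capture point that sees traffic leaving the host.

```python
import struct
import socket

# The 4-byte TCP payload the article says the controller expects back from the backdoor.
BPFDOOR_MARKER = b"3458"

def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, payload) for a raw IPv4/TCP packet, else None."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                 # IPv4 header length in bytes
    if ver_ihl >> 4 != 4 or proto != 6 or len(pkt) < ihl + 20:
        return None                            # not IPv4, not TCP, or truncated
    sport, dport, _seq, _ack, data_off = struct.unpack("!HHIIB", pkt[ihl:ihl + 13])
    tcp_len = (data_off >> 4) * 4              # TCP header length incl. options
    payload = pkt[ihl + tcp_len:total_len]     # total_len trims any link-layer padding
    return (socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, payload)

def is_bpfdoor_reply(pkt):
    """True only when the TCP payload is exactly the 4-byte marker (not merely a prefix)."""
    parsed = parse_ipv4_tcp(pkt)
    return parsed is not None and parsed[4] == BPFDOOR_MARKER

def build_ipv4_tcp(src, dst, sport, dport, payload, flags=0x18):
    """Build a minimal IPv4/TCP packet for testing; checksums are left zero on purpose."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

# Constructed samples: one carrying the marker, one ordinary HTTP response fragment.
SUSPECT = build_ipv4_tcp("10.0.0.5", "192.0.2.10", 22, 41000, b"3458")
BENIGN = build_ipv4_tcp("10.0.0.5", "192.0.2.20", 80, 52000, b"HTTP/1.1 200 OK\r\n")
```

Requiring the payload to be exactly four bytes keeps the match narrow; a longer payload that merely begins with the same digits is not flagged.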

In its conclusion, Trend Micro noted that BPFDoor uses BPF to trigger the backdoor and that there are other malicious uses of such filters; the Symbiote malware, for example, uses a BPF filter to avoid being detected in traffic captures. “BPF opens a new window of unexplored possibilities for malware authors to exploit. As threat researchers, it is a must to be equipped for future developments by analyzing BPF code, which will help protect organizations against BPF-powered threats.”

“Also, it is important to remember that BPF not only affects Linux systems,” according to the researchers. “For example, there’s a BPFDoor sample compiled for Solaris that exploits CVE-2019-3010, and there are efforts to bring eBPF to Windows. This requires deeper research and constant vigilance to gain more insight into attacks launched in other environments.”
