A Linux-specific passive backdoor called BPFDoor is upping its game. BPFDoor, named because it uses a Berkeley Packet Filter to receive instructions while bypassing firewall restrictions on incoming traffic, aims to maintain a persistent presence on breached Linux systems and remain undetected for extended periods. The new variant of the low-profile malware is even harder to detect, according to Deep Instinct researchers.

BPFDoor is associated with a Chinese threat actor, Red Menshen (AKA Red Dev 18), which has been observed since 2021 targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education and logistics sectors.

Impact

The newer variant uses static library encryption, communicates over a reverse shell and receives all of its commands from the C2 server. The reverse shell establishes a connection from the infected host out to the C2 servers, allowing communication even when a firewall protects the network. BPFDoor appears to execute on Linux machines that have been previously compromised. BPFDoor remains undetected by security software.

DXC perspective

A secure infrastructure and robust cyber defense program can help guard against ransomware attacks of all kinds. In this case, we recommend monitoring networks and endpoints for C2 traffic, and using network traffic and log monitoring to check the integrity of specific files.

Threat hunting tips

BPFDoor attaches a Berkeley Packet Filter to the socket to read only UDP, TCP and SCTP traffic through ports 22 (SSH), 80 (HTTP) and 443 (HTTPS). When executed, BPFDoor attempts to create and get a lock on a runtime file at "/var/run/initd.lock" and will exit if it fails, using that file as a makeshift mutex. System admins and security staff are advised to rely on network traffic and log monitoring to check file integrity on "/var/run/initd.lock".
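The two host-side indicators in this section, a BPF-filtered sniffing socket and the "/var/run/initd.lock" mutex, can be checked with a small hunting script. The following is an added example and is not code from the brief or from DXC. It assumes the sniffing socket shows up as an AF_PACKET raw socket in /proc/net/packet (an assumption about the implementation, not a statement from the brief), maps such sockets to their owning PIDs through /proc/<pid>/fd, and probes whether the lock file is currently held by another process. The /proc/net/packet text embedded below is constructed sample data; the filter program itself (the 22/80/443 port check) is not visible in /proc, so the lead is an unexpected process owning a raw packet socket.

```python
"""Hunting helpers for the BPFDoor indicators above (added example, not from the brief)."""
from __future__ import annotations

import fcntl
import os
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable

LOCK_PATH = "/var/run/initd.lock"  # makeshift mutex path named in the brief

# Constructed sample of /proc/net/packet. Columns: sk RefCnt Type Proto Iface R Rmem User Inode.
# Type 3 = SOCK_RAW, 2 = SOCK_DGRAM; Proto is the ethertype (0800 = IPv4, 0003 = all).
SAMPLE_PROC_NET_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8880a1b2c3d0 3      3    0800   2     1 0      0      31337
ffff8880a1b2c3e0 2      2    0003   0     1 0      0      31338
"""


@dataclass
class PacketSocket:
    sock_type: int  # 3 = SOCK_RAW, 2 = SOCK_DGRAM
    proto: int      # ethertype the socket asked for
    inode: int      # socket inode, used to find the owning process


def parse_proc_net_packet(text: str) -> list[PacketSocket]:
    """Parse the /proc/net/packet table (header line skipped)."""
    sockets: list[PacketSocket] = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append(PacketSocket(sock_type=int(fields[2]),
                                    proto=int(fields[3], 16),
                                    inode=int(fields[8])))
    return sockets


def raw_packet_sockets(sockets: Iterable[PacketSocket]) -> list[PacketSocket]:
    """Keep only SOCK_RAW packet sockets; these are where a BPF sniffer would sit."""
    return [s for s in sockets if s.sock_type == 3]


def socket_inode_owners(inodes: Iterable[int], proc_root: str = "/proc") -> dict[int, list[int]]:
    """Map socket inodes to the PIDs whose fd table links to 'socket:[inode]'."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners: dict[int, list[int]] = {}
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            fds = list((pid_dir / "fd").iterdir())
        except (PermissionError, FileNotFoundError):
            continue  # process exited or we lack privileges for it
        for fd in fds:
            try:
                target = os.readlink(fd)
            except OSError:
                continue
            inode = wanted.get(target)
            if inode is not None:
                owners.setdefault(inode, []).append(int(pid_dir.name))
    return owners


def lock_file_state(path: str = LOCK_PATH) -> str:
    """Return 'absent', 'unreadable', 'locked' (held by someone else) or 'unlocked'.

    A non-blocking exclusive flock() fails with EWOULDBLOCK when another open
    file description already holds the lock, which is exactly what a running
    instance using the file as a mutex would look like.
    """
    if not os.path.exists(path):
        return "absent"
    try:
        fd = os.open(path, os.O_RDONLY)
    except PermissionError:
        return "unreadable"
    try:
        try:
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            return "locked"
        fcntl.flock(fd, fcntl.LOCK_UN)
        return "unlocked"
    finally:
        os.close(fd)


def hunt(proc_root: str = "/proc") -> dict:
    """Run both checks against the live system and return the findings."""
    table = Path(proc_root, "net", "packet").read_text()
    raw = raw_packet_sockets(parse_proc_net_packet(table))
    owners = socket_inode_owners((s.inode for s in raw), proc_root)
    return {"lock_file": lock_file_state(), "raw_packet_sockets": raw, "owners": owners}


if __name__ == "__main__":
    findings = hunt()
    print(f"{LOCK_PATH}: {findings['lock_file']}")
    for sock in findings["raw_packet_sockets"]:
        pids = findings["owners"].get(sock.inode, ["<not visible>"])
        print(f"raw packet socket inode={sock.inode} proto=0x{sock.proto:04x} pids={pids}")
```

Run it as root so every process's fd table is readable; a "locked" result for the mutex path, or a raw packet socket owned by a process that is not a known sniffer (tcpdump, a monitoring agent), is worth a closer look at that PID's binary and network connections.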

IOCs

  • afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7 — BPFDoor ELF SHA256
  • /var/run/initd.lock — BPFDoor "mutex"