- Short Summary: BPFDoor is a stealthy backdoor malware that utilizes the Berkeley Packet Filter (BPF) to operate without needing to connect to a command and control server. It has been used by the China-based threat actor Red Menshen in attacks targeting the Middle East and Asia since its discovery in 2021. Detection methods using AhnLab EDR are discussed, highlighting the malware’s unique behavior and command execution processes.
- Key Points:
- BPFDoor was revealed in a 2021 threat report by PWC.
- It operates by sending a magic packet to already open ports, avoiding detection.
- Utilizes BPF to register filters that check for specific magic packets.
- Copies itself to the /dev/shm path and disguises its process name.
- Supports commands for reverse shell and bind shell based on specific passwords.
- AhnLab EDR detects suspicious behaviors associated with BPFDoor.
- Identified targets include telecommunications, logistics, education, and government sectors.
- Can remain stealthy on infected systems, executing commands later via magic packets.
MITRE ATT&CK TTPs – created by AI
- Execution Techniques:
- Command and Scripting Interpreter: Unix Shell (T1059.004)
- Utilizes shell commands for execution.
- Native API (T1106)
- Uses native API calls for execution.
- Defense Evasion Techniques:
- Masquerading: Masquerade Task or Service (T1036.004)
- Disguises itself as a legitimate process.
- Impair Defenses: Disable or Modify System Firewall (T1562.004)
- Modifies firewall settings to allow communication.
- Indicator Removal on Host: File Deletion (T1070.004)
- Deletes files to remove traces of its presence.
- Indicator Removal on Host: Timestomp (T1070.006)
- Modifies timestamps to obfuscate activity.
- File and Directory Permissions Modification (T1222)
- Changes permissions to maintain access.
- Command and Control Techniques:
- Traffic Signaling: Socket Filters (T1205.002)
- Uses socket filters for command and control communication.
- Encrypted Channel (T1573)
- Establishes encrypted communication channels.
BPFDoor is a backdoor using the Berkeley Packet Filter (BPF), first revealed through a threat report by PWC in 2021 [1]. According to the report, the China-based threat actor Red Menshen has been using BPFDoor for several years in attacks targeting the Middle East and Asia regions, and its source code was released recently.
BPFDoor abuses BPF so that it can be triggered by a magic packet sent to a port already used by a running service, such as a web server or SSH. This means that BPFDoor does not need to connect to a C&C server first or keep a specific port continuously open like typical backdoors, allowing it to remain hidden on the infected system.
This post will summarize a method to detect BPFDoor installed in Linux systems using AhnLab EDR and provide brief analysis information on the malware.
1. Berkeley Packet Filter (BPF)
BPF is a technology that allows user-mode programs to attach filters to network sockets, permitting or denying incoming data. In other words, a running program can register packet-filtering rules on the network sockets it uses, enabling it to read matching data or be notified of it.
BPFDoor also utilizes BPF and registers the following filter after installation. The filter checks for the value 0x5293 in TCP packets and for 0x7255 in UDP packets and ICMP Echo Request packets.
Figure 1. The BPF filter registered by BPFDoor
Protocol | Magic Packet |
---|---|
TCP | 0x5293 |
UDP | 0x7255 |
ICMP (Echo Request) | 0x7255 |
Table 1. BPF filter
Generally, a web server providing web services will have ports 80 and 443 open, and a system with SSH service enabled will have port 22 open. If BPFDoor is installed on such a system, a threat actor can send a magic packet to ports that are already open even if the malware does not open additional ports. The packet filter installed by BPFDoor examines packets received from open sockets, and if they match the magic packet, the filter sends them to BPFDoor.
2. BPFDoor
When BPFDoor is first executed, it uses the following commands to copy itself to the “/dev/shm” path under the name “kdmtmpflush” and then deletes its original file. The /dev/shm path is a memory-based file system in Linux, mainly used by applications to store or process temporary data. Because it exists only in memory and nothing written there is recorded on disk, it is frequently abused by attackers, and BPFDoor is no exception.
```
/bin/rm -f /dev/shm/kdmtmpflush; /bin/cp [malware] /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init kdmtmpflush /bin/rm -f /dev/shm/kdmtmpflush
```
Afterward, it selects one of the following strings and uses the prctl() function to rename its process, so that it appears as a normal process in the process list.
Figure 2. Strings used to disguise the malware as a normal process
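As an added example (not code from the original post or from AhnLab), the following Python script turns the observations above into host-side checks: it parses /proc/net/packet to find the AF_PACKET sockets that a packet filter of this kind is attached to, locates the processes holding them through /proc/<pid>/fd, and flags any holder whose binary sits in /dev/shm, was deleted after execution, or whose process name no longer matches its binary. The /proc/net/packet sample, the comm values and the paths in the test are constructed; reading other users' fd tables requires root.

```python
import os

# Constructed sample of /proc/net/packet (not from the original post). Columns:
# sk RefCnt Type Proto Iface R Rmem User Inode; Type 3 is SOCK_RAW, Proto is hex.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a0b1c2d3e40 3      3    0003   2     1 0      0      12345
ffff9a0b1c2d3e41 3      3    0800   2     1 0      0      67890
"""

def parse_proc_net_packet(text):
    """Return {inode: proto} for every AF_PACKET socket listed in the table."""
    socks = {}
    for f in (line.split() for line in text.splitlines()[1:]):
        if len(f) >= 9:
            socks[int(f[8])] = int(f[3], 16)
    return socks

def masquerade_reasons(exe, comm):
    """Heuristics for the behaviour described above: binary staged in /dev/shm,
    binary deleted after exec (the self-delete), or process name not matching it."""
    deleted = exe.endswith(" (deleted)")
    real = exe[: -len(" (deleted)")] if deleted else exe
    reasons = []
    if real.startswith("/dev/shm/"):
        reasons.append("exe in /dev/shm")
    if deleted:
        reasons.append("exe deleted after exec")
    if os.path.basename(real)[:15] != comm:  # the kernel truncates comm to 15 chars
        reasons.append(f"comm {comm!r} does not match exe")  # also hits symlinked binaries
    return reasons

def scan(proc="/proc"):
    """Report masquerade reasons for every process holding an AF_PACKET socket."""
    with open(os.path.join(proc, "net", "packet")) as fh:
        wanted = {f"socket:[{i}]" for i in parse_proc_net_packet(fh.read())}
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            fds = os.listdir(os.path.join(base, "fd"))
            if not any(os.readlink(os.path.join(base, "fd", fd)) in wanted for fd in fds):
                continue
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited, or fd table unreadable without root
        report[int(pid)] = masquerade_reasons(exe, comm)
    return report
```

Run `scan()` as root on a live host; an empty reason list for a packet-socket holder such as a legitimate capture tool is normal, so treat the output as a triage aid rather than a verdict.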
Once this process is complete, it registers the aforementioned BPF filter and waits. If the threat actor later sends a packet containing the magic value, the malware receives it through the BPF filter and branches on the password the packet carries. Depending on the password, there are three options: a reverse shell, a bind shell, or a simple response. If the password matches “justforfun” (the value defined in the source code), it connects to the IP address and port included in the magic packet to provide a reverse shell. If it matches “socket,” it opens a new port and adds firewall rules so that the threat actor can connect to it. Finally, if the password does not match, it responds with “1” to the attacker, who can presumably use this to confirm the infection status.
Figure 3. Structure of the magic packet
Figure 4. Commands supported by BPFDoor
Command | Password | Feature |
---|---|---|
0 | pass (justforfun) | Reverse shell |
1 | pass2 (socket) | Bind shell |
2 | N/A | “1” response |
Table 2. Commands supported by BPFDoor
In the bind shell process, the malware opens a new port and adds firewall rules that redirect packets received from the threat actor’s IP address to the newly opened port. After the connection with the threat actor is established, the added rules are removed.
```
# /sbin/iptables -I INPUT -p tcp -s [threat actor IP] -j ACCEPT
# /sbin/iptables -t nat -A PREROUTING -p tcp -s [threat actor IP] --dport [destination port] -j REDIRECT --to-ports [random port]
# /sbin/iptables -t nat -D PREROUTING -p tcp -s [threat actor IP] --dport [destination port] -j REDIRECT --to-ports [random port]
# /sbin/iptables -D INPUT -p tcp -s [threat actor IP] -j ACCEPT
```
3. Detection Using AhnLab EDR
During its execution, BPFDoor is known for copying itself to the /dev/shm path. AhnLab EDR detects the behavior of a suspicious process copying itself to the /dev/shm path and granting it execution permissions as a threat, as shown below, helping administrators become aware of the behavior in advance.
Figure 5. Detecting the behavior of granting permissions to a file located in a suspicious path
As discussed above, when BPFDoor receives a command whose password matches, it opens a specific port and adds firewall rules to redirect packets received from the attacker. AhnLab EDR flags suspicious behaviors such as adding or removing iptables rules and redirecting ports as key behaviors.
Figure 6. Detecting port redirection using iptables
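As an added example (not code from the original post or from AhnLab EDR), the following Python detector applies the two behaviours described above, the /dev/shm staging and the single-host nat PREROUTING REDIRECT rule that is added and later removed, to execve-style command-line log lines. The log format, pids, addresses and ports are constructed for the example.

```python
import re

# Constructed execve-style audit lines (not from the original post): "<ts> pid=<pid> cmd=<argv>".
SAMPLE_LOG = """\
2024-01-01T10:00:01Z pid=4101 cmd=/bin/cp ./payload /dev/shm/kdmtmpflush
2024-01-01T10:00:01Z pid=4102 cmd=/bin/chmod 755 /dev/shm/kdmtmpflush
2024-01-01T10:00:02Z pid=4103 cmd=/bin/rm -f /dev/shm/kdmtmpflush
2024-01-01T10:05:00Z pid=4200 cmd=/sbin/iptables -I INPUT -p tcp -s 203.0.113.7 -j ACCEPT
2024-01-01T10:05:00Z pid=4201 cmd=/sbin/iptables -t nat -A PREROUTING -p tcp -s 203.0.113.7 --dport 443 -j REDIRECT --to-ports 42731
2024-01-01T10:05:03Z pid=4202 cmd=/sbin/iptables -t nat -D PREROUTING -p tcp -s 203.0.113.7 --dport 443 -j REDIRECT --to-ports 42731
"""
LINE_RE = re.compile(r"^(\S+) pid=(\d+) cmd=(.*)$")

def parse_opts(argv):
    """{flag: value} from an iptables-style argv; value-less flags map to True."""
    opts, i = {}, 1
    while i < len(argv):
        val = argv[i + 1] if i + 1 < len(argv) and not argv[i + 1].startswith("-") else True
        if argv[i].startswith("-"):
            opts[argv[i]] = val
        i += 1 if val is True else 2
    return opts

def check_iptables_redirect(argv):
    """Flag a nat PREROUTING REDIRECT rule scoped to one source host, whether it is
    being added (-A/-I) or removed again (-D), as in the bind-shell flow above."""
    o = parse_opts(argv) if argv[0].rsplit("/", 1)[-1] == "iptables" else {}
    chain = o.get("-A") or o.get("-I") or o.get("-D")
    if (o.get("-t"), chain, o.get("-j")) != ("nat", "PREROUTING", "REDIRECT") or "-s" not in o:
        return None
    action = "remove" if "-D" in o else "add"
    return f"{action} REDIRECT from {o['-s']} dport {o.get('--dport')} to port {o.get('--to-ports')}"

def check_shm_staging(argv):
    """Flag cp/chmod/rm on a file under /dev/shm: the copy, chmod 755 and self-delete."""
    tool = argv[0].rsplit("/", 1)[-1]
    if tool in ("cp", "chmod", "rm") and any(a.startswith("/dev/shm/") for a in argv[1:]):
        return f"{tool} on /dev/shm: {' '.join(argv[1:])}"
    return None

def scan_log(text):
    """Return (pid, detector, detail) for every log line that trips a detector."""
    findings = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        pid, argv = int(m.group(2)), m.group(3).split()
        for check in (check_iptables_redirect, check_shm_staging):
            detail = check(argv)
            if detail:
                findings.append((pid, check.__name__, detail))
    return findings
```

The plain INPUT ACCEPT rule on pid 4200 is deliberately not flagged on its own; correlating it with the REDIRECT findings from the same source address is left to the analyst or SIEM.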
The behaviors mentioned above are techniques that other malware strains can use as well. AhnLab EDR also detects the suspicious behaviors of an installed BPFDoor as threats, helping administrators recognize them, identify the cause, and respond appropriately.
Figure 7. Detecting BPFDoor using AhnLab EDR
4. Conclusion
BPFDoor was first revealed through a threat report by PWC in 2021 and is being used in attacks targeting various countries including those in Asia. Various affected entities such as telecommunications providers, logistics companies, education institutions, and government organizations have been identified, and the China-based attacker Red Menshen is known to have been using BPFDoor in attacks for years.
Unlike typical backdoor malware, BPFDoor’s abuse of BPF means it does not need to connect to a C&C server first or keep a suspicious port continuously open. In other words, BPFDoor can remain hidden on the infected system without showing any suspicious signs, and the threat actor can execute commands later simply by sending a magic packet.
AhnLab EDR detects the various suspicious behaviors identified during the installation and command execution processes of BPFDoor as threats and key behaviors, helping administrators recognize them in advance. Based on this, administrators can identify the cause and respond appropriately. Even after an attack has occurred, the data collected from the affected system can be reviewed as evidence about the threat actor when investigating the intrusion.
Behavior Detection
– DefenseEvasion/EDR.Event.M12190
– Behavior/DETECT.Event.M12191
– DefenseEvasion/DETECT.Firewall.M12192
– DefenseEvasion/DETECT.Firewall.M12193
– Execution/EDR.BPFDoor.M12195
Tactic | Technique |
---|---|
Execution (TA0002) | Command and Scripting Interpreter: Unix Shell (T1059.004) |
Execution (TA0002) | Native API (T1106) |
Defense Evasion (TA0005) | Masquerading: Masquerade Task or Service (T1036.004) |
Defense Evasion (TA0005) | Impair Defenses: Disable or Modify System Firewall (T1562.004) |
Defense Evasion (TA0005) | Indicator Removal on Host: File Deletion (T1070.004) |
Defense Evasion (TA0005) | Indicator Removal on Host: Timestomp (T1070.006) |
Defense Evasion (TA0005) | File and Directory Permissions Modification (T1222) |
Command and Control (TA0011) | Traffic Signaling: Socket Filters (T1205.002) |
Command and Control (TA0011) | Encrypted Channel (T1573) |
MITRE ATT&CK mapping information
Source : https://asec.ahnlab.com/en/83925/