BPFDoor is a state-sponsored backdoor attributed to the Earth Bluecrow APT group, facilitating advanced cyberespionage through reverse shells and stealthy evasion techniques. Recent attacks focus on telecommunications, finance, and retail sectors across multiple countries. Affected: South Korea, Hong Kong, Myanmar, Malaysia, Egypt
Key points:
- BPFDoor is linked to Earth Bluecrow, a well-known APT group.
- The malware allows for reverse shell connections to infected machines.
- Recent attacks have primarily targeted telecommunications, finance, and retail sectors.
- Countries affected include South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.
- BPFDoor employs stealth techniques to evade detection by traditional security measures.
- Utilizes Berkeley Packet Filtering (BPF) for executing stealthy commands.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: BPFDoor uses TCP, UDP, and ICMP for command and control communication.
- T1070 – Indicator Removal on Host: BPFDoor can change its process name and does not listen on any open ports.
- T1021.002 – Remote Services: The malware opens a reverse shell that allows for lateral movement within networks.
- T1210 – Exploitation of Remote Services: The controller can activate the backdoor using predetermined magic packets.
Indicators of Compromise:
- [Domain] example.com
- [IP Address] 192.168.32.133
- [IP Address] 192.168.32.156
- [Hash] 8c6962990fd9270d76898c45a6ca6932
- [Email Address] attacker@example.com
Full Story: https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html