Linux Backdoor, BPFDoor

Industry: Education, Government, Logistics, Telecommunications | Level: Tactical| Source: SandFlySecurity

BPFDoor, an evasive Linux backdoor, to be utilized by Chinese Red Menshen threat actors. has been researched by Kevin Beaumont, PricewaterhouseCoopers (PwC), and The Sandfly Security Team. The stealth capabilities of the tool make it ideal for espionage and persistent attacks. Utilizing the Berkeley Packet Filter sniffer, BPFDoor is capable of monitoring network traffic and sending network packets. Operating at the network layer level, the malware is unhindered by firewall rules and does not require any open ports. The malware once downloaded, requires root permissions for execution and will be set up as an in-memory implant. Persistence for the malware is set up with scripts or a crontab scheduled task. Attackers are able to control the implant once the backdoor modifies firewall configurations, "Upon receiving a special packet, it will modify the local firewall to allow the attacker IP address to access resources such as a spawned shell or connect back bindshell." Additionally, attackers are able to control the implant through a "magic" password as identified by security researcher Kevin Beaumont. Targets by Red Menshen are organizations in verticals for education, government, logistics, and telecommunication. Geographically targets are in Asia and the Middle East.

Anvilogic Scenario:

• Unix File Download, Modified, Executed

Anvilogic Use Cases:

• Linux Malware - BPFDoor
• Sudoers Misconfiguration PrivEsc
• Crontab Job Scheduling (Unix)
• File Download (Unix)
• File Modified for Execution
• File Execution (Unix)