Advanced Version of ‘BPFDoor’ Backdoor Targets Linux Systems

-


Upgraded Versions of BPFDoor Linux Backdoor Employ Controller for Reverse Shell Access and Network Control

Trend Micro has reported that newly identified variants of the BPFDoor Linux backdoor utilize a controller module to establish a reverse shell and manage additional compromised hosts within a network.

Originally disclosed in 2021, BPFDoor is attributed to a Chinese state-sponsored threat group tracked as Red Menshen and Earth Bluecrow. The malware is designed with a strong focus on evading detection, enabling attackers to maintain persistent access to targeted environments.

Believed to have been active for nearly a decade, BPFDoor has recently been involved in cyberattacks targeting entities in telecommunications, financial services, and retail sectors across Hong Kong, Egypt, Malaysia, Myanmar, and South Korea.

Engineered for cyberespionage, BPFDoor is particularly notable for its use of Berkeley Packet Filters (BPF) to stealthily monitor network traffic and facilitate command-and-control (C&C) communications.

By applying a BPF filter at the Linux firewall level, the malware can inspect packets and activate its functions when it detects specific “magic” sequences — even if the firewall would normally block such traffic. Trend Micro highlights that such techniques are more common in rootkits than in traditional backdoors.

In its latest observed operations, BPFDoor uses a controller that enables attackers to open reverse shells or redirect traffic to a shell listening on a specified port. It authenticates commands based on attacker-provided passwords to validate execution.

“Beyond using multiple connection modes, the controller is flexible enough to manage compromised machines through all three protocols supported by BPFDoor — TCP, UDP, and ICMP,” Trend Micro notes.

Additionally, researchers observed that the controller can initiate a direct TCP connection to an infected system and open an interactive shell session if the correct password is provided.



Trend Micro further emphasizes that attribution of the recent BPFDoor-related activity remains uncertain. While historical evidence links the malware to the Chinese state-sponsored threat actor Earth Bluecrow, the moderate confidence in this connection stems from the fact that the BPFDoor source code was leaked publicly in 2022. As a result, it is now potentially accessible to a wider range of threat actors, including independent cybercriminals and other nation-state groups, making definitive attribution more challenging.

The cybersecurity firm urges network defenders and system administrators to implement robust security strategies to proactively detect and mitigate potential compromises involving BPFDoor. Given the malware’s highly evasive nature, relying solely on routine security checks or surface-level network scans may not be sufficient.

“A backdoor like BPFDoor is particularly dangerous due to its ability to remain concealed within a network environment for extended periods,” Trend Micro explains. “Traditional detection methods — such as simple port scanning — are unlikely to uncover its presence, since the backdoor does not actively listen on any ports, a common giveaway in typical malware infections.”

Additionally, BPFDoor incorporates advanced stealth techniques, including dynamic process name alteration. This means that once deployed, the malware can disguise its process identity to appear benign or blend in with legitimate system processes, further complicating detection by administrators.

Trend Micro warns that these capabilities enable the malware to maintain a low profile while providing persistent remote access, which may allow attackers to conduct long-term espionage or lateral movement across an organization’s infrastructure undetected.



Comments

Post a Comment

Popular posts from this blog

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those...
Read more

Splunk: Cybersecurity Dynamics Rapidly Changing

-
Image
  A survey of 1,520 cybersecurity and IT leaders published today found more than half (52%) reporting their organization suffered a data breach in the past two years, with 62% experiencing monthly unplanned downtime attributable to a cybersecurity incident. The survey, conducted by Enterprise Strategy Group (ESG) on behalf of Splunk , also found that, on average, it takes 2.4 months to discover bad actors on corporate networks. Over a third (39%) of the respondents said cybersecurity incidents have directly harmed their competitive position, with 31% also noting those incidents have reduced shareholder value. As a result, cybersecurity budgets are increasing, with 95% of respondents reporting their security budgets will increase over the next two years, with 56% describing those increases as significant. The survey also found 81% of respondents are working for organizations that are converging aspects of their security and IT operations. Respondents believe this conver...
Read more

vSphere DR and Migration Improvements

-
Image
  Since introducing the support for dedicated vSphere clouds as a replication destination, we have extended the list of available features with every new release. This one is no exception and brings several significant improvements: Recovery Plans to define the failover order of the replicated VMs the same way it is done for VMware Cloud Director clouds Bandwidth throttling to enforce traffic limits on a specific network interface of the Tunnel appliance Public API, which was missing before.  In VMware Cloud Director Availability 4.3.1, we enabled migrating templates from one catalog to another in the same or a remote VMware Cloud Director cloud. In 4.6, we enhanced that feature to check for template changes and perform an automated migration if a modification is detected. It can result in overwriting the existing template at the destination catalog or creating a newer version. Along with all mentioned, we have also improved product management and operability.  For clouds...
Read more