BPFDoor Backdoor Gets Sneakier With New Controller for Linux Attacks
A stealthier version of the BPFDoor backdoor is now circulating, featuring a new controller component that allows attackers to move laterally across compromised Linux servers with greater ease. Cybersecurity experts recently discovered this updated BPFDoor variant during investigations into attacks targeting telecommunications, finance, and retail organizations across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt throughout 2024.

Cybersecurity researchers have just discovered a new piece of the puzzle related to the notorious BPFDoor backdoor. This discovery comes amidst ongoing cyberattacks hitting telecommunications, finance, and retail industries across South Korea, Hong Kong, Myanmar, Malaysia, and even Egypt in 2024.
So, what's new? It's a controller component that gives attackers even more control.
"The controller could open a reverse shell," explained Fernando Mercês, a researcher at Trend Micro. He detailed the findings in a technical report. "This could allow lateral movement, enabling attackers to enter deeper into compromised networks, allowing them to control more systems or gain access to sensitive data." In other words, it's a way for hackers to spread through a network after initially breaching it.
Who's Behind This?
The campaign is suspected to be the work of a threat group Trend Micro calls Earth Bluecrow, which also goes by names like DecisiveArchitect, Red Dev 18, and Red Menshen. There is a catch, however: confidence in this attribution is limited, because the BPFDoor malware source code was leaked back in 2022, which means other hacking groups could have picked it up and be using it now.
What is BPFDoor?
BPFDoor is a Linux backdoor that first surfaced in 2022. But it's believed to have been used in attacks targeting organizations in Asia and the Middle East for at least a year prior. The main goal? Long-term espionage.
What makes BPFDoor stand out is its ability to create a hidden, persistent channel. This allows attackers to control infected systems and steal sensitive data over long periods without being easily detected.
The name comes from its use of Berkeley Packet Filter (BPF), a kernel technology that lets programs filter and inspect network traffic. The malware uses a BPF filter to watch for a specific "magic byte" sequence, which triggers the backdoor.
"Because of how BPF is implemented in the targeted operating system, the magic packet triggers the backdoor despite being blocked by a firewall," Mercês explained. "As the packet reaches the kernel's BPF engine, it activates the resident backdoor. While these features are common in rootkits, they are not typically found in backdoors."
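To make the mechanism concrete, here is an added illustration (not code from the article or from the malware): a minimal evaluator for classic BPF programs of the kind the kernel runs on behalf of a socket, plus a filter that accepts a frame only when the first bytes of a UDP payload equal a marker. The marker value, the frame layout and the byte offsets are constructed assumptions, not values taken from BPFDoor. The point to notice is that the filter never reads the destination port, so a port-based firewall rule has nothing to say about which frames reach the listening process; a network sensor applying the same matcher to captured traffic, with the real trigger bytes, is the mirror-image detection.

```python
"""Classic-BPF (cBPF) evaluator, added as an illustration of how a socket
filter singles out a 'magic' packet.  Constructed example: the marker value,
frame layout and offsets are assumptions, not values taken from BPFDoor."""

# cBPF opcodes as encoded in <linux/filter.h> (BPF_LD|BPF_W|BPF_ABS, ...)
LD_W_ABS, LD_H_ABS, LD_B_ABS = 0x20, 0x28, 0x30   # load word/half/byte at a fixed offset
JEQ_K, RET_K = 0x15, 0x06                        # jump-if-equal immediate, return immediate
LOAD_SIZES = {LD_W_ABS: 4, LD_H_ABS: 2, LD_B_ABS: 1}

def run_filter(prog, pkt):
    """Evaluate a cBPF program (list of (code, jt, jf, k)) against a raw frame.
    Returns the accept length; 0 means the kernel would not deliver the packet."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code in LOAD_SIZES:
            size = LOAD_SIZES[code]
            if k + size > len(pkt):
                return 0                       # out-of-range load: filter rejects the frame
            acc = int.from_bytes(pkt[k:k + size], "big")
        elif code == JEQ_K:
            pc += jt if acc == k else jf       # conditional forward jump
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"opcode {code:#x} not supported by this toy evaluator")
    raise ValueError("program fell off the end")

# Constructed placeholder marker ("MAGK" in ASCII), not a real BPFDoor trigger value.
MARKER = 0x4D41474B

# Filter: IPv4 + UDP, and the first four payload bytes equal MARKER.
# Offsets assume Ethernet (14 bytes) and an IPv4 header without options (20 bytes).
MAGIC_FILTER = [
    (LD_H_ABS, 0, 0, 12),       # A = EtherType
    (JEQ_K,    0, 5, 0x0800),   # not IPv4      -> jump to drop
    (LD_B_ABS, 0, 0, 23),       # A = IP protocol field
    (JEQ_K,    0, 3, 17),       # not UDP       -> jump to drop
    (LD_W_ABS, 0, 0, 42),       # A = first 4 bytes of UDP payload
    (JEQ_K,    0, 1, MARKER),   # marker absent -> jump to drop
    (RET_K,    0, 0, 0xFFFF),   # accept: deliver the frame to the listening process
    (RET_K,    0, 0, 0),        # drop
]

def is_magic_packet(frame):
    """True when the filter would deliver this frame to the sniffing process."""
    return run_filter(MAGIC_FILTER, frame) != 0

def build_frame(payload, ip_proto=17, dst_port=12345):
    """Constructed Ethernet/IPv4/UDP frame used as sample input (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = (bytes([0x45, 0, 0, 0, 0, 0, 0, 0, 64, ip_proto]) + b"\x00\x00"
          + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
    udp = (4444).to_bytes(2, "big") + dst_port.to_bytes(2, "big") + b"\x00" * 4
    return eth + ip + udp + payload

if __name__ == "__main__":
    # The destination port is irrelevant to the filter: every line prints True.
    for port in (53, 443, 65000):
        print(port, is_magic_packet(build_frame(b"MAGK-hello", dst_port=port)))
```

Real deployments would compile such a filter from a tcpdump-style expression rather than hand-assemble it; the hand-assembled form is used here only so the loads and jumps are visible.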
The New Controller Component
Trend Micro's new analysis reveals that the targeted Linux servers are also infected with a previously unknown malware controller. This controller is used to access other compromised machines on the same network – facilitating that lateral movement we talked about earlier.
"Before sending one of the 'magic packets' checked by the BPF filter inserted by BPFDoor malware, the controller asks its user for a password that will also be checked on the BPFDoor side," Mercês explained.
Based on the password and command-line options, the controller can tell the infected machine to do one of the following:
- Open a reverse shell
- Redirect new connections to a shell on a specific port
- Confirm the backdoor is active
Important note: the password used by the controller must match one of the hard-coded values within the BPFDoor sample itself. The controller works with TCP, UDP, and ICMP protocols, and can even enable encrypted communication for added security (for the attackers, that is).
There's also a "direct mode" that allows attackers to connect directly to an infected machine and get a shell for remote access – but only if they have the right password.
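Because the backdoor must see the trigger packet before any firewall decision, a host-side triage check that fits the description above is to list which processes hold AF_PACKET (raw/packet) sockets, the socket type a sniffing implant of this kind attaches its filter to. The helper below is an added example, not tooling from Trend Micro or the article: it parses Linux's /proc/net/packet table, matches the socket inodes against /proc/<pid>/fd links, and reports the owning processes. The table embedded in the block is constructed sample data; the assumption that the filter sits on a packet socket is mine, not a statement from the page. Legitimate software (DHCP clients, packet-capture tools, LLDP daemons) also opens packet sockets, so the output is a short list to review against an inventory, not a verdict.

```python
"""Host triage helper, added as an example of one check a defender can run:
list processes holding AF_PACKET (raw/packet) sockets.  Parses Linux's
/proc/net/packet table and /proc/<pid>/fd symlinks; SAMPLE_TABLE is constructed."""
import os
import re

PACKET_TABLE = "/proc/net/packet"
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

# Constructed sample in the /proc/net/packet layout (Type 3 = SOCK_RAW, Proto 0003 = ETH_P_ALL).
SAMPLE_TABLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      21563
0000000000000000 2      2    0800   0     1 0      1000   30010
"""

def parse_packet_table(text):
    """Parse /proc/net/packet into {inode: {'type', 'proto', 'iface'}}.
    Columns: sk RefCnt Type Proto Iface R Rmem User Inode."""
    sockets = {}
    for line in text.splitlines()[1:]:          # first line is the header
        cols = line.split()
        if len(cols) < 9:
            continue
        sockets[int(cols[8])] = {
            "type": int(cols[2]),               # 3 = SOCK_RAW, 2 = SOCK_DGRAM
            "proto": int(cols[3], 16),          # 0x0003 = ETH_P_ALL: every frame on the wire
            "iface": int(cols[4]),              # interface index, 0 = any interface
        }
    return sockets

def socket_inode(link_target):
    """Inode number from an fd symlink target such as 'socket:[21563]', else None."""
    m = SOCKET_LINK.fullmatch(link_target)
    return int(m.group(1)) if m else None

def match_owners(packet_sockets, fd_links):
    """Map each pid to the packet-socket inodes it holds.
    fd_links: {pid: [symlink targets of /proc/<pid>/fd/*]}."""
    owners = {}
    for pid, targets in fd_links.items():
        hits = [ino for ino in map(socket_inode, targets) if ino in packet_sockets]
        if hits:
            owners[pid] = hits
    return owners

def live_fd_links():
    """Read /proc/<pid>/fd for every process we may inspect (other users' processes need root)."""
    links = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fd_dir = f"/proc/{entry}/fd"
        targets = []
        try:
            for fd in os.listdir(fd_dir):
                try:
                    targets.append(os.readlink(f"{fd_dir}/{fd}"))
                except OSError:
                    pass                        # fd closed between listdir and readlink
        except OSError:
            continue                            # process exited or permission denied
        links[int(entry)] = targets
    return links

if __name__ == "__main__":
    with open(PACKET_TABLE) as fh:
        table = parse_packet_table(fh.read())
    for pid, inodes in match_owners(table, live_fd_links()).items():
        try:
            with open(f"/proc/{pid}/comm") as fh:
                name = fh.read().strip()
        except OSError:
            name = "?"
        for ino in inodes:
            s = table[ino]
            print(f"pid={pid} comm={name} inode={ino} type={s['type']} "
                  f"proto={s['proto']:#06x} iface={s['iface']}")
```

Run it as root so every process's fd table is readable; a SOCK_RAW socket with proto ETH_P_ALL held by a process you cannot account for is the line worth pulling the binary and command line for.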
What Does This Mean?
"BPF opens a new window of unexplored possibilities for malware authors to exploit," Mercês concluded. "As threat researchers, it is a must to be equipped for future developments by analyzing BPF code, which will help protect organizations against BPF-powered threats." In other words, we need to understand how these BPF-based attacks work so we can defend against them.