Security analysts uncovered a backdoor, dubbed BPFdoor, that has been targeting Linux and Solaris systems for years while bypassing firewall defenses.

Who are the targets?

Throughout 2021, multiple intrusions were observed, which were linked to a China-based threat group tracked as Red Menshen. 
  • It used BPFdoor to target telecommunications providers in the Middle East and Asia, as well as other organizations across education, logistics, and government sectors.
  • BPFdoor activity has been observed in various countries such as the U.S., Vietnam, Hong Kong, Turkey, India, Myanmar, and South Korea. Additionally, 11 Speedtest servers were infected.

The BPFdoor backdoor

A report has been released about how the BPFdoor backdoor bypasses the local firewall to stay undetected.
  • The backdoor allows attackers to remotely connect to a Linux shell and gain complete access to an infected device.
  • BPFdoor does not require open ports and is an ideal tool for espionage and persistent attacks.
  • It responds to commands from any IP address on the web and can’t be stopped by firewalls.

Tactics to bypass local firewall

The backdoor uses smart evasion tactics to bypass a local firewall in a targeted network environment.
  • It resides in system memory, takes anti-forensics actions, and uses a BPF sniffer that lets it see packets ahead of any locally running firewall.
  • It masquerades as part of the Linux system by giving its binary a name similar to that of a common Linux system daemon. Then, it renames and runs itself as /dev/shm/kdmtmpflush, changes the date of the binary to October 30, 2008, and deletes it.
  • It changes iptables rules when it receives a relevant packet, to allow communication through the local firewall.

BPF sniffer

BPFdoor uses a Berkeley Packet Filter (BPF) sniffer that works at the network layer interface to see all network traffic and send packets to any destination. 
  • Due to the sniffer being positioned at the network layer interface, it is not bound to follow any firewall rules.
  • It has BPF versions for Linux and Solaris SPARC systems and could be ported to BSD.
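
A defender-side check for the traits listed above (execution from /dev/shm, a binary deleted after launch, and a packet sniffer), as an added example that is not part of the original article or the report it summarizes. It assumes the sniffer appears as a packet socket in Linux's /proc/net/packet; the function names are illustrative, and legitimate tools such as DHCP clients also hold packet sockets, so a single reason is a lead to triage rather than a verdict.

```python
import os
import re

SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

def packet_socket_inodes(proc_root="/proc"):
    """Return inode numbers of packet sockets listed in <proc_root>/net/packet."""
    try:
        with open(os.path.join(proc_root, "net", "packet")) as fh:
            rows = [line.split() for line in fh.readlines()[1:]]  # skip header row
    except OSError:
        return set()
    return {row[-1] for row in rows if row}  # Inode is the last column

def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:  # kernel thread, exited process, or insufficient privilege
        return None

def hunt(proc_root="/proc"):
    """Return [(pid, exe, [reasons])] for processes showing traits the article lists."""
    sniffers = packet_socket_inodes(proc_root)  # assumption: sniffer is a packet socket
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        exe = _readlink(os.path.join(base, "exe"))
        if exe is None:
            continue
        reasons = []
        if exe.endswith(" (deleted)"):
            reasons.append("binary deleted while running")
        if exe.startswith("/dev/shm/"):
            reasons.append("executed from /dev/shm")
        try:
            fds = os.listdir(os.path.join(base, "fd"))
        except OSError:
            fds = []
        links = (_readlink(os.path.join(base, "fd", fd)) or "" for fd in fds)
        if any(m and m.group(1) in sniffers for m in map(SOCKET_LINK.fullmatch, links)):
            reasons.append("holds a raw packet socket")
        if reasons:
            findings.append((int(pid), exe, reasons))
    return sorted(findings)

if __name__ == "__main__":
    for pid, exe, reasons in hunt():
        print(pid, exe, "; ".join(reasons))
```

Run it as root so that every process's exe and fd links are readable; unreadable processes are skipped silently.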


The attacker behind BPFdoor has been updating it regularly, improving each release with different names for commands, processes, or files. This implies that the developers behind this malware have vast resources at their disposal. Thus, organizations are advised to install a reliable anti-malware solution.

Cyware Publisher