The wide adoption of Linux across critical infrastructure, servers, and cloud environments has made it an appealing target for attackers aiming to steal data, disrupt services, or launch broader attacks. One such campaign, run by the Red Menshen APT group, has recently been documented by Trend Micro researchers. The group was observed using several variants of the BPFDoor backdoor in attacks against Linux and cloud servers.

The group previously concentrated on Windows systems; these latest attacks indicate that it is expanding its presence on non-Windows targets.

Key findings

  • Researchers highlighted that Red Menshen APT is using Linux and Solaris variants of the malware, detected as Backdoor.Linux.BPFDOOR and Backdoor.Solaris.BPFDOOR.ZAJE, to attack companies in the telecommunications sector in Turkey and Hong Kong.
  • The malware relies on Berkeley Packet Filters (BPF): the userland implant attaches a classic BPF filter to a raw socket, and the kernel runs that filter against every frame on the interface and hands the process only the packets that carry the attacker's magic value. The backdoor therefore needs no listening port, and because a raw packet socket sees traffic before the host firewall's IP-layer rules are applied, its activation packets reach it even on firewalled Linux and Solaris hosts. Researchers noted that this technique is common in rootkits but rarely seen in backdoors.

BPFDoor evolves

One of the newer variants carries roughly six times as many BPF instructions as the samples seen in 2022, indicating active development and successful deployment of BPFDoor.
  • Most samples from 2018 to 2022 contained 30 BPF instructions, which matched magic numbers in TCP, UDP, and ICMP packets.
  • The new variants contain 39 BPF instructions and additionally check a 4-byte magic number in TCP packets.
  • Two further variants, containing 205 and 229 BPF instructions, are believed to be designed for macOS systems. Researchers are actively tracking them.

Linux systems a hotbed for attacks

  • A malware family named AVrecon was found infecting more than 70,000 Linux-based SOHO routers to launch a variety of malicious activities, including DDoS attacks.
  • Threat actors created and distributed a fake proof-of-concept (PoC) exploit for a Linux kernel vulnerability on GitHub with the aim of stealing intellectual property from researchers.
  • A Linux version of Akira ransomware enabled its operators to breach VMware ESXi servers and steal data for double extortion of victims.
  • The Tsunami botnet abused poorly secured Linux SSH servers to carry out DDoS and cryptomining attacks.

Conclusion

Network defenders are advised to keep their BPF filter analysis up to date, since the threat actors continue to evolve the filters BPFDoor uses. Standard Linux commands can also be used to find raw sockets with suspicious BPF programs attached on hosts across the organization. Security teams should use the published IOCs to identify anomalies in their networks and block them before any damage is done.
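The following script is an added example, not code from Trend Micro, Cyware, or the BPFDoor samples, and it illustrates both the magic-number filter described under the key findings and the command-line hunting recommended above. It parses the output of `ss -0pb` (AF_PACKET sockets with their owning process and attached socket filter), decodes just enough classic BPF to recognise a 4-byte magic-number check (a 32-bit load from packet data immediately followed by an equality compare) and reports sockets whose owner is not a known capture tool. The sample output, process names, PIDs, the `svcflush` owner and the magic constant are all constructed for the example; the filter-line layout follows iproute2's `0x%02x %u %u %u,` format, and the allow-list of capture tools is an assumption to be tuned per host.

```python
"""Hunt for packet sockets carrying classic-BPF filters of the kind BPFDoor uses.

Added example, not the article's or Trend Micro's code. Parses `ss -0pb` output,
groups each AF_PACKET socket with its attached filter, flags 32-bit magic-number
compares and owners that are not known capture tools. Sample data below is
constructed (process names, pids and the 0x5a5a7bd4 magic are invented).
"""
import re
import subprocess
import sys
from dataclasses import dataclass, field

# Classic BPF opcodes (linux/filter.h: class | size | mode, or class | op | src).
BPF_LD_W_ABS = 0x20   # ld  [k]     32-bit load at a fixed offset
BPF_LD_W_IND = 0x40   # ld  [x+k]   32-bit load relative to the X register
BPF_JEQ_K = 0x15      # jeq #k, jt, jf

# Owners that legitimately hold filtered packet sockets; assumption, tune per host.
KNOWN_CAPTURE_TOOLS = {"tcpdump", "dhclient", "dhcpcd", "wpa_supplicant"}
# The 2018-2022 BPFDoor filters were 30 instructions long (per the article).
SUSPICIOUS_INSN_COUNT = 30

SOCKET_RE = re.compile(
    r'^(p_\w+)\s+\d+\s+\d+\s+(\S+)\s+\S+'
    r'(?:\s+users:\(\("([^"]+)",pid=(\d+))?')
INSN_RE = re.compile(r'0x([0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\d+)')

# Constructed `ss -0pb` output; ss indents the filter line with a tab.
# First socket: a tcpdump-style "udp dst port 53" filter (ldh [x+16] is a 16-bit load).
# Third socket: IPv4/TCP, then `ld [x+34]` (4 bytes of TCP payload, assuming a
# 20-byte TCP header) compared against a constant, i.e. a 4-byte magic check.
SAMPLE = """\
Netid Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
p_raw 0      0      *:eth0              *                  users:(("tcpdump",pid=2211,fd=3))
\tbpf filter (9):  0x28 0 0 12, 0x15 0 6 2048, 0x30 0 0 23, 0x15 0 4 17, 0xb1 0 0 14, 0x48 0 0 16, 0x15 0 1 53, 0x06 0 0 262144, 0x06 0 0 0,
p_dgr 0      0      *:eth0              *                  users:(("dhclient",pid=801,fd=5))
p_raw 0      0      *:eth0              *                  users:(("svcflush",pid=31337,fd=4))
\tbpf filter (9):  0x28 0 0 12, 0x15 0 6 2048, 0x30 0 0 23, 0x15 0 4 6, 0xb1 0 0 14, 0x40 0 0 34, 0x15 0 1 1515879380, 0x06 0 0 262144, 0x06 0 0 0,
"""


@dataclass
class PacketSocket:
    netid: str
    iface: str
    process: str
    pid: int
    insns: list = field(default_factory=list)   # (code, jt, jf, k) tuples


def parse_ss_output(text):
    """Group each socket line with the `bpf filter` line that follows it."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            netid, iface, proc, pid = m.groups()
            sockets.append(PacketSocket(netid, iface, proc or "?", int(pid or 0)))
        elif line.strip().startswith("bpf filter") and sockets:
            sockets[-1].insns = [(int(c, 16), int(jt), int(jf), int(k))
                                 for c, jt, jf, k in INSN_RE.findall(line)]
    return sockets


def magic_candidates(insns):
    """Constants the filter compares against a 32-bit word loaded from the packet."""
    return [cur[3] for prev, cur in zip(insns, insns[1:])
            if prev[0] in (BPF_LD_W_ABS, BPF_LD_W_IND) and cur[0] == BPF_JEQ_K]


def triage(sockets):
    """Return (socket, reasons) for every socket that deserves a closer look."""
    findings = []
    for s in sockets:
        reasons = []
        if s.process not in KNOWN_CAPTURE_TOOLS:
            reasons.append(f"owner {s.process!r} (pid {s.pid}) is not a known capture tool")
        if len(s.insns) >= SUSPICIOUS_INSN_COUNT:
            reasons.append(f"filter is {len(s.insns)} instructions long")
        magics = magic_candidates(s.insns)
        if magics:
            reasons.append("4-byte magic compare: " + ", ".join(f"0x{k:08x}" for k in magics))
        if reasons:
            findings.append((s, reasons))
    return findings


def main():
    if "--sample" in sys.argv:
        text = SAMPLE
    else:  # live host: run as root so ss can show owners and attached filters
        text = subprocess.run(["ss", "-0pb"], capture_output=True, text=True, check=True).stdout
    for sock, reasons in triage(parse_ss_output(text)):
        print(f"{sock.netid} on {sock.iface}: " + "; ".join(reasons))


if __name__ == "__main__":
    main()
```

Run it with `--sample` to see the constructed case flagged, or without arguments as root on a host to triage live sockets. The instruction-count threshold and the 32-bit-load-then-compare pattern are deliberately loose heuristics: a long filter or a word compare is not proof of BPFDoor, but a packet socket that matches either and belongs to an unfamiliar process is worth pulling the binary for.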

Publisher

Cyware