CyberSecurity news


Anna Ribeiro @ Industrial Cyber
Trend Micro researchers have uncovered a novel controller linked to the BPFDoor backdoor, enabling stealthy reverse shell attacks on Linux servers across Asia and the Middle East. This previously unseen controller is attributed to the Red Menshen advanced persistent threat (APT) group, tracked by Trend Micro as Earth Bluecrow. The attacks, observed in the telecommunications, finance, and retail sectors, have been documented in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt. This discovery highlights the ongoing cyberespionage activities leveraging sophisticated and evasive techniques to compromise Linux systems.

The controller's primary function is to open a reverse shell on compromised systems, which allows attackers to move laterally within the network, control additional systems, and access sensitive data. BPFDoor uses the packet filtering features of the Berkeley Packet Filter (BPF) to inspect network packets, using "magic sequences" to activate the backdoor. This method allows BPFDoor to evade traditional security measures, making it a perfect tool for long-term espionage, as casual security sweeps won’t detect anything unusual. The malware can also change its process name and does not listen on any port, further masking its presence.

Trend Micro's investigation indicates that BPFDoor has been active since at least 2021, with consistent campaigns targeting Linux servers across multiple industries. The attackers are known to hide malware in non-standard paths, such as /tmp/zabbix_agent.log or /bin/vmtoolsdsrv. Defenders are advised to monitor for TCP packets starting with 0x5293, followed by an IP:port and a password, as well as for the UDP/ICMP magic packets. While static indicators are unreliable, because the magic packets are customizable and the passwords vary, proactive network monitoring and analysis of BPF code are crucial for protecting organizations against BPF-powered threats.
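As an added illustration of the monitoring advice above (this is example code, not Trend Micro's or the article's), a small Python check that flags TCP payloads beginning with 0x5293 and pulls out the IP:port and password that follow. The article does not give the byte order or field widths after the magic, so the layout used here is an assumption, and the sample flows are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# The article reports the TCP activation packet starts with 0x5293, followed
# by an IP:port and a password. Byte order and exact field widths are NOT
# given there; the layout below is an assumption made for this example.
TCP_MAGIC = b"\x52\x93"      # 0x5293 as two bytes on the wire (assumed order)
IP_LEN, PORT_LEN = 4, 2       # assumed: raw IPv4, then big-endian port


@dataclass
class MagicPacketHit:
    src: str
    dst: str
    callback_ip: str
    callback_port: int
    password: bytes


def parse_magic_payload(payload: bytes) -> Optional[Tuple[str, int, bytes]]:
    """Return (callback_ip, callback_port, password) when the TCP payload
    matches the assumed layout magic(2)|IPv4(4)|port(2)|password, else None."""
    header_len = len(TCP_MAGIC) + IP_LEN + PORT_LEN
    if len(payload) < header_len or not payload.startswith(TCP_MAGIC):
        return None
    ip_raw, port = struct.unpack("!4sH", payload[len(TCP_MAGIC):header_len])
    password = payload[header_len:].split(b"\x00", 1)[0]  # NUL-terminated
    return str(ipaddress.IPv4Address(ip_raw)), port, password


def scan_flows(flows: Iterable[Tuple[str, str, bytes]]) -> List[MagicPacketHit]:
    """Run the check over (src, dst, tcp_payload) tuples and collect hits.
    The extracted IP:port is the callback address, the indicator worth
    pivoting on in firewall and NetFlow logs."""
    hits = []
    for src, dst, payload in flows:
        parsed = parse_magic_payload(payload)
        if parsed:
            hits.append(MagicPacketHit(src, dst, *parsed))
    return hits


# Constructed sample traffic (not real captures): one benign HTTP request and
# one packet built to the assumed activation layout.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.0.0.5", "10.0.0.20", TCP_MAGIC + ipaddress.IPv4Address("198.51.100.7").packed
     + struct.pack("!H", 4444) + b"example-pass\x00\x00"),
]

for hit in scan_flows(SAMPLE_FLOWS):
    print(f"ALERT {hit.src}->{hit.dst}: callback {hit.callback_ip}:{hit.callback_port}")
```

Because the magic bytes and password are customizable per campaign, treat the matched prefix as one tunable parameter rather than a fixed signature.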

References:
  • securityonline.info: BPFDoor Backdoor Used in Asia, Middle East Cyberespionage
  • Virus Bulletin: Trend Micro's Fernando Mercês writes about BPFDoor, a state-sponsored backdoor designed for cyberespionage activities targeting the telecommunications, finance and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia and Egypt.
  • www.trendmicro.com: BPFDoor’s new hidden controller emerges! Attackers can open reverse shells or direct port for stealth access on Linux servers.
  • gbhackers.com: A new wave of cyber espionage attacks has brought BPFDoor malware into the spotlight as a stealthy and dangerous tool for compromising networks.
  • Cyber Security News: Stealthy Rootkit-Like Malware Known as BPFDoor Using Reverse Shell to Dig Deeper into Compromised Networks
  • gbhackers.com: BPFDoor Malware Uses Reverse Shell to Expand Control Over Compromised Networks
  • industrialcyber.co: Trend Micro details BPFDoor controller used in stealthy reverse shell attacks on telecom, finance, and retail
  • www.scworld.com: Novel BPFDoor backdoor component facilitates covert attacks
  • sra.io: BPFDoor’s Hidden Controller Enables Stealthy Lateral Movement in Linux Server Attacks
  • The Hacker News: New BPFDoor Controller Enables Stealthy Lateral Movement in Linux Server Attacks
Classification:
  • HashTags: #BPFDoor #LinuxSecurity #Cyberespionage
  • Company: Trend Micro
  • Target: telecom, finance, and retail
  • Product: BPFDoor
  • Feature: reverse shell
  • Malware: BPFDoor
  • Type: Malware
  • Severity: Major