ARN

Stealthy Linux implant BPFdoor has compromised businesses for years, notably in Vietnam

China-linked backdoor takes advantage of the Berkeley Packet Filter on Unix systems to hide its presence.

Malware researchers warn about a stealthy backdoor program that has been used by a Chinese threat actor to compromise Linux servers at government and private organisations around the world, including Vietnam and Myanmar.

While the backdoor is not new and variants have been in use for the past five years, it has managed to fly under the radar and have very low detection rates. One reason for its success is that it leverages a feature called the Berkeley Packet Filter (BPF) on Unix-based systems to hide malicious traffic.

BPFdoor was named by researchers from PwC Threat Intelligence who attribute it to a Chinese group they call Red Menshen. The PwC team found the threat while investigating several intrusions throughout Asia last year and included a short section about it in their annual threat report released late last month.

This short mention didn't get a lot of attention until independent security researcher Kevin Beaumont shared the link to a malware sample with low detection rate on VirusTotal a few days ago. 

This prompted confirmation by the PwC team that what Beaumont found was a controller for the passive BPFdoor backdoor. This then prompted a more detailed write-up by Beaumont who was also independently tracking the malware since last year.

"I swept the internet for BPFDoor throughout 2021 and discovered it is installed at organisations across the globe -- in particular the U.S., South Korea, Hong Kong, Turkey, India, Vietnam and Myanmar, and is highly evasive," Beaumont said in a blog post. "These organisations include government systems, postal and logistic systems, education systems and more."

How BPFdoor abuses BPF

While the PwC researchers plan to share more details about the backdoor at a conference in June, other researchers, including Beaumont, have already located more samples on VirusTotal potentially uploaded by victims or other parties over the years. 

In addition to the samples, the source code of an older variant of the backdoor was posted online and was analysed by Linux intrusion detection and incident response firm Sandfly Security.

"The BPFDoor source is small, focused and well written," the Sandfly researchers said. "While the sample we reviewed was Linux specific, with some small changes it could easily be ported to other platforms (a Solaris binary reportedly exists). BPF is widely available across operating systems and the core shell functions would likely work across platforms with little modification."

To be deployed on a system effectively, the malware needs to be executed with root privileges. This suggests that the attackers are compromising the infected servers using other techniques, potentially by exploiting vulnerabilities.

Once executed, the backdoor first performs several detection-evasion and anti-forensics steps. This involves copying itself to the Linux ramdisk, altering timestamps, setting itself up to masquerade as a legitimate process running on the system, and deleting certain environment data for process execution that could be useful to forensics tools. 

According to the Sandfly researchers, the backdoor doesn't have a persistence mechanism or routine built-in, so this is likely achieved by attackers manually by deploying persistence scripts.

Once running on a system, the backdoor loads a BPF filter, which allows it to monitor network packets arriving on the system on various protocols such as ICMP (ping), TCP and UDP. The goal of this filter is to discard all packets and only process ones that have a magic value in their header accompanied by a password. These packets are used by the attackers to open remote shells on the infected systems.

"The relevance of the BPF filter and packet capture is that it is sniffing traffic at a lower level than the local firewall," the researchers explained. 

"This means that even if you run a firewall the implant will see, and act upon, any magic packet sent to the system. The firewall running on the local host will not block the implant from having this visibility. This is an important point to understand."

What it means in practice is that if for example, the system firewall is configured to only allow connections to a web application running on the server on port 443 (HTTPS), for example, external attackers can use this to send a so-called magic packet and activate the backdoor without the firewall being able to block it. In other words, it piggybacks on legitimate network traffic that's already allowed on the system.

Furthermore, when the encrypted magic packet is received the backdoor will open a root shell on a high port locally on the system and will use the iptables Linux firewall to set a rule that redirects all traffic originating from the attacker's IP address to the shell port. 

So once the backdoor is activated, if the attackers connect again to the system over port 443, they will instead be greeted with a root shell instead of the web application. Requests from all other IP addresses and legitimate users will continue to be handled normally and be sent to the web application.

Instead of waiting for attackers to connect to the shell, the backdoor can also set up a reverse shell that actively connects back to the attackers, but this is more easily detected if the system is configured to block outgoing connections.

"The use of BPF and packet capture provides a way to bypass local firewalls to allow remote attackers to control the implant," the researchers said. "Finally, the redirect feature is unique and very dangerous as it can make malicious traffic blend in seamlessly with legitimate traffic on an infected host with exposed ports to the internet.

How to detect BPFdoor

According to PwC's report, the Red Menshen group uses a variety of post-exploitation tools for lateral movement inside corporate networks after gaining a foothold with BPFdoor. 

This includes custom variants of the Mangzamel and Gh0st Windows Trojan programs, as well as open-source tools such as Mimikatz and Metasploit. The attackers use virtual private servers hosted at well-known providers to control the BPFDoor implants and also rely on compromised routers in Taiwan to connect to and manage those servers.

Beaumont and researcher Florian Roth have both shared YARA rules that can be used to scan for different BPFDoor samples inside environments. The Sandfly Security researchers have also shared indicators of compromise and hunting tactics in their analysis warning that simply searching for file hashes is not reliable since malicious binaries can easily be recompiled and changed on Linux.

It's also worth noting that the abuse of BPF, while rare, is not new. In February, a Chinese cybersecurity firm called Pangu Lab released a report on a backdoor implant they attributed to the U.S. National Security Agency (NSA) and dubbed Bvp47. 

That implant also relied on BPF to establish a covert communication channel. Beaumont warned at the time that the cybersecurity industry seemed to ignore the significance and potential dangers of BPF and eBPF (extended BPF) being used to evade detection.