Cybersecurity researchers have unearthed a new controller component associated with a known backdoor called BPFDoor as part of cyber attacks targeting telecommunications, finance, and retail sectors in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt in 2024.
“The controller could open a reverse shell,” Trend Micro researcher Fernando Mercês said in a technical report published earlier in the week. “This could allow lateral movement, enabling attackers to enter deeper into compromised networks, allowing them to control more systems or gain access to sensitive data.
The campaign has been attributed with medium confidence to a threat group it tracks as Earth Bluecrow, which is also known as DecisiveArchitect, Red Dev 18, and Red Menshen. The lower confidence level boils down to the fact that the BPFDoor malware source code was leaked in 2022, meaning it could also have bee adopted by other hacking groups.
BPFDoor is a Linux backdoor that first came to light in 2022, with the malware positioned as a long-term espionage tool for use in attacks targeting entities in Asia and the Middle East at least a year prior to public disclosure.
The most distinctive aspect of the malware is that it creates a persistent-yet-covert channel for threat actors to control compromised workstations and access sensitive data over extended periods of time.
The malware gets its name from the use of Berkeley Packet Filter (BPF), a technology that allows programs to attach network filters to an open socket in order to inspect incoming network packets and monitor for a specific Magic Byte sequence so as to spring into action.
“Because of how BPF is implemented in the targeted operating system, the magic packet triggers the backdoor despite being blocked by a firewall,” Mercês said. “As the packet reaches the kernel’s BPF engine, it activates the resident backdoor. While these features are common in rootkits, they are not typically found in backdoors.”
The latest analysis from Trend Micro has found that the targeted Linux servers have also been infected by a previously undocumented malware controller that’s used to access other affected hosts in the same network after lateral movement.
“Before sending one of the ‘magic packets’ checked by the BPF filter inserted by BPFDoor malware, the controller asks its user for a password that will also be checked on the BPFDoor side,” Mercês explained.
In the next step, the controller directs the compromised machine to perform one of the below actions based on the password provided and the command-line options used –
Open a reverse shell
Redirect new connections to a shell on a specific port, or
Confirm the backdoor is active
It’s worth pointing out that the password sent by the controller must match one of the hard-coded values in the BPFDoor sample. The controller, besides supporting TCP, UDP, and ICMP protocols to commandeer the infected hosts, can also enable an optional encrypted mode for secure communication.
Furthermore, the controller supports what’s called a direct mode that enables the attackers to directly connect to an infected machine and obtain a shell for remote access – but only when provided the right password.
“BPF opens a new window of unexplored possibilities for malware authors to exploit,” Mercês said. “As threat researchers, it is a must to be equipped for future developments by analyzing BPF code, which will help protect organizations against BPF-powered threats.”
