Malware
Solaris vulnerability leveraged by BPFDoor malware to obtain root privileges

BPFDoor is a custom backdoor that has been used largely undetected for at least five years in attacks against telecommunications, government, education, and log...

25-May-2022
4 min read

According to new research into the inner workings of the stealthy BPFDoor malware for Linux and Solaris, the threat actor behind it uses an old, publicly known vulnerability to obtain root privileges on targeted Solaris hosts.

BPFDoor is a custom backdoor that has been used in attacks on telecommunications, government, education, and logistics organizations for at least five years.

The malware was discovered and first disclosed by PricewaterhouseCoopers (PwC) researchers, who attributed it to a China-based threat actor they track as Red Menshen.

PwC found BPFDoor during an incident response engagement in 2021. Closer analysis of the malware showed that it received its commands through Virtual Private Servers (VPS), which the operators reached via compromised routers located in Taiwan.

Craig Rowland, founder of Sandfly Security, and Kevin Beaumont later published detailed analyses of the malware, showing how stealthy it is: it slips past most conventional detection tooling.

BPFDoor does not need to open a listening port. It attaches a Berkeley Packet Filter to a raw socket and watches inbound traffic for a specially crafted trigger packet, so port-based firewall rules do not stop it, and it can take orders from any source IP address on the internet rather than from a fixed command-and-control server.

Utilizing a public flaw

Cybersecurity firm CrowdStrike observed a threat actor targeting the Linux and Solaris systems of telecommunications companies with the custom BPFDoor implant in order to collect personal user data, such as call detail records and data on specific phone numbers.

CrowdStrike tracks the backdoor under the name JustForFun and attributes it to an adversary it calls DecisiveArchitect, whose activity the researchers have investigated on several occasions since 2019.

"DecisiveArchitect demonstrates a high level of operational security as part of their efforts to make it more difficult for defenders to identify and examine their activities, employing a variety of defensive evasion measures." - CrowdStrike

In a report released today, the researchers describe how defenders can identify the BPFDoor implant and detail the techniques the actor uses on Solaris systems.

After gaining initial access to a Solaris 11.x system, DecisiveArchitect exploits CVE-2019-3010, a local privilege escalation vulnerability in the XScreenSaver component of Oracle Solaris 11.x, to obtain root privileges.

Exploit code for the vulnerability has been publicly available for about three years, and DecisiveArchitect appears to use it without modification.

According to the researchers, the threat actor typically starts exploiting the vulnerability "within a few minutes of the JustForFun implant placement."

On Solaris systems, the actor uses the LD_PRELOAD environment variable to achieve an effect comparable to the command-line spoofing observed on Linux hosts, CrowdStrike's researchers say.

Since April 2022, DecisiveArchitect has also used LD_PRELOAD on Linux systems, loading the BPFDoor/JustForFun implant into the legitimate /sbin/agetty process.

"The faked command line appears in programs such as ps that can be used to analyze unusual host behavior."

Manual CrowdStrike detection

Identifying BPFDoor/JustForFun implants on a Linux system can be difficult, the researchers note, because the threat actor modifies existing SysVinit scripts on the host to achieve persistence.

Simply reading the lines of the SysVinit scripts themselves is therefore unlikely to reveal a reference to the implant; every file the scripts pull in should be investigated as well.

The file names and directories used for the implant and its persistence scripts also vary from system to system, which makes detection harder still.
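The advice above, to investigate every file an init script references rather than only the script's own lines, can be automated. The following is an added example with heuristics of my own, not CrowdStrike's detection tooling: it extracts every absolute path from a SysVinit script, marks the ones the script sources (their contents execute as part of the script), and flags paths outside the directories a distribution package normally populates or containing hidden components. The sample script is constructed, an rsyslog-style init script with one planted line pointing at a made-up path.

```python
"""Audit a SysVinit script for the files it references, not just its own lines.

Added example with my own heuristics, not CrowdStrike's tooling.  The sample
script at the bottom is constructed; the planted path in it is made up."""
import os
import re

ABS_PATH = re.compile(r"(?<![\w.-])(/[\w./-]+)")
# `. file` or `source file`: the file's contents run inside the init script.
SOURCE_CMD = r"(?:^|[\s;&|])(?:\.|source)\s+{}(?=$|[\s;&|])"
# Directories a distro package normally populates; anything else deserves a look.
TRUSTED = ("/bin/", "/sbin/", "/usr/", "/lib/", "/lib64/", "/etc/",
           "/run/", "/var/run/", "/var/log/", "/var/lock/", "/dev/")


def referenced_paths(script_text):
    """Return {path: role} for every absolute path in the script.  role is
    "sourced" when the path is read in with `.`/`source`, else "referenced".
    Comment lines (including the shebang) are skipped."""
    roles = {}
    for line in script_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for path in ABS_PATH.findall(line):
            sourced = re.search(SOURCE_CMD.format(re.escape(path)), line)
            roles.setdefault(path, "sourced" if sourced else "referenced")
    return roles


def why_suspicious(path):
    reasons = []
    if not path.startswith(TRUSTED):
        reasons.append("outside the package-managed tree")
    if any(part.startswith(".") for part in path.split("/")):
        reasons.append("hidden path component")
    return reasons


def audit_init_script(script_text):
    """Return {path: {"role": ..., "reasons": [...]}} for paths that deserve a
    look: everything sourced (its contents execute) plus anything that looks odd."""
    report = {}
    for path, role in referenced_paths(script_text).items():
        reasons = why_suspicious(path)
        if role == "sourced" or reasons:
            report[path] = {"role": role, "reasons": reasons}
    return report


def audit_directory(init_dir="/etc/init.d"):
    """Run the audit over every script in an init directory on a live host."""
    results = {}
    for name in sorted(os.listdir(init_dir)):
        full = os.path.join(init_dir, name)
        if os.path.isfile(full):
            with open(full, errors="replace") as f:
                results[full] = audit_init_script(f.read())
    return results


# Constructed sample: a normal-looking rsyslog init script with one planted line.
SAMPLE_SCRIPT = """#!/bin/sh
### BEGIN INIT INFO
# Provides:          rsyslog
### END INIT INFO
. /lib/lsb/init-functions
RSYSLOGD_BIN=/usr/sbin/rsyslogd
PIDFILE=/var/run/rsyslogd.pid
[ -r /etc/default/rsyslog ] && . /etc/default/rsyslog
case "$1" in
  start)
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $RSYSLOGD_BIN -- $RSYSLOGD_OPTIONS
    /var/tmp/.font-unix/.kcache >/dev/null 2>&1 &
    ;;
esac
"""

if __name__ == "__main__":
    for path, info in audit_init_script(SAMPLE_SCRIPT).items():
        print(path, info["role"], "; ".join(info["reasons"]))
```

Sourced files are always listed even when their path looks normal, because a modified /etc/default/<service> file is as good a persistence hook as the init script itself; the package-tree check is only a first filter, and anything it flags should be compared against the package manager's file list (dpkg -S or rpm -qf) and its recorded checksums.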

CrowdStrike provides a set of commands that can help defenders determine whether BPFDoor is present on a host by finding running processes that hold an open raw socket:

On Linux, lsof can be used to list the open files, including sockets, associated with a process ID, and it will also show the spoofed command line.

On Solaris, the commands iterate over every process, looking for strings that indicate the process is running a packet filter and for processes that have loaded the libpcap library.

These commands cannot conclusively reveal the implant on their own, but they are useful for deciding whether suspicious activity warrants further investigation.
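The two Linux tells described on this page, a process holding a raw or packet socket (the socket a BPF filter is attached to, which is how the implant listens without opening a port) and a command line that disagrees with the binary actually running, can be checked programmatically from /proc instead of by eye with lsof and ps. The following is an added example, not CrowdStrike's or Sandfly's tooling: it parses /proc/net/packet and /proc/net/raw for socket inodes, matches them against each process's open file descriptors, and compares argv[0] with the /proc/<pid>/exe target. The sample /proc contents and process entries are constructed; the deleted-binary path in them is made up.

```python
"""Triage Linux processes for BPFDoor-style tells, working from /proc.

Added example, not CrowdStrike's or Sandfly's tooling.  Finds processes that
hold a raw/packet socket and processes whose argv[0] disagrees with the
running executable.  The sample data at the end is constructed."""
import os
import re
from dataclasses import dataclass

SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")
# Field holding the socket inode in a data row of /proc/net/packet (last) and
# /proc/net/raw or raw6 (10th: data rows print tx_queue:rx_queue and
# tr:tm->when fused, so they carry two fields fewer than the header).
INODE_FIELD = {"packet": -1, "raw": 9, "raw6": 9}


def socket_inodes_from_table(table_text, kind):
    """Return the socket inodes listed in a /proc/net/{packet,raw,raw6} dump."""
    col, inodes = INODE_FIELD[kind], set()
    for line in table_text.splitlines()[1:]:           # first line is the header
        fields = line.split()
        if len(fields) > abs(col):
            inodes.add(int(fields[col]))
    return inodes


@dataclass
class ProcSnapshot:
    pid: int
    cmdline: list     # argv from /proc/<pid>/cmdline (what ps prints)
    exe: str          # readlink(/proc/<pid>/exe); ends in " (deleted)" if unlinked
    fd_targets: list  # readlink() of every entry under /proc/<pid>/fd


def cmdline_mismatch(p):
    """argv[0] names a different program than the running executable.  Login
    shells ("-bash") and versioned interpreter links (python3 -> python3.10)
    are tolerated; a deleted executable is always reported."""
    if not p.cmdline or not p.cmdline[0]:
        return False                                   # kernel thread
    if p.exe.endswith(" (deleted)"):
        return True
    argv0 = os.path.basename(p.cmdline[0]).lstrip("-")
    exe = os.path.basename(p.exe)
    return not (exe.startswith(argv0) or argv0.startswith(exe))


def triage(procs, filter_inodes):
    """Return [(pid, [reasons])] for every process worth a closer look."""
    findings = []
    for p in procs:
        held = {int(m.group(1)) for m in map(SOCKET_LINK.match, p.fd_targets) if m}
        reasons = []
        if held & filter_inodes:
            reasons.append("holds raw/packet socket")
        if cmdline_mismatch(p):
            reasons.append("cmdline disagrees with exe")
        if reasons:
            findings.append((p.pid, reasons))
    return findings


def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:
        return ""


def scan_live():
    """Same checks against the real /proc (Linux; run as root to see everything)."""
    inodes = set()
    for kind in INODE_FIELD:
        if os.path.exists(f"/proc/net/{kind}"):
            inodes |= socket_inodes_from_table(open(f"/proc/net/{kind}").read(), kind)
    procs = []
    for name in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{name}"
        try:
            argv = open(f"{base}/cmdline", "rb").read().split(b"\0")
            fds = [_readlink(f"{base}/fd/{fd}") for fd in os.listdir(f"{base}/fd")]
        except OSError:
            continue                         # exited meanwhile, or not ours to read
        argv = [a.decode(errors="replace") for a in argv if a]
        procs.append(ProcSnapshot(int(name), argv, _readlink(f"{base}/exe"), fds))
    return triage(procs, inodes)


# Constructed sample inputs in the layout of /proc/net/packet and /proc/net/raw.
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3c4e1b1800 3      3    0003   2     1 0      0      48122
"""
SAMPLE_RAW = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 48130 2 0000000000000000 0
"""
SAMPLE_PROCS = [
    ProcSnapshot(900, ["/usr/sbin/sshd", "-D"], "/usr/sbin/sshd", ["socket:[3101]"]),
    # agetty hosting a preloaded implant: cmdline and exe look right, only the socket tells
    ProcSnapshot(1402, ["/sbin/agetty", "--noclear", "tty1"], "/sbin/agetty",
                 ["/dev/tty1", "socket:[48122]"]),
    # process posing as sshd while running an unlinked binary (made-up path)
    ProcSnapshot(2210, ["/usr/sbin/sshd", "-D"], "/var/tmp/.cache/x (deleted)",
                 ["socket:[48130]"]),
]

if __name__ == "__main__":
    inodes = (socket_inodes_from_table(SAMPLE_PACKET, "packet")
              | socket_inodes_from_table(SAMPLE_RAW, "raw"))
    for pid, why in triage(SAMPLE_PROCS, inodes):
        print(pid, "; ".join(why))
```

A packet socket is not proof of compromise: tcpdump, dhclient and some monitoring agents legitimately hold one, so, as the page says of CrowdStrike's own commands, the output is a list of processes to examine, not a verdict. Run scan_live() as root, since /proc/<pid>/fd and /proc/<pid>/exe of other users' processes are unreadable otherwise.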

CrowdStrike's report also provides a list of indicators of compromise for Linux and Solaris systems, along with two Windows executables whose purpose is not yet known.

According to the researchers, the threat actor behind BPFDoor interacts with Windows machines during the early stages of an intrusion, although they did not find any implant built specifically for that operating system.