BPFDoor is a Linux/Unix backdoor that allows threat actors to remotely connect t...
BPFDoor is a Linux backdoor that has been quietly targeting Linux and Solaris systems for more than five years. It lets threat actors remotely reach a shell on a compromised host, with full control of the device, without opening any new network port or adding any firewall rule.
Kevin Beaumont brought this backdoor, attributed to the Chinese threat actor Red Menshen, to public attention after its source code was posted [anonymously](https://pastebin.com/kmmJuuQP). In his [blog](https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896) he explains that the backdoor has been operational worldwide for years, with perhaps tens of thousands of infections.
Because the malware needs no open port, ordinary firewall rules do not stop it. It accepts commands from any IP address on the internet, which makes it well suited to corporate espionage and long-term persistent access.
The BPFDoor source is concise, targeted and well written. The sample we reviewed was Linux-specific, but it could be ported to other platforms with minor modifications (a Solaris binary reportedly exists). BPF is available on many operating systems, and the core shell functionality would work on most of them with little change.
The dynamically linked binary is small at about 35K on Ubuntu:
`-rwxr-xr-x 1 root root 34952 May 11 00:03 bpfdoor`
Statically linked it would grow to roughly 1 MB, but the dynamically linked build should run on most modern Linux distributions. Cross-compilation for other CPU architectures is also straightforward, so the implant can be expected to run on embedded Linux systems as well.
The implant itself has no persistence mechanism; it is specialised for a single job. Persistence has to be established by other means, such as rc or init scripts or cron jobs. The report cited above notes that persistence scripts were found alongside it.
On Linux the implant stages itself in /dev/shm. This is a RAM-backed tmpfs whose contents are lost at every reboot, so to survive a reboot the implant must also be stored elsewhere on the host or be dropped again remotely.
When incident response teams find this implant running, they should assume the real binary is stored somewhere on the file system. Review every boot script for unusual references to binaries or paths.
The binary copies itself to /dev/shm/kdmtmpflush, a path that exists only in RAM and is wiped at each reboot. A distinctive detail is that, before deleting the copy, the implant timestomps it with a fixed, fake timestamp:

```c
/* From the implant source: a fixed timeval used to backdate the copied binary */
tv.tv_sec = 1225394236;  /* 2008-10-30 19:17:16 UTC */
tv.tv_usec = 0;
```
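The epoch value above is 2008-10-30 19:17:16 UTC. As an added example (not BPFDoor's code and not from the original analysis), the script below reproduces the same timestomp on a scratch file and shows the check a responder can run against a suspect file: `touch -d` goes through the utimensat(2) family, which sets atime and mtime but cannot set ctime, because the kernel stamps ctime with the current time on every inode change, including the timestamp change itself. It assumes GNU touch and stat on Linux; the scratch file path is constructed for the demo.

```sh
#!/bin/sh
# Added example for this article; it is not BPFDoor's code. It reproduces the
# implant's timestomp on a scratch file and shows why ctime gives it away.
# Assumptions: GNU touch/stat (Linux); the epoch value is the one from the
# implant source (1225394236 = 2008-10-30 19:17:16 UTC).

FAKE_EPOCH=1225394236

# Backdate atime and mtime of $1 the way the implant does.
# This cannot touch ctime: the kernel sets ctime to "now" on the change.
timestomp() {
    touch -d "@$FAKE_EPOCH" "$1"
}

# Return 0 (and print SUSPECT) when mtime is older than ctime by more than
# $2 seconds (default one day); return 1 otherwise. A file written normally
# has mtime == ctime at the moment of its last write.
timestomp_check() {
    local mtime ctime slack
    slack=${2:-86400}
    mtime=$(stat -c %Y "$1") || return 1
    ctime=$(stat -c %Z "$1") || return 1
    if [ $((ctime - mtime)) -gt "$slack" ]; then
        echo "SUSPECT $1 mtime=$mtime ctime=$ctime"
        return 0
    fi
    echo "OK $1 mtime=$mtime ctime=$ctime"
    return 1
}

# Demonstration on a constructed scratch file: write it, stomp it, check it.
demo_timestomp() {
    local f rc
    f=$(mktemp) || return 1
    echo "payload" > "$f"
    timestomp "$f"
    timestomp_check "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

demo_timestomp
```

`stat` reports ctime on its "Change" line. The check catches this particular technique only: an attacker with root can still defeat it by winding the system clock back before touching the file, or by editing the inode directly with debugfs, so a clean result is not proof that a file is untouched. The copy in /dev/shm disappears at reboot anyway; the check matters for the persistent copy you locate through the boot scripts.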
## PID File
The implant creates an empty PID file at /var/run/haldrund.pid. The file is removed when the implant exits normally, but it may be left behind after a hard shutdown or crash. If the file is present the implant will not start, since it treats the file as a sign that another instance is already running. The path is therefore a useful indicator for responders.
## Binary Deletion
The binary deletes itself after it starts, which complicates recovery. Recovering a deleted process binary on Linux is nonetheless straightforward while the process is still running (see our article on how to do it), since /proc/PID/exe still refers to the unlinked file. The main purpose of the deletion is to hide the binary from malware scanners that only scan files on disk. If the persistent copy is hidden or encrypted elsewhere on the device, locating it can be difficult.
On Linux, however, a running process whose binary has been removed is highly suspicious in itself. The following command lists every process whose executable the kernel marks as deleted:
`ls -alR /proc/*/exe 2> /dev/null | grep deleted`
## Masquerading Tactics
The implant renames itself at runtime to one of several hard-coded names, for example:
`hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event`
`pickup -l -t fifo -u`
`avahi-daemon: chroot helper`
These names are chosen to resemble ordinary Linux system daemons. The implant overwrites its own argv in memory, which is what the /proc filesystem exposes as the command line and command name of each process. As a result, tools such as ps display the fake name. Below, the process is running under the alias dbus-daemon --system.
![Bpfdoor ps listing.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Bpfdoor_ps_listing_f8aab890fd.jpg)
This masquerading technique is old, and it does fool ps, but the true executable remains visible in Sandfly alongside the masked name. A mismatch between a process's real executable and its command-line values is itself a strong indicator that something is wrong.
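Both the deleted-binary check in the previous section and the argv mismatch described here can be scripted from /proc. The script below is an added example for this article, not code from the original page, from Sandfly or from BPFDoor. It relies on /proc/PID/exe, which the kernel sets at exec time and which a process cannot change with a simple memory write (changing it requires prctl(PR_SET_MM) with CAP_SYS_RESOURCE). The proc root is a parameter so the functions can be exercised against a constructed tree; on a live host, reading other users' exe links needs root.

```sh
#!/bin/sh
# Added example for this article, not code from the original page or from
# BPFDoor. Two /proc checks: a running process whose executable has been
# unlinked, and a process whose argv[0] disagrees with the executable the
# kernel actually loaded. The proc root is a parameter so the functions can
# run against a constructed tree; resolving other users' exe links on a live
# host requires root.

# Print "PID TARGET" for every process whose exe link ends in " (deleted)".
find_deleted_exe() {
    local procroot exe target pid
    procroot=${1:-/proc}
    for exe in "$procroot"/[0-9]*/exe; do
        [ -L "$exe" ] || continue
        target=$(readlink "$exe" 2>/dev/null) || continue
        pid=${exe%/exe}
        pid=${pid##*/}
        case $target in
            *" (deleted)") echo "$pid $target" ;;
        esac
    done
}

# Print "PID exe=... argv0=..." when the basename of argv[0] (the first
# NUL-terminated string in /proc/PID/cmdline) differs from the basename of
# the loaded executable. Interpreters (argv0 python3, exe python3.11) and
# daemons that rewrite their own title (sshd, postfix) also show up, so the
# output is a triage list, not a verdict.
masquerade_check() {
    local procroot dir pid exe exe_base argv0 argv_base
    procroot=${1:-/proc}
    for dir in "$procroot"/[0-9]*; do
        [ -L "$dir/exe" ] || continue
        [ -r "$dir/cmdline" ] || continue
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        exe=${exe%" (deleted)"}
        argv0=$(tr '\0' '\n' < "$dir/cmdline" | head -n 1)
        [ -n "$argv0" ] || continue
        # A spoofed argv[0] may carry fake arguments ("dbus-daemon --system");
        # keep only the first word, then strip directories from both sides.
        argv_base=${argv0%% *}
        argv_base=${argv_base##*/}
        exe_base=${exe##*/}
        pid=${dir##*/}
        if [ "$argv_base" != "$exe_base" ]; then
            echo "$pid exe=$exe argv0=$argv0"
        fi
    done
}

# Run both checks against the live system when executed directly.
if [ -d /proc/1 ]; then
    find_deleted_exe /proc
    masquerade_check /proc
fi
```

Run it as root and review every line it prints: a deleted executable under /dev/shm, or a process whose exe is a deleted file while its argv[0] claims to be a system daemon, matches the behaviour described above exactly.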
Tristan Pourcelot of the [threat intelligence](https://exatrack.com/public/Tricephalic_Hellkeeper.pdf) and incident response company [Exatrack](https://exatrack.com/) noted in a technical analysis of BPFDoor that the malware carries several hard-coded names, and that command strings in the triggering packet select what it does:
- Justtryit, Justrobot and Justforfun open a bind shell on a port in the range 42391 to 42491
- Socket or socket TCP opens a reverse shell to an IP address carried in the packet
Renaming the binary so that it looks like an ordinary Linux daemon is thus one part of BPFDoor's wider strategy for evading detection.
## Bind Shell Backdoor That Bypasses the Firewall
The malware uses a Berkeley Packet Filter (the BPF in its name) sniffer bound to the network interface, which lets it observe all traffic reaching the host and send packets to any destination.
Because the sniffer receives packets at that level, before the host firewall (netfilter) evaluates its rules, firewall rules do not apply to the trigger packet.
The implant exists for Linux and Solaris SPARC and could be adapted to BSD. The operators also use a "magic" password to control its behaviour.
BPFDoor parses only ICMP, UDP and TCP packets, checking each for a specific magic value and, for UDP and TCP, a password.
What distinguishes BPFDoor is that it can watch for the magic packet on any port, including ports already in use by legitimate services such as web servers, FTP or SSH, because the sniffer sees the packet whether or not a service is bound to that port.
When a TCP or UDP packet carries the correct magic data and a valid password, the backdoor activates and runs the requested command, such as opening a bind or reverse shell.
![Firewall redirect diagram.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Firewall_redirect_diagram_8fd755fffb.jpg)
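One consequence of the design just described is that the implant must hold an AF_PACKET socket for as long as it waits for its trigger, and the kernel lists every such socket in /proc/net/packet. The script below is an added example for this article (not from the original page or from BPFDoor) that maps each listed socket back to the process holding it through /proc/PID/fd. The proc root is a parameter so the function can be run against a constructed tree; resolving other processes' fd links on a live host requires root.

```sh
#!/bin/sh
# Added example for this article, not code from the original page or from
# BPFDoor. Lists the owners of AF_PACKET sockets by joining /proc/net/packet
# against /proc/PID/fd. The proc root is a parameter so the function can be
# run against a constructed tree; on a live host, run as root.

# /proc/net/packet columns: sk RefCnt Type Proto Iface R Rmem User Inode.
# Type 3 is SOCK_RAW (2 is SOCK_DGRAM); Proto is the ethertype in hex
# (0003 = ETH_P_ALL, 0800 = IPv4).
packet_socket_owners() {
    local procroot sk refcnt type proto iface r rmem user inode fd target pid
    procroot=${1:-/proc}
    [ -r "$procroot/net/packet" ] || return 1
    # Skip the header line, then look for an fd link "socket:[INODE]" in
    # every process for each listed socket inode.
    tail -n +2 "$procroot/net/packet" |
    while read -r sk refcnt type proto iface r rmem user inode; do
        [ -n "$inode" ] || continue
        for fd in "$procroot"/[0-9]*/fd/*; do
            target=$(readlink "$fd" 2>/dev/null) || continue
            if [ "$target" = "socket:[$inode]" ]; then
                pid=${fd%/fd/*}
                pid=${pid##*/}
                echo "$pid inode=$inode type=$type proto=$proto"
            fi
        done
    done
}

# Run against the live system when executed directly.
if [ -d /proc/1 ]; then
    packet_socket_owners /proc
fi
```

On a live host, `ss -0pb` from iproute2 gives the same owner list together with the classic BPF program attached to each socket, which is the filter the implant uses to pick its magic packet out of the stream. DHCP clients, tcpdump and some network-management agents hold packet sockets legitimately; a packet socket owned by a process whose executable has been deleted, or whose name does not match its command line, is the combination to look for.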
Researchers identified BPFDoor activity on the networks of organisations in several regions, including the United States, South Korea, Hong Kong, Turkey, India, Vietnam and Myanmar.
Surprisingly, 11 Speedtest servers were also found to be infected. According to the researcher it is not known how these devices were compromised, since they run closed-source software.
## Conclusion
This implant is well executed, combining environment anti-forensics, timestomping and process masquerading. BPF packet capture lets remote operators control it while bypassing the local firewall, and its redirect capability is particularly dangerous because it blends malicious traffic with legitimate traffic on an infected host's exposed ports.
The code reveals little about its authors, but it was clearly written by someone experienced at evading detection.