BPFDoor Controller
Cybersecurity researchers have identified a new controller component linked to the notorious BPFDoor backdoor. This latest discovery comes amid ongoing cyberattacks targeting telecommunications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia and Egypt in 2024.
Digging Deeper: Reverse Shell and Lateral Movement Capabilities
The newly discovered controller can open a reverse shell, which is a powerful tool for attackers. This functionality enables lateral movement—allowing cybercriminals to dig deeper into compromised networks, take control of more systems, and potentially access sensitive data.
Attribution Puzzle: Who’s Behind the Curtain?
These attacks have been tentatively linked to a threat group dubbed Earth Bluecrow, also known by aliases like DecisiveArchitect, Red Dev 18, and Red Menshen. However, this attribution comes with medium confidence. The reason? BPFDoor's source code was leaked in 2022, meaning other threat actors may now be leveraging it as well.
BPFDoor: A Persistent and Covert Espionage Tool
BPFDoor is a Linux backdoor first exposed in 2022, though it had already been in use for at least a year, targeting organizations in Asia and the Middle East. What sets it apart is its ability to maintain long-term, covert access to compromised machines—perfect for espionage operations.
How It Works: The Magic of the Berkeley Packet Filter
The malware's name comes from its use of the Berkeley Packet Filter (BPF). BPF allows the software to inspect incoming network packets for a specific 'Magic Byte' sequence. When this unique pattern is detected, it triggers the backdoor—even if a firewall is in place. This is due to how BPF operates at the kernel level, bypassing traditional firewall protections. While common in rootkits, this technique is rare in backdoors.
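Because the implant receives its trigger through a kernel-level packet filter rather than a listening port, a port scan or firewall log will not show it. One hunting signal a defender can use is the raw packet socket the filter has to be attached to. The helper below is an added example, not code from the article or from any vendor report: it parses the /proc/net/packet table (the sample text is constructed here, in the column layout Linux uses), maps socket inodes to owning processes (the mapping is constructed too; on a live host it comes from walking /proc/<pid>/fd), and reports raw sockets held by processes outside an assumed allowlist. Process names, PIDs and inode numbers are all made up for the example.

```python
"""Hunting helper: flag processes that hold raw AF_PACKET sockets.

A BPFDoor-style implant watches for its 'magic packet' through a raw
packet socket with a BPF filter attached, so an unexpected process that
owns such a socket deserves a closer look. Added example with constructed
sample data; not the original article's code.
"""
from dataclasses import dataclass

SOCK_RAW = 3          # value of the Type column for SOCK_RAW sockets
ETH_P_ALL = 0x0003    # Proto column value meaning "every Ethernet frame"

# Assumed allowlist of processes that legitimately open raw packet sockets.
# Tune this per host; anything not listed is reported.
EXPECTED_RAW_SOCKET_OWNERS = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager"}

# Constructed sample of /proc/net/packet (same columns as on Linux).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1d3c2e1800 3      3    0003   2     1 0      0      41237
ffff9a1d3c2e2c00 3      2    0003   0     1 0      0      41300
ffff9a1d3c2e4000 3      3    0003   2     1 0      0      41555
"""

# Constructed inode -> (pid, comm) map, standing in for a walk of /proc/*/fd.
# "cron-helper" is a made-up name, not a real indicator.
SAMPLE_INODE_OWNERS = {
    41237: (812, "tcpdump"),
    41300: (933, "dhclient"),
    41555: (2041, "cron-helper"),
}


@dataclass
class PacketSocket:
    sock_type: int
    proto: int
    iface_index: int
    inode: int


def parse_proc_net_packet(text):
    """Parse the /proc/net/packet table into PacketSocket records."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 9:
            continue  # malformed or truncated line; skip rather than crash
        sockets.append(PacketSocket(
            sock_type=int(fields[2]),
            proto=int(fields[3], 16),   # Proto is printed in hex
            iface_index=int(fields[4]),
            inode=int(fields[8]),
        ))
    return sockets


def find_suspicious_raw_sockets(text, inode_owners,
                                allowlist=EXPECTED_RAW_SOCKET_OWNERS):
    """Return raw packet sockets owned by processes outside the allowlist."""
    findings = []
    for sock in parse_proc_net_packet(text):
        if sock.sock_type != SOCK_RAW:
            continue  # datagram packet sockets are not what we are hunting
        pid, comm = inode_owners.get(sock.inode, (None, "<unknown>"))
        if comm in allowlist:
            continue
        findings.append({
            "pid": pid,
            "comm": comm,
            "inode": sock.inode,
            "proto": sock.proto,
            "captures_all_frames": sock.proto == ETH_P_ALL,
            "iface_index": sock.iface_index,
        })
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_raw_sockets(SAMPLE_PROC_NET_PACKET,
                                           SAMPLE_INODE_OWNERS):
        print(f"pid={hit['pid']} comm={hit['comm']} inode={hit['inode']} "
              f"all_frames={hit['captures_all_frames']}")
```

On a real host, replace the sample text with the contents of /proc/net/packet and build the inode map by resolving each /proc/<pid>/fd/* symlink of the form socket:[inode]. A raw socket is only a lead, not proof: confirm by checking whether the owning process also has a filter attached (for example with `ss -0pb`) and whether its binary and parent are what you expect.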
A New Player: The Undocumented Malware Controller
Recent analysis reveals that compromised Linux servers were also infected with a previously undocumented malware controller. Once inside the network, this controller facilitates lateral movement and extends the attacker's reach across other systems.
Before sending a 'magic packet,' the controller prompts the operator for a password—this same password must match a hard-coded value within the BPFDoor malware. If authenticated, it can execute one of several commands:
- Open a reverse shell
- Redirect new connections to a shell on a specific port
- Verify if the backdoor is still active
Enhanced Capabilities: Protocol Support and Encryption
The controller is versatile, supporting TCP, UDP, and ICMP protocols. It also features an optional encrypted mode for secure communication. An advanced direct mode allows attackers to instantly connect to infected machines—again, only with the correct password.
Looking Ahead: The Expanding Threat of BPF
BPF opens new and largely unexplored territory for cyber attackers. Its ability to sneak past traditional defenses makes it an appealing tool for sophisticated malware authors. For cybersecurity professionals, understanding and analyzing BPF-based threats is crucial to staying ahead of future attacks.