SOC Prime Bias: Critical

09 Apr 2026 18:14

New Whitepaper: BPFDoor Variants Hide in Plain Sight

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Rapid7 Labs identified seven new BPFDoor variants abusing kernel-level Berkeley Packet Filters to maintain stealthy backdoor access in telecom environments. The new families, httpShell and icmpShell, use stateless ICMP and HTTP tunneling with “magic” packet formats and concealed IP fields to establish command-and-control with minimal observable footprint. The report explains how the implants aim to stay nearly invisible through process masquerading, file-descriptor cleanup, timestomping, and encrypted ICMP communications.

Investigation

Researchers analyzed nearly 300 samples and extracted new BPF bytecode traits, fresh “magic byte” markers, and variant-specific process names such as hpasmlited and cmathreshd. Lab validation in Docker reproduced ICMP-driven PTY tunneling, RC4-encrypted payload exchange, and a routing behavior where a -1 flag returns traffic back to the packet’s source address. The team also uncovered supporting infrastructure, including domains posing as NTP-over-SSL services used to blend staging and control traffic.

Mitigation

Prioritize telemetry that exposes kernel-adjacent abuse: monitor AF_PACKET socket creation, detect BPF filter attachment, and hunt for protocol anomalies tied to these variants, including ICMP sequence 1234 and an invalid ICMP code 1. Alert on suspicious daemons with missing executable paths, spoofed service names, or runtime characteristics inconsistent with legitimate system processes. Rapid7 recommends running the rapid7_bpfdoor_check.sh triage script and updating YARA/Suricata detections with the newly documented magic-byte signatures.
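As an added example (not code from the Rapid7 report or from SOC Prime), the following parser checks raw IPv4/ICMP packets for the protocol anomalies named above: an echo packet with the invalid code 1, the sequence number 1234, and the clear-text "X:" payload prefix the attack-flow diagram on this page attributes to the icmpShell variant. The packet layout (plain IPv4 header followed by ICMP, no VLAN or IP options beyond IHL) and the sample packets are assumptions constructed for the example.

```python
"""Flag ICMP echo packets carrying the markers the Rapid7 report names
(invalid echo code 1, sequence 1234) and the clear-text "X:" payload
prefix from the attack-flow diagram. Sample packets are constructed here."""
import struct

MAGIC_SEQ = 1234          # ICMP sequence number called out in the report
PAYLOAD_PREFIX = b"X:"    # prefix the icmpShell variant puts on each payload


def parse_ipv4_icmp(frame: bytes):
    """Return (src, dst, type, code, seq, payload) or None if not IPv4/ICMP."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 1:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if len(frame) < ihl + 8:
        return None
    src = ".".join(map(str, frame[12:16]))
    dst = ".".join(map(str, frame[16:20]))
    itype, code, _csum, _ident, seq = struct.unpack("!BBHHH", frame[ihl:ihl + 8])
    return src, dst, itype, code, seq, frame[ihl + 8:]


def icmp_findings(frame: bytes) -> list:
    """List BPFDoor-style anomalies in one packet; empty list means clean."""
    parsed = parse_ipv4_icmp(frame)
    if parsed is None:
        return []
    src, dst, itype, code, seq, payload = parsed
    where = f"{src}->{dst}"
    findings = []
    if itype in (8, 0) and code != 0:         # echo request/reply must use code 0
        findings.append(f"invalid echo code {code} {where}")
    if seq == MAGIC_SEQ:
        findings.append(f"magic sequence {seq} {where}")
    if payload.startswith(PAYLOAD_PREFIX):
        findings.append(f"payload prefix {PAYLOAD_PREFIX.decode()} {where}")
    return findings


def build_icmp(src, dst, itype, code, seq, payload=b"") -> bytes:
    """Constructed test packet: minimal IPv4 header + ICMP, checksums left zero."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0, src_b, dst_b)
    return ip + struct.pack("!BBHHH", itype, code, 0, 0x4242, seq) + payload


BENIGN = build_icmp("10.0.0.5", "10.0.0.9", 8, 0, 1, b"ping")
SUSPECT = build_icmp("10.0.0.5", "10.0.0.9", 8, 1, MAGIC_SEQ, b"X:" + b"\x00" * 8)
```

Feed `icmp_findings()` the IP-layer bytes of each captured ICMP packet; any non-empty result is a hunt lead, and the three checks can be promoted to Suricata or Zeek logic once validated against local baselines.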

Response

If indicators are found, isolate the system, stop the suspected implant process, and block the associated domains and IP ranges. Capture memory and disk artifacts to preserve BPF state and runtime evidence, then use rapid7_bpfdoor_check.sh to identify active BPF filters and related zero-byte mutex artifacts. Finally, refresh detections with the published signatures and continue monitoring for reappearance of the same packet markers, process names, and filter-attachment behaviors.

graph TB
  %% Class Definitions
  classDef technique fill:#ffcc99
  classDef action fill:#99ccff
  classDef tool fill:#cccccc
  classDef process fill:#c2f0c2
  classDef malware fill:#f4c2c2

  %% Nodes – Persistence
  tech_socket_filters["<b>Technique</b> – T1205.002 Traffic Signaling: Socket Filters<br/><b>Description</b>: Creates AF_PACKET sockets with BPF filters to monitor all network traffic and detect a magic packet that triggers the backdoor."]
  class tech_socket_filters technique

  %% Nodes – Defense Evasion (Masquerading)
  tech_masq_task_service["<b>Technique</b> – T1036.004 Masquerade Task or Service<br/><b>Description</b>: Spoofs legitimate daemon names such as cmathreshd and qmgr to hide malicious activity."]
  class tech_masq_task_service technique
  tech_overwrite_args["<b>Technique</b> – T1036.011 Overwrite Process Arguments<br/><b>Description</b>: Overwrites process argument strings to further blend in with legitimate services."]
  class tech_overwrite_args technique
  tech_rename_utils["<b>Technique</b> – T1036.003 Rename Legitimate Utilities<br/><b>Description</b>: Renames common utilities to avoid detection by name-based defenses."]
  class tech_rename_utils technique
  tech_obfuscate_strings["<b>Technique</b> – T1027 Obfuscated Files or Information<br/><b>Description</b>: Hides strings using stack-based obfuscation to make static analysis difficult."]
  class tech_obfuscate_strings technique

  %% Nodes – Hide Artifacts
  tech_clear_history["<b>Technique</b> – T1070.003 Clear Command History<br/><b>Description</b>: Clears shell history to remove evidence of attacker commands."]
  class tech_clear_history technique
  tech_wipe_timestamps["<b>Technique</b> – T1070.004 File Deletion<br/><b>Description</b>: Wipes file descriptors and timestamps to hinder forensic timelines."]
  class tech_wipe_timestamps technique

  %% Nodes – Execution
  tech_unix_shell["<b>Technique</b> – T1059.004 Unix Shell<br/><b>Description</b>: Spawns a pseudo-terminal via fork/dup2 to obtain an interactive Unix shell."]
  class tech_unix_shell technique
  tech_break_process["<b>Technique</b> – T1036.009 Break Process Trees<br/><b>Description</b>: Breaks the normal process ancestry to hide the malicious shell from parent-child relationship checks."]
  class tech_break_process technique

  %% Nodes – Command & Control (HTTP)
  tech_http_c2["<b>Technique</b> – T1071.001 Application Layer Protocol: Web Protocols<br/><b>Description</b>: Exfiltrates commands and responses via HTTP POST requests (httpShell variant)."]
  class tech_http_c2 technique

  %% Nodes – Command & Control (ICMP)
  tech_icmp_tunnel["<b>Technique</b> – T1572 Protocol Tunneling<br/><b>Description</b>: Tunnels an interactive PTY over ICMP echo requests (icmpShell variant)."]
  class tech_icmp_tunnel technique
  tech_rc4_encryption["<b>Technique</b> – T1573.001 Encrypted Channel: Symmetric Cryptography<br/><b>Description</b>: Encrypts tunneled payload with RC4 before embedding in ICMP packets."]
  class tech_rc4_encryption technique
  tech_data_obfuscation["<b>Technique</b> – T1001 Data Obfuscation<br/><b>Description</b>: Adds a clear-text #quot;X:#quot; prefix to each ICMP payload to confuse simple parsers."]
  class tech_data_obfuscation technique

  %% Nodes – Traffic Signaling (Port Knocking)
  tech_port_knocking["<b>Technique</b> – T1205.001 Traffic Signaling: Port Knocking<br/><b>Description</b>: Activation relies on specific magic bytes, sequence numbers and flags embedded in network packets."]
  class tech_port_knocking technique

  %% Nodes – Proxy / Relay
  tech_proxy["<b>Technique</b> – T1090 Proxy<br/><b>Description</b>: Rewrites a hidden IP field and forwards packets as ICMP to proxy traffic across internal network segments."]
  class tech_proxy technique

  %% Nodes – Privilege Escalation / Persistence
  tech_create_process["<b>Technique</b> – T1543 Create or Modify System Process<br/><b>Description</b>: Installs or modifies a system daemon, placing binaries in /var/run/user/0 to avoid audit logging."]
  class tech_create_process technique

  %% Connections – Attack Flow
  tech_socket_filters -->|enables| tech_masq_task_service
  tech_masq_task_service -->|supports| tech_overwrite_args
  tech_overwrite_args -->|supports| tech_rename_utils
  tech_rename_utils -->|enhances| tech_obfuscate_strings
  tech_obfuscate_strings -->|helps hide| tech_clear_history
  tech_clear_history -->|completes| tech_wipe_timestamps
  tech_wipe_timestamps -->|prepares environment for| tech_unix_shell
  tech_unix_shell -->|breaks| tech_break_process
  tech_break_process -->|provides channel for| tech_http_c2
  tech_break_process -->|provides channel for| tech_icmp_tunnel
  tech_icmp_tunnel -->|uses| tech_rc4_encryption
  tech_rc4_encryption -->|adds| tech_data_obfuscation
  tech_port_knocking -->|triggers| tech_socket_filters
  tech_socket_filters -->|used by| tech_proxy
  tech_proxy -->|relays traffic to| tech_http_c2
  tech_proxy -->|relays traffic to| tech_icmp_tunnel
  tech_create_process -->|establishes persistence as| tech_masq_task_service

  %% Styling
  class tech_socket_filters,tech_masq_task_service,tech_overwrite_args,tech_rename_utils,tech_obfuscate_strings,tech_clear_history,tech_wipe_timestamps,tech_unix_shell,tech_break_process,tech_http_c2,tech_icmp_tunnel,tech_rc4_encryption,tech_data_obfuscation,tech_port_knocking,tech_proxy,tech_create_process technique

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Attack Narrative & Commands

  1. Create a malicious Bash script in the rarely‑monitored path /var/run/user/0.
  2. Make the script executable, then delete the file while keeping it open, so that the process later runs from a deleted inode, which the kernel reports as part of the command line while the process continues to run.
  3. Execute the dangling file descriptor, causing the process to run from a deleted inode and generating the exact telemetry the Sigma rule looks for.
  4. Verify that the process command line in audit logs contains the string “deleted inode”, satisfying selection3.
  5. Avoid the excluded masquerading strings (hpasmlited, cmathreshd) to ensure the rule fires.
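The host-side counterpart to the steps above, written as an added example (not the Sigma rule, not rapid7_bpfdoor_check.sh, and not SOC Prime's code): a small hunter that scores process records for the telemetry this simulation produces, namely a deleted inode under /var/run/user/0 reached through a file-descriptor path, plus the spoofed daemon names the report lists when they have no backing executable. The `Proc` record, the path and name lists, and the constructed sample records are assumptions; `snapshot_proc()` reads a live /proc and needs root to see other users' links.

```python
"""Hunt a process table for what the simulation above produces: a script run
from a deleted inode under /var/run/user/0 via a dangling fd, or a daemon using
one of the report's spoofed names with no backing executable (assumed checks)."""
import os
from dataclasses import dataclass, field

WATCH_DIRS = ("/var/run/user/0",)                  # rarely monitored path from the report
MASQ_NAMES = {"hpasmlited", "cmathreshd", "qmgr"}  # daemon names the variants spoof

@dataclass
class Proc:
    pid: int
    comm: str
    exe: str                  # readlink of /proc/<pid>/exe, "" if unreadable
    cmdline: str
    fds: list = field(default_factory=list)  # readlink of each /proc/<pid>/fd/*

def classify(p: Proc) -> list:
    """Reasons a record looks BPFDoor-like; an empty list means nothing seen."""
    links = [p.exe] + p.fds
    reasons = []
    if any(l.endswith(" (deleted)") for l in links):
        reasons.append("runs from or holds a deleted inode")
    if any(l.startswith(WATCH_DIRS) for l in links):
        reasons.append("executable or open file under a watched path")
    if "/proc/self/fd/" in p.cmdline or "/dev/fd/" in p.cmdline:
        reasons.append("executed through a file-descriptor path")
    if p.comm in MASQ_NAMES and (not p.exe or p.exe.endswith(" (deleted)")):
        reasons.append(f"spoofed name {p.comm} without a backing executable")
    return reasons

def _link(path: str) -> str:
    try:
        return os.readlink(path)
    except OSError:
        return ""

def snapshot_proc() -> list:
    """Build Proc records for every pid visible in /proc (root sees all links)."""
    procs = []
    for d in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{d}"
        try:
            comm = open(f"{base}/comm").read().strip()
            cmd = open(f"{base}/cmdline", "rb").read().replace(b"\0", b" ").decode(errors="replace")
            fds = [_link(f"{base}/fd/{f}") for f in os.listdir(f"{base}/fd")]
        except OSError:
            continue
        procs.append(Proc(int(d), comm, _link(f"{base}/exe"), cmd, fds))
    return procs
```

Run `for p in snapshot_proc(): print(p.pid, p.comm, classify(p))` while the regression script's `sleep 60` is alive to confirm the bash child is reported on all three host-side conditions; the spoofed-name check only fires when the name has no readable executable, so a legitimate postfix qmgr stays quiet.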

Regression Test Script

#!/usr/bin/env bash
# -------------------------------------------------
# BPFDoor-style execution-from-deleted-inode test
# Run as root: /var/run/user/0 is root's runtime directory.
# -------------------------------------------------
set -euo pipefail

# 1. Prepare a malicious (harmless) payload
PAYLOAD="/var/run/user/0/malicious.sh"
mkdir -p "$(dirname "$PAYLOAD")"
printf '#!/usr/bin/env bash\nsleep 60\n' > "$PAYLOAD"
chmod +x "$PAYLOAD"

# 2. Open the file descriptor (keep the file open)
exec 3<"$PAYLOAD"

# 3. Delete the file from the filesystem – inode remains open via FD 3
rm -f "$PAYLOAD"

# 4. Execute the script via its dangling file descriptor.
#    The /proc/self/fd/3 symlink points to the now-deleted inode.
bash /proc/self/fd/3 &

# 5. Give the process a moment to start and be logged
sleep 5

# 6. Clean up: close the file descriptor
exec 3<&-
echo "Simulation completed – check SIEM for alerts."

Cleanup Commands

#!/usr/bin/env bash
# -------------------------------------------------
# Cleanup after BPFDoor simulation
# -------------------------------------------------

# Kill any lingering sleep processes started by the script
pkill -f "sleep 60"

# Ensure no leftover files in the target directory
rm -f /var/run/user/0/malicious.sh

echo "Cleanup finished."

End of Report