BPFDoor Malware Detection: Evasive Surveillance Tool Used to Spy on Linux Devices

Bad luck for Linux-based system maintainers – security experts have revealed a sophisticated surveillance implant that has flown under the radars of endpoint protection vendors for five years, secretly infecting thousands of Linux environments. Dubbed BPFDoor, the malware abuses the Berkeley Packet Filter (BPF) to act as a backdoor and proceed with reconnaissance. This makes the recently-uncovered tool a second BPF-based attack documented in 2022, with the NSA backdoor being the initial one. 

Detect BPFDoor Malware

The Sigma-based detection below is provided by our keen Threat Bounty developer Kaan Yeniyol, keeping a close eye on emerging threats:

Chinese Threat Actors Use BPFDoor Backdoor to Target Linux Machines

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, SentinelOne, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Microsoft Defender ATP, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch.

The rules are aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution tactic with Command and Scripting Interpreter (T1059) as the primary technique.

Cybersecurity experts are encouraged to join the Threat Bounty program to benefit from the collaborative expertise of 23,000+ professionals, increase threat hunting velocity, and get rewarded for their threat detection content.

View Detections Join Threat Bounty

What Is BFPDoor?

According to the PwC Threat Intelligence findings, the BFPDoor implant has been actively leveraged in the wild by a China-affiliated APT group known as Red Menshen. Particularly, the group leveraged the custom backdoor in a plea of targeted attacks against telecom organizations, government entities, educational institutions, and logistics firms across the Middle East and Asia.

Adversaries leverage a legitimate technology, The Berkeley Packet Filter (BPF), intended to be used for data packets’ transmissions and access regulation as well as network traffic analysis. Today, BPF-based attacks are on the rise, with a growing number of threat actors becoming interested in using the tool for their offensive purposes.

BFPDoor is a Linux-based malicious implant mainly used for surveillance purposes. The attack mechanism presumes the abuse of extended versions of BPF technology. Adversaries can penetrate a victim’s system and execute remote code without having to open any inbound network ports or new firewall rules upon planting the malicious implant. Hackers leverage compromised Taiwan-located routers as VPN tunnels to run BPFDoor via Virtual Private Servers (VPSs).

BPFDoor victims have slim to no chances of detecting a stealthy BPFDoor malicious implant once it goes resident. According to the current data, thousands of systems have been already compromised with this malware strain, yet the affected users remain unaware of the breach and implant’s persistence in the system.

Do not postpone your defense enhancement – avail the benefits of SOC Prime’s Detection as Code platform to ensure your SOC team implements the most recent detection content as swiftly as possible. To stay in the know regarding the existing and upcoming threats, follow the updates of a SOC Prime blog, which keeps SOC experts abreast of the dynamic cybersecurity industry’s scenery.