A newly discovered controller linked to the state-sponsored BPFDoor malware has been used in cyber espionage campaigns targeting the telecommunications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.
This controller, attributed to the advanced persistent threat (APT) group Earth Bluecrow (also known as Red Menshen), enables attackers to infiltrate deeper into compromised networks by opening reverse shells and redirecting connections.
Overview of BPFDoor Malware
BPFDoor is a highly stealthy backdoor that leverages the Berkeley Packet Filter (BPF), the kernel's packet-filtering facility.
The implant attaches a BPF filter to a raw socket, so it inspects inbound packets inside the kernel before they reach the IP stack or any listening service. It therefore needs no open port: an activation packet sent to a closed port still reaches it, host firewall rules that would reject the packet at the socket level do not stop it, and nothing shows up in a routine port scan.
The malware activates upon receiving network packets containing specific “magic sequences,” enabling attackers to execute commands on infected machines without raising suspicion.
The malware's ability to evade detection stems from its rootkit-like behaviour: it rewrites its own process name to resemble a legitimate system process and never listens on a port, so it is absent from the process and socket listings that administrators usually check.
These capabilities make BPFDoor an ideal tool for long-term espionage operations.
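The three traits above (a BPF-filtered raw socket instead of a listening port, a rewritten process name, and a binary that is gone from disk once running) can each be checked from /proc. The following Python script is an added example, not code from the Trend Micro report or from BPFDoor itself. It assumes a Linux /proc layout; the proc_root parameter is there only so the same code can be run against a constructed fake tree, and the flagged names in any such tree are constructed, not real indicators.

```python
import os
import re

SOCKET_RE = re.compile(r"socket:\[(\d+)\]")
TASK_COMM_LEN = 15  # the kernel truncates /proc/<pid>/comm to 15 characters


def packet_socket_inodes(proc_root="/proc"):
    """Inode numbers of every AF_PACKET socket the kernel lists in /proc/net/packet.

    A BPF-filtered raw socket is how the implant sniffs for activation packets
    without listening on a port, so an AF_PACKET socket owned by something that
    is not a known sniffer (tcpdump, a DHCP client, an IDS sensor) deserves a look.
    """
    inodes = set()
    try:
        with open(os.path.join(proc_root, "net", "packet")) as fh:
            next(fh, None)  # skip the column-header line
            for line in fh:
                fields = line.split()
                if fields:
                    inodes.add(int(fields[-1]))  # Inode is the last column
    except (OSError, ValueError):
        pass
    return inodes


def inspect_process(pid_dir, packet_inodes):
    """Return the reasons (possibly none) why the process in pid_dir looks disguised."""
    reasons = []
    try:
        with open(os.path.join(pid_dir, "comm")) as fh:
            comm = fh.read().strip()
        exe = os.readlink(os.path.join(pid_dir, "exe"))
    except OSError:
        return reasons  # kernel thread, process already gone, or no permission

    # Binary unlinked after execution (e.g. copied to a tmpfs, executed, deleted).
    if exe.endswith(" (deleted)"):
        reasons.append("exe unlinked: " + exe)
        exe = exe[: -len(" (deleted)")]

    # Process name rewritten (prctl/argv) so it no longer matches the executable.
    # Weak signal on its own: interpreted scripts legitimately differ here.
    if os.path.basename(exe)[:TASK_COMM_LEN] != comm:
        reasons.append(f"comm {comm!r} != exe {os.path.basename(exe)!r}")

    # Any open file descriptor that is an AF_PACKET socket.
    fd_dir = os.path.join(pid_dir, "fd")
    try:
        for fd in os.listdir(fd_dir):
            m = SOCKET_RE.match(os.readlink(os.path.join(fd_dir, fd)))
            if m and int(m.group(1)) in packet_inodes:
                reasons.append(f"fd {fd} is AF_PACKET socket inode {m.group(1)}")
    except OSError:
        pass
    return reasons


def scan(proc_root="/proc"):
    """Walk every numeric directory under proc_root; return {pid: [reasons]} for hits only."""
    packet_inodes = packet_socket_inodes(proc_root)
    hits = {}
    for name in os.listdir(proc_root):
        if name.isdigit():
            reasons = inspect_process(os.path.join(proc_root, name), packet_inodes)
            if reasons:
                hits[int(name)] = reasons
    return hits


if __name__ == "__main__":
    # Run as root so that exe links and fd tables of every process are readable.
    for pid, reasons in sorted(scan().items()):
        print(pid, *reasons, sep="\n    ")
```

Treat the comm/exe mismatch as corroboration only; the unlinked executable and the AF_PACKET socket are the signals worth paging someone for, especially together on a host that runs no packet-capture tooling.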
Recent Targets and Techniques
Trend Micro’s telemetry indicates that BPFDoor attacks have intensified in recent months, focusing on Linux servers in the Asia, Middle East, and Africa (AMEA) regions. The industries targeted include:
- Telecommunications: South Korea (July 2024, December 2024), Hong Kong (January 2024), Myanmar (December 2024)
- Retail: Malaysia (October 2024)
- Financial Services: Egypt (September 2024)
Attackers disguise the implant on disk under names that resemble legitimate software or log files, for example /tmp/zabbix_agent.log or /bin/vmtoolsdsrv. These files are the backdoor itself; once it is running, it is the foothold from which further infiltration proceeds.
Capabilities of the Hidden Controller
The newly identified controller adds significant functionality to BPFDoor attacks.
It supports multiple protocols—TCP, UDP, and ICMP—and offers options for encryption and password authentication.
Key features include:
- Reverse Shells: Attackers can open encrypted reverse shell sessions to control infected machines remotely.
- Direct Connections: The controller can directly connect to infected hosts using TCP ports.
- Magic Sequence Customization: Attackers can manually set magic sequences to avoid detection by defenders.
The controller uses hard-coded passwords combined with MD5 hashing for authentication.
Once authenticated, it allows attackers to execute commands or redirect connections on infected systems.
Technical Demonstrations
Trend Micro researchers demonstrated how attackers use the controller to establish reverse shell sessions.
For instance, an attacker machine with IP 192.168.32.133 can command an infected machine at 192.168.32.156 to connect back to it on port 8000/tcp.
This process involves sending activation packets containing the magic sequence, IP address, port number, and password.
In addition to TCP mode, attackers can fall back to UDP or ICMP if TCP ports are unavailable.
ICMP mode is particularly concerning: ICMP has no port at all, so an activation packet can reach a host that exposes no internet-facing TCP or UDP port, as long as echo requests are allowed through.
Defensive Measures
To counter BPFDoor's stealthy operations, Trend Micro recommends monitoring network packets for specific patterns:
- TCP payloads starting with 0x5293
- UDP payloads beginning with 0x7255
- ICMP packets containing similar magic sequences
However, because the controller lets operators change the magic bytes, matching on those two values alone is insufficient; defenders must employ deeper packet analysis.
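The check above, written out as an added example (not Trend Micro's detection logic and not code from the controller): a small IPv4 parser that strips the IP, TCP, UDP or ICMP header and tests whether the remaining payload starts with the magic prefix for that protocol. It also shows why the caveat matters, since the same scan with customized magic bytes finds nothing. The sample packets are constructed in the script, not captured traffic; the addresses are the two from the demonstration above, and the ICMP prefix is assumed to equal the UDP one (the page only says "similar"), so adjust that entry if your telemetry differs.

```python
import struct

# Magic prefixes the article lists for TCP and UDP; the ICMP value is an
# assumption (same as UDP) and should be adjusted if your telemetry differs.
MAGIC = {6: bytes.fromhex("5293"), 17: bytes.fromhex("7255"), 1: bytes.fromhex("7255")}
PROTO_NAME = {6: "TCP", 17: "UDP", 1: "ICMP"}


def l4_payload(pkt):
    """Split a raw IPv4 packet into (proto, src, dst, payload after the L4 header); None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    l4 = pkt[ihl:total]
    if proto == 6:  # TCP: data offset (in 32-bit words) is the high nibble of byte 12
        if len(l4) < 20:
            return None
        payload = l4[(l4[12] >> 4) * 4:]
    elif proto in (17, 1):  # UDP and ICMP both carry an 8-byte header
        if len(l4) < 8:
            return None
        payload = l4[8:]
    else:
        return None
    return proto, src, dst, payload


def is_activation(pkt, magic=MAGIC):
    """Describe the packet if its L4 payload starts with the magic for its protocol, else None."""
    parsed = l4_payload(pkt)
    if parsed is None:
        return None
    proto, src, dst, payload = parsed
    want = magic.get(proto)
    if want and payload.startswith(want):
        return f"{PROTO_NAME[proto]} {src} -> {dst}: payload starts with 0x{want.hex()}"
    return None


def scan(packets, magic=MAGIC):
    """Run is_activation over a {name: packet} dict and keep only the hits."""
    return {name: hit for name, pkt in packets.items() if (hit := is_activation(pkt, magic))}


# --- constructed sample traffic (built here, not captured data) -------------
def ip2b(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4(proto, src, dst, l4):
    # version/IHL, DSCP, total length, id, flags/frag, TTL, proto, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip2b(src), ip2b(dst)) + l4


def tcp(sport, dport, payload):
    # data offset 5 (0x50), flags PSH|ACK (0x18), window, checksum 0, urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0xFFFF, 0, 0) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp_echo(payload):
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload  # echo request, id 1, seq 1


ATTACKER, VICTIM = "192.168.32.133", "192.168.32.156"  # addresses from the demonstration above
SAMPLES = {
    "tcp_magic": ipv4(6, ATTACKER, VICTIM, tcp(40000, 443, MAGIC[6] + b"\x00" * 30)),
    "udp_magic": ipv4(17, ATTACKER, VICTIM, udp(40000, 53, MAGIC[17] + b"\x00" * 30)),
    "icmp_magic": ipv4(1, ATTACKER, VICTIM, icmp_echo(MAGIC[1] + b"\x00" * 30)),
    "benign_http": ipv4(6, ATTACKER, VICTIM, tcp(40001, 80, b"GET / HTTP/1.1\r\n\r\n")),
    "benign_ping": ipv4(1, ATTACKER, VICTIM, icmp_echo(b"\x00" * 48)),
}

if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name}: {hit}")
```

Feed it raw IPv4 packets from a capture tool and it flags only the three constructed activation packets; pass a different magic dict and the same packets pass clean, which is exactly the gap a customized controller opens. Magic bytes at the start of a payload on an otherwise closed port are a strong first-pass signal, but the structural clue that survives customization is a short, unsolicited packet to a port or protocol the host does not serve, followed shortly by an outbound connection from that host.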
Attribution and Outlook
Trend Micro attributes these campaigns to Earth Bluecrow with medium confidence based on coding similarities and targeting patterns.
While BPFDoor’s source code was leaked in 2022, no other groups have been linked to similar operations since then.
Looking ahead, researchers warn that BPF technology could be exploited more broadly across Linux systems and potentially adapted for Windows environments.
Proactive measures such as auditing the BPF programs loaded on hosts and deploying intrusion prevention signatures for the known activation patterns are critical.
Proactive Security Solutions
Trend Micro offers robust protection against BPFDoor through its Trend Vision One™ platform.
This AI-powered cybersecurity solution provides real-time threat intelligence and hunting queries for identifying malicious indicators within enterprise environments.
By leveraging tools like Deep Discovery Inspector and TippingPoint Intrusion Prevention filters, organizations can mitigate risks posed by BPFDoor and other emerging threats effectively.
As cyber espionage campaigns evolve, vigilance against stealthy backdoors like BPFDoor remains essential for safeguarding critical infrastructure across global industries.