Full Report
Cybersecurity researchers have unearthed a new controller component associated with a known backdoor called BPFDoor as part of cyber attacks targeting telecommunications, finance, and retail sectors in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt in 2024. "The controller could open a reverse shell," Trend Micro researcher Fernando Mercês said in a technical report published earlier in
Analysis Summary
# Tool/Technique: BPFDoor Controller (Associated with BPFDoor Backdoor)
## Overview
A newly discovered controller component associated with the BPFDoor Linux backdoor, utilized in cyber attacks primarily targeting sectors like telecommunications, finance, and retail across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt in 2024. This component facilitates stealthy lateral movement within compromised networks by interacting with the pre-existing BPFDoor backdoor mechanism.
## Technical Details
- Type: Tool (operator-side controller that drives an already-installed backdoor)
- Platform: Linux Servers
- Capabilities: Opening reverse shells, redirecting connections to a shell on a specific port, confirming backdoor activity, supporting TCP, UDP, and ICMP protocols, and offering an optional encrypted mode and a direct connection mode.
- First Seen: The controller appears in attacks observed in 2024, associated with the BPFDoor malware first publicized in 2022.
## MITRE ATT&CK Mapping
The primary focus of the controller is facilitating command and control and moving within the network infrastructure.
- **TA0011 - Command and Control**
- T1095 - Non-Application Layer Protocol (activation packets reach the backdoor over TCP, UDP, or ICMP; they carry no application-layer protocol, so T1071 does not fit)
- **TA0008 - Lateral Movement**
- T1021 - Remote Services (the controller is run from an already-compromised host to reach BPFDoor-infected peers on the same network)
- **TA0002 - Execution**
- T1059.004 - Unix Shell (the reverse shell and the port-redirected shell the backdoor spawns; the RDP sub-technique previously listed here does not apply to Linux servers)
## Functionality
### Core Capabilities
- **Reverse Shell Execution:** The controller can trigger the BPFDoor backdoor to open a reverse shell on the compromised host.
- **Connection Redirection:** It can redirect new inbound connections to a shell running on a specified port on the infected machine.
- **Authentication:** Requires a password supplied by the operator when the controller is invoked; the backdoor only responds if it matches the password hard-coded in the BPFDoor sample on that host.
### Advanced Features
- **Stealthy Lateral Movement:** Enables attackers to pivot from an initially compromised host to other machines on the same network.
- **Protocol Support:** Supports TCP, UDP, and ICMP protocols for commanding infected hosts.
- **Encryption:** Supports an optional encrypted mode for secure command and control communication.
- **Direct Mode:** Allows attackers to directly connect to the infected machine.
## Indicators of Compromise
*Note: Specific IoCs (hashes, IPs) were not provided in the context.*
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: [Not applicable/Not provided]
- Network Indicators: Activation ("magic") packets over TCP, UDP, or ICMP whose payload matches the backdoor's BPF filter, followed by an outbound reverse-shell connection or a new listener on the infected host. The byte values of the magic sequence are not given in the excerpt available here.
- Behavioral Indicators: An inbound packet matching the BPF filter immediately followed by a shell being spawned or a port being opened, or repeated activation attempts carrying different candidate passwords, which is what an operator trying to elicit a response from a suspected infection looks like.
## Associated Threat Actors
- Earth Bluecrow (Also tracked as DecisiveArchitect, Red Dev 18, and Red Menshen)
## Detection Methods
- Signature-based detection: Signatures targeting the BPFDoor malware itself (which installs the filter).
- Behavioral detection: A raw (AF_PACKET) socket with an attached BPF filter owned by a process that has no reason to sniff traffic; a process that spawns a shell bound to a port, or opens an outbound reverse-shell connection, shortly after an inbound packet matching the "Magic Byte sequence". Port redirection and reverse shells started by anything other than the usual service managers are worth alerting on in their own right.
- YARA rules: [Not provided]
## Mitigation Strategies
- **Network Filtering:** A packet socket receives frames before the host's netfilter/iptables rules are evaluated, so closing the port in the host firewall does not stop BPFDoor from seeing its magic packet. Detection therefore has to come from a network IDS that inspects packet payloads for the activation pattern, or from host-level monitoring of the BPF/eBPF layer.
- **System Hardening:** Keep Linux systems patched and limit exposed services; the controller depends on a backdoor that was planted earlier, so the initial compromise is the place to close the door.
- **Monitoring BPF Usage:** Monitor for filters being attached to sockets (setsockopt with SO_ATTACH_FILTER, or the bpf() syscall, via auditd) and periodically list packet sockets with `ss -0pb` or from /proc/net/packet, attributing each one to a process. A raw packet socket with a classic BPF filter held by a process that is not a known sniffer or DHCP client is a highly specific indicator for this malware family.
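The behavioral detection above (a packet socket owned by a process that should not have one) and the BPF-monitoring mitigation both reduce to the same hunt: list every AF_PACKET socket on the host and attribute it to a process. The script below is an added example written for this page, not Trend Micro's tooling or anything from the BPFDoor samples. It parses the /proc/net/packet table, maps socket inodes to PIDs through /proc/<pid>/fd, and flags owners that are not on an allowlist; the allowlist and the sample data are constructed assumptions.

```python
"""Hunt for processes holding AF_PACKET sockets.

BPFDoor attaches its magic-byte filter to a raw packet socket, so every
such socket on a server should map to a process you can explain.
Added example for this page, not Trend Micro's or the malware's code.
"""
import os
import re

# Linux socket type numbers (include/linux/net.h)
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}

# Daemons that legitimately open AF_PACKET sockets on many hosts.
# ASSUMPTION: site-specific. An allowlist match is not a verdict: BPFDoor
# rewrites its process name to imitate exactly these kinds of daemons.
EXPECTED_PACKET_USERS = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager", "lldpd"}

# One row of /proc/net/packet: sk RefCnt Type Proto Iface R Rmem User Inode
_ROW = re.compile(
    r"^(?P<sk>[0-9a-f]+)\s+(?P<refcnt>\d+)\s+(?P<type>\d+)\s+(?P<proto>[0-9a-f]{4})"
    r"\s+(?P<iface>\d+)\s+(?P<running>\d)\s+(?P<rmem>\d+)\s+(?P<user>\d+)\s+(?P<inode>\d+)\s*$",
    re.I,
)


def parse_proc_net_packet(text):
    """Parse /proc/net/packet; returns one dict per packet socket."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        m = _ROW.match(line.strip())
        if not m:
            continue
        rows.append({
            "inode": int(m["inode"]),
            "type": SOCK_TYPES.get(int(m["type"]), m["type"]),
            "proto": int(m["proto"], 16),  # ETH_P_* value, 0x0800 = IPv4, 0x0003 = all
            "ifindex": int(m["iface"]),    # 0 = not bound to one interface
            "uid": int(m["user"]),
        })
    return rows


def map_socket_inodes(fd_tables):
    """fd_tables: {pid: {fd: link_target}} as read from /proc/<pid>/fd.
    Returns {socket inode: [pid, ...]}."""
    owners = {}
    for pid, fds in fd_tables.items():
        for target in fds.values():
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(pid)
    return owners


def hunt(packet_text, fd_tables, comm_by_pid, expected=EXPECTED_PACKET_USERS):
    """Attribute each AF_PACKET socket to a process and flag the unexpected.
    A socket no visible process owns is flagged too: a hidden owner is worse."""
    owners = map_socket_inodes(fd_tables)
    findings = []
    for sock in parse_proc_net_packet(packet_text):
        for pid in owners.get(sock["inode"], []) or [None]:
            comm = comm_by_pid.get(pid, "?") if pid is not None else "?"
            findings.append({"pid": pid, "comm": comm, **sock,
                             "suspicious": pid is None or comm not in expected})
    return findings


def collect_live():
    """Read the real /proc on this host (root is needed to see every fd)."""
    with open("/proc/net/packet") as f:
        packet_text = f.read()
    fd_tables, comm = {}, {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            fd_dir = f"/proc/{pid}/fd"
            fd_tables[pid] = {fd: os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)}
            with open(f"/proc/{pid}/comm") as f:
                comm[pid] = f.read().strip()
        except OSError:
            continue  # process exited, or not readable by this user
    return packet_text, fd_tables, comm


# Constructed sample: two raw sockets, one owned by tcpdump and one by a
# process whose name imitates dbus-daemon (the kind of name BPFDoor uses).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c2d41e0c000 3      3    0800   0     1 0      0      49152
ffff9c2d41e0d800 3      3    0003   2     1 0      0      50231
"""
SAMPLE_FD_TABLES = {1337: {"0": "/dev/null", "3": "socket:[49152]"},
                    2049: {"3": "socket:[50231]"}}
SAMPLE_COMM = {1337: "dbus-daemon", 2049: "tcpdump"}

if __name__ == "__main__":
    for f in hunt(SAMPLE_PROC_NET_PACKET, SAMPLE_FD_TABLES, SAMPLE_COMM):
        flag = "SUSPICIOUS" if f["suspicious"] else "expected"
        print(f"{flag:10} pid={f['pid']} comm={f['comm']} {f['type']} "
              f"proto=0x{f['proto']:04x} inode={f['inode']}")
```

Run it as-is to see the constructed sample triaged, or replace the sample with `hunt(*collect_live())` on a real host. The /proc table does not say whether a filter is attached to a socket; `ss -0pb` (run as root) prints the classic BPF program for each packet socket, which is the follow-up check for anything this script flags.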
## Related Tools/Techniques
- BPFDoor (The underlying Linux backdoor that utilizes Berkeley Packet Filter (BPF) technology to listen for a "Magic Byte sequence" to activate itself, even when firewalls are active.)
- Rootkits (The technique of utilizing BPF filters for covert activation is noted as being similar to rootkit functionality.)