BPFDoor Linux Malware Detected by AhnLab EDR

BPFDoor is a backdoor that uses the Berkeley Packet Filter (BPF). It was first publicly documented in a PwC threat report in 2021 [1]. According to the report, the China-based threat actor Red Menshen has used BPFDoor for several years in attacks targeting the Middle East and Asia, and its source code was recently made public.

BPFDoor abuses BPF so that it is activated only when the threat actor sends a "magic packet". Unlike a typical backdoor it therefore neither connects out to a C&C server first nor keeps a specific port continuously open, which lets it stay hidden on the infected system.

This post summarizes how AhnLab EDR detects BPFDoor installed on Linux systems and gives a brief analysis of the malware.

1. Berkeley Packet Filter (BPF)

BPF lets a user-mode program attach a small filter program to a network socket. The kernel runs the filter on every packet received on that socket and passes on only the packets the filter accepts, so a running process can register packet filtering rules on a socket it owns and then read, or be notified of, exactly the traffic it is interested in. BPFDoor attaches such a filter to a raw socket, which receives all IP traffic reaching the host regardless of the destination port, so no listening port has to be opened.

BPFDoor also uses BPF and registers the following filter after installation. The filter looks for the value 0x5293 in the first two payload bytes of TCP packets and for 0x7255 in the first two payload bytes of UDP packets and of ICMP Echo Requests.

Figure 1. The BPF filter registered by BPFDoor

Protocol               Magic packet
TCP                    0x5293
UDP                    0x7255
ICMP (Echo Request)    0x7255

Table 1. BPF filter

The filter installed by BPFDoor examines every packet that arrives on its socket. Only packets that carry the magic value are passed up to BPFDoor; everything else is dropped by the kernel before the malware ever sees it, so the process does not have to inspect traffic itself.
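
The check that filter makes, re-implemented in Python as an added example (this is not AhnLab's code and not the malware's own filter): it parses a raw IPv4 packet, locates the transport header through the IP header length, and looks for 0x7255 in the first two bytes of UDP payload or ICMP Echo Request data and for 0x5293 in the first two bytes of TCP payload, which it finds through the TCP data offset so that TCP options are skipped. In tcpdump syntax the same condition is udp[8:2]=0x7255 or (icmp[8:2]=0x7255 and icmp[0]=8) or (tcp[((tcp[12]&0xf0)>>2):2]=0x5293). The sample packets are constructed with struct.pack, not captured traffic; a network sensor that already parses IPv4 can apply the same test to spot activation traffic on the wire.

```python
"""Decision made by the BPFDoor socket filter, re-implemented in Python.

Added example, not AhnLab's code and not the malware's filter itself.
Input is a raw IPv4 packet (no Ethernet header); the sample packets below
are constructed with struct.pack, not captured traffic.
"""
import struct

MAGIC_TCP = 0x5293        # first two bytes of the TCP payload
MAGIC_UDP_ICMP = 0x7255   # first two bytes of the UDP payload / ICMP echo data
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
ICMP_ECHO_REQUEST = 8


def _u16(pkt, off):
    """Big-endian 16-bit read at off, or None if the packet is too short."""
    return struct.unpack_from("!H", pkt, off)[0] if len(pkt) >= off + 2 else None


def magic_protocol(pkt):
    """Return "tcp", "udp" or "icmp" if the filter would accept pkt, else None.

    As in the real filter only unfragmented packets (fragment offset 0) are
    considered, and the transport header is found via the IP header length.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or _u16(pkt, 6) & 0x1FFF:
        return None
    proto = pkt[9]

    if proto == IPPROTO_UDP:                       # 8-byte UDP header, then magic
        if _u16(pkt, ihl + 8) == MAGIC_UDP_ICMP:
            return "udp"
    elif proto == IPPROTO_ICMP:                    # Echo Request only; 8-byte header, then magic
        if len(pkt) > ihl and pkt[ihl] == ICMP_ECHO_REQUEST \
                and _u16(pkt, ihl + 8) == MAGIC_UDP_ICMP:
            return "icmp"
    elif proto == IPPROTO_TCP:                     # header length from the data-offset nibble
        if len(pkt) >= ihl + 20:
            doff = (pkt[ihl + 12] >> 4) * 4
            if doff >= 20 and _u16(pkt, ihl + doff) == MAGIC_TCP:
                return "tcp"
    return None


# --- constructed sample packets (not captured traffic) -----------------------

def ipv4_packet(proto, payload, ihl_words=5):
    """Minimal IPv4 header in front of payload (checksum left 0; the filter ignores it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ihl_words * 4 + len(payload),
                      0x1234, 0, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"\x00" * (ihl_words * 4 - 20) + payload   # zero padding stands in for IP options


def udp_packet(data, sport=53000, dport=80, ihl_words=5):
    return ipv4_packet(IPPROTO_UDP, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data, ihl_words)


def icmp_packet(icmp_type, data):
    return ipv4_packet(IPPROTO_ICMP, struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + data)


def tcp_packet(data, options=b"", sport=53000, dport=443):
    """TCP segment with PSH|ACK set; len(options) must be a multiple of 4."""
    doff_words = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, doff_words << 4, 0x18, 65535, 0, 0)
    return ipv4_packet(IPPROTO_TCP, hdr + options + data)


if __name__ == "__main__":
    samples = {
        "udp magic":               udp_packet(b"\x72\x55" + b"A" * 22),
        "udp magic, ip options":   udp_packet(b"\x72\x55" + b"A" * 22, ihl_words=6),
        "icmp echo request magic": icmp_packet(ICMP_ECHO_REQUEST, b"\x72\x55" + b"A" * 22),
        "icmp echo reply magic":   icmp_packet(0, b"\x72\x55" + b"A" * 22),
        "tcp magic with options":  tcp_packet(b"\x52\x93" + b"A" * 22, options=b"\x01" * 12),
        "tcp http request":        tcp_packet(b"GET / HTTP/1.1\r\n"),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {magic_protocol(pkt)}")
```

Only the first fragment is examined (the fragment offset must be zero), so a magic packet split across IP fragments is not matched by the original filter either; a sensor reusing this test should either reassemble first or accept that gap. Note also that the UDP and TCP magic values are not interchangeable: 0x7255 at the start of a TCP payload does not match.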

2. BPFDoor

When BPFDoor is first executed, it runs the following commands to copy itself to /dev/shm under the name "kdmtmpflush", execute the copy, and then delete it. /dev/shm is a memory-backed (tmpfs) file system on Linux, mainly used by applications to store or process temporary data. Because its contents exist only in memory and are never written to disk, the path is often abused by attackers, and BPFDoor is no exception.

/bin/rm -f /dev/shm/kdmtmpflush;
/bin/cp [malware] /dev/shm/kdmtmpflush &&
/bin/chmod 755 /dev/shm/kdmtmpflush &&
/dev/shm/kdmtmpflush --init kdmtmpflush && /bin/rm -f /dev/shm/kdmtmpflush

Afterward, it uses prctl() to rename its process to one of the following strings so that it looks like a normal system process.

Figure 2. Strings used to disguise the malware as a normal process
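
A host-side check for the two traces described above, added here as an example and not AhnLab EDR's logic: a process whose /proc/<pid>/exe points at a file under /dev/shm that has since been unlinked, and a process whose name (comm, which is what prctl(PR_SET_NAME) sets) or argv[0] does not match the binary it is actually running. The evaluate() function works on recorded values so it can be tested without root; scan_proc() applies it to a live /proc. The disguise name "udevd" and the paths in the sample call are constructed for the example, not taken from a real infection.

```python
"""Look for a self-deleting, renamed process in /proc.

Added example, not AhnLab EDR's detection logic.  evaluate() is pure and
works on recorded values; scan_proc() feeds it from a live /proc.
"""
import os
from pathlib import PurePosixPath

MEMORY_FS = ("/dev/shm/", "/run/shm/")   # assumption: memory-backed paths treated as drop locations
DELETED = " (deleted)"                    # suffix the kernel appends when the exe target is unlinked


def evaluate(comm, cmdline, exe_target):
    """Return the reasons a process looks suspicious (empty list if none).

    comm       - /proc/<pid>/comm, the name prctl(PR_SET_NAME) sets (max 15 chars)
    cmdline    - /proc/<pid>/cmdline split on NUL
    exe_target - readlink('/proc/<pid>/exe'); ends in ' (deleted)' if the file is gone
    """
    reasons = []
    deleted = exe_target.endswith(DELETED)
    path = exe_target[: -len(DELETED)] if deleted else exe_target
    binary = PurePosixPath(path).name

    if path.startswith(MEMORY_FS):
        reasons.append(f"running from memory-backed path {path}")
    if deleted:
        reasons.append("executable was unlinked after it started")
    # the kernel derives comm from the execve filename, truncated to 15 characters
    if binary and comm != binary[:15]:
        reasons.append(f"process name {comm!r} does not match binary {binary!r}")
    if cmdline and PurePosixPath(cmdline[0]).name != binary:
        reasons.append(f"argv[0] {cmdline[0]!r} does not match binary {binary!r}")
    return reasons


def scan_proc(proc="/proc"):
    """Walk /proc and yield (pid, reasons) for every process evaluate() flags."""
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/comm") as f:
                comm = f.read().rstrip("\n")
            with open(f"{proc}/{entry}/cmdline", "rb") as f:
                cmdline = [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
            exe_target = os.readlink(f"{proc}/{entry}/exe")
        except OSError:
            continue   # kernel threads have no exe; other users' processes need root
        reasons = evaluate(comm, cmdline, exe_target)
        if reasons:
            yield int(entry), reasons


if __name__ == "__main__":
    # constructed values modelled on the behaviour described above (not a real capture)
    print(evaluate("udevd", ["/sbin/udevd", "-d"], "/dev/shm/kdmtmpflush (deleted)"))
    for pid, reasons in scan_proc():
        if len(reasons) >= 2:   # a bare name mismatch is common for symlinked binaries
            print(pid, "; ".join(reasons))
```

A name mismatch on its own is common for binaries reached through a symlink (python3 versus python3.11, for instance) and for interpreters, so treat it as corroboration; the unlinked or memory-backed executable is the strong signal. Run scan_proc() as root to see other users' processes.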

Once this is done, it registers the BPF filter described above and waits. When the threat actor later sends a magic packet, the filter passes it to the malware, which branches on the password the packet contains. Three outcomes are possible: a reverse shell, a bind shell, or a simple response. If the password matches "justforfun" (the value in the released source code), the malware connects to the IP address and port carried in the magic packet and provides a reverse shell. If it matches "socket", the malware opens a new port and adds firewall rules so that the threat actor can connect in. If the password matches neither, the malware replies with "1", which likely lets the attacker confirm that the host is infected.

Figure 3. Structure of the magic packet

Figure 4. Commands supported by BPFDoor

Command    Password              Feature
0          pass (justforfun)     Reverse shell
1          pass2 (socket)        Bind shell
2          N/A                   “1” response

Table 2. Commands supported by BPFDoor

For the bind shell, the malware opens a new port and adds iptables rules that accept traffic from the threat actor's IP address and redirect packets sent by that address to the original destination port over to the newly opened port. Once the connection with the threat actor is established, the added rules are removed again, so the redirection exists only for as long as it takes to connect.

# /sbin/iptables -I INPUT -p tcp -s [threat actor IP] -j ACCEPT
# /sbin/iptables -t nat -A PREROUTING -p tcp -s [threat actor IP] --dport [destination port] -j REDIRECT --to-ports [random port]
# /sbin/iptables -t nat -D PREROUTING -p tcp -s [threat actor IP] --dport [destination port] -j REDIRECT --to-ports [random port]
# /sbin/iptables -D INPUT -p tcp -s [threat actor IP] -j ACCEPT

3. Detection Using AhnLab EDR

During installation, BPFDoor copies itself to /dev/shm. AhnLab EDR detects a suspicious process copying itself to /dev/shm and granting the copy execute permission as a threat, as shown below, so administrators can become aware of the behavior before the backdoor is ever used.

Figure 5. Detecting the behavior of granting permissions to a file located in a suspicious path

As discussed above, when BPFDoor receives a command whose password matches, it opens a port and adds iptables rules that redirect the attacker's packets to it. AhnLab EDR records the addition and removal of iptables rules, and port redirection in particular, as key behaviors.
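
The installation chain and the firewall manipulation described above are both visible in process execution telemetry. The following detection logic, added here as an example and not AhnLab EDR's rules, runs over a constructed stream of execution events (pid, exe, argv, and the exe paths of the parent chain, as JSON lines that follow no particular sensor's format) and raises an alert for: a cp whose source is the image of one of the caller's ancestor processes and whose destination is under /dev/shm; a chmod that grants execute permission on that staged file; execution and later deletion of the staged file; an iptables NAT REDIRECT rule; and a rule that is deleted again after having been added earlier in the stream, which is the transient pattern of the bind shell. The sample path /tmp/sample and the address 203.0.113.7 are constructed.

```python
"""Detection logic for the install chain and the iptables manipulation,
run over constructed process-execution telemetry.

Added example, not AhnLab EDR's rules.  Events are JSON lines with pid, exe,
argv and ancestry (exe paths of parent, grandparent, ...); the shape is made
up for this example and the paths and IP address in EVENTS are constructed.
"""
import json
import shlex

MEMORY_FS = ("/dev/shm/", "/run/shm/")   # assumption: memory-backed staging paths

EVENTS = r"""
{"pid": 1202, "exe": "/bin/cp", "argv": ["/bin/cp", "/tmp/sample", "/dev/shm/kdmtmpflush"], "ancestry": ["/bin/sh", "/tmp/sample"]}
{"pid": 1203, "exe": "/bin/chmod", "argv": ["/bin/chmod", "755", "/dev/shm/kdmtmpflush"], "ancestry": ["/bin/sh", "/tmp/sample"]}
{"pid": 1204, "exe": "/dev/shm/kdmtmpflush", "argv": ["/dev/shm/kdmtmpflush", "--init"], "ancestry": ["/bin/sh", "/tmp/sample"]}
{"pid": 1205, "exe": "/bin/rm", "argv": ["/bin/rm", "-f", "/dev/shm/kdmtmpflush"], "ancestry": ["/bin/sh", "/tmp/sample"]}
{"pid": 1300, "exe": "/usr/bin/apt-get", "argv": ["apt-get", "update"], "ancestry": ["/bin/bash", "/usr/sbin/sshd"]}
{"pid": 1310, "exe": "/sbin/iptables", "argv": ["/sbin/iptables", "-I", "INPUT", "-p", "tcp", "-s", "203.0.113.7", "-j", "ACCEPT"], "ancestry": ["/bin/sh"]}
{"pid": 1311, "exe": "/sbin/iptables", "argv": ["/sbin/iptables", "-t", "nat", "-A", "PREROUTING", "-p", "tcp", "-s", "203.0.113.7", "--dport", "443", "-j", "REDIRECT", "--to-ports", "42991"], "ancestry": ["/bin/sh"]}
{"pid": 1320, "exe": "/sbin/iptables", "argv": ["/sbin/iptables", "-t", "nat", "-D", "PREROUTING", "-p", "tcp", "-s", "203.0.113.7", "--dport", "443", "-j", "REDIRECT", "--to-ports", "42991"], "ancestry": ["/bin/sh"]}
{"pid": 1321, "exe": "/sbin/iptables", "argv": ["/sbin/iptables", "-D", "INPUT", "-p", "tcp", "-s", "203.0.113.7", "-j", "ACCEPT"], "ancestry": ["/bin/sh"]}
"""


def load_events(text):
    """Parse the JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def option_value(argv, name):
    """Value following option `name` in argv, or None."""
    for i, arg in enumerate(argv):
        if arg == name and i + 1 < len(argv):
            return argv[i + 1]
    return None


def grants_exec(mode):
    """True if a chmod mode string sets or adds an execute bit (numeric or symbolic)."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])
    return "x" in mode and "-x" not in mode


def analyze(events):
    """Return (pid, kind, detail) alerts for the event stream, in stream order."""
    alerts = []
    staged = {}       # memory-backed path -> True once it has been made executable
    added_rules = {}  # iptables rule (argv without -A/-I/-D) -> pid that added it

    for ev in events:
        argv, pid, exe = ev["argv"], ev["pid"], ev["exe"]
        tool = exe.rsplit("/", 1)[-1]

        if tool == "cp" and len(argv) >= 3 and argv[-1].startswith(MEMORY_FS):
            staged.setdefault(argv[-1], False)
            # the source is the image of an ancestor process: the process copied itself
            if argv[-2] in ev.get("ancestry", []):
                alerts.append((pid, "self-copy", f"{argv[-2]} -> {argv[-1]}"))

        elif tool == "chmod" and len(argv) >= 3 and argv[-1] in staged and grants_exec(argv[-2]):
            staged[argv[-1]] = True
            alerts.append((pid, "exec-perm", f"chmod {argv[-2]} {argv[-1]}"))

        elif exe in staged and staged[exe]:
            alerts.append((pid, "staged-exec", shlex.join(argv)))

        elif tool == "rm" and argv[-1] in staged and staged[argv[-1]]:
            alerts.append((pid, "staged-delete", argv[-1]))

        elif tool == "iptables":
            action = next((a for a in ("-A", "-I", "-D") if a in argv), None)
            rule = tuple(a for a in argv[1:] if a not in ("-A", "-I", "-D"))
            if action in ("-A", "-I"):
                added_rules[rule] = pid
                if option_value(argv, "-j") == "REDIRECT":
                    alerts.append((pid, "port-redirect",
                                   f"{option_value(argv, '-s')} dport {option_value(argv, '--dport')}"
                                   f" -> local port {option_value(argv, '--to-ports')}"))
            elif action == "-D" and rule in added_rules:
                alerts.append((pid, "transient-rule",
                               f"added by pid {added_rules.pop(rule)}: {shlex.join(rule)}"))
    return alerts


if __name__ == "__main__":
    for pid, kind, detail in analyze(load_events(EVENTS)):
        print(f"pid {pid:5d}  {kind:15s} {detail}")
```

The self-copy rule needs the parent chain of the cp process, which is why the sample events carry an ancestry list; a sensor that only records the immediate parent sees the shell, not the malware, and would miss it. The transient-rule alert fires on deletion, so it is a confirmation after the fact; the port-redirect alert is the one that fires while the bind shell is still reachable.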

Figure 6. Detecting port redirection using iptables

The behaviors above are not unique to BPFDoor and are used by other malware strains as well. AhnLab EDR also detects the suspicious behaviors of an installed BPFDoor itself as threats, so administrators can recognize them, identify the cause, and respond appropriately.

Figure 7. Detecting BPFDoor using AhnLab EDR

4. Conclusion

BPFDoor was first documented in a PwC threat report in 2021 and is used in attacks against various countries, including in Asia. Affected entities include telecommunications providers, logistics companies, educational institutions, and government organizations, and the China-based threat actor Red Menshen is known to have used BPFDoor in attacks for years.

Unlike typical backdoors, BPFDoor's use of BPF means it neither has to connect to a C&C server first nor keep a suspicious port open. It can therefore remain on the infected system without visible signs and execute commands whenever the threat actor sends a magic packet.

AhnLab EDR detects the suspicious behaviors seen during BPFDoor's installation and command execution as threats and key behaviors, helping administrators recognize them early. Based on this, administrators can identify the cause and respond appropriately. Even after an attack has succeeded, the recorded data from the affected system can be reviewed to investigate the intrusion and serves as evidence about the threat actor.

V3 Detection

Backdoor/Linux.BPFDoor.2442008
Backdoor/Linux.Bpfdoor.28832
Backdoor/Linux.BPFDoor.29324
Backdoor/Linux.BPFDoor.302576
Backdoor/Linux.BPFDoor.34475
Backdoor/Linux.BPFDoor.SE321
Backdoor/Linux.BPFDoor.SE322
Backdoor/Linux.BPFDoor.XE244
Trojan/Linux.Bpfdoor.27360

EDR Detection

– DefenseEvasion/EDR.Event.M12190
– Behavior/DETECT.Event.M12191
– DefenseEvasion/DETECT.Firewall.M12192
– DefenseEvasion/DETECT.Firewall.M12193
– Execution/EDR.BPFDoor.M12195

Tactic                        Technique
Execution (TA0002)            Command and Scripting Interpreter: Unix Shell (T1059.004)
Execution (TA0002)            Native API (T1106)
Defense Evasion (TA0005)      Masquerading: Masquerade Task or Service (T1036.004)
Defense Evasion (TA0005)      Impair Defenses: Disable or Modify System Firewall (T1562.004)
Defense Evasion (TA0005)      Indicator Removal on Host: File Deletion (T1070.004)
Defense Evasion (TA0005)      Indicator Removal on Host: Timestomp (T1070.006)
Defense Evasion (TA0005)      File and Directory Permissions Modification (T1222)
Command and Control (TA0011)  Traffic Signaling: Socket Filters (T1205.002)
Command and Control (TA0011)  Encrypted Channel (T1573)

MITRE ATT&CK mapping information