Researchers have uncovered a highly evasive Chinese surveillance tool that uses the Berkeley Packet Filter (BPF). The malware, dubbed BPFDoor, is present on “thousands” of Linux systems, and its controller has gone almost completely unnoticed by endpoint protection vendors despite being in use for at least five years.
This is the second malware family revealed this year that uses BPF in Linux for covert surveillance, following Pangu Lab’s February 2022 discovery of an apparent NSA backdoor, which they named Bvp47. Security researcher Kevin Beaumont suggested at the time that BPF (or extended BPF, eBPF) was being used by other threat actors.
Beaumont, who previously worked at Microsoft, warned then of the security implications of bringing eBPF to other platforms beyond Linux, including Windows. “I really, really hope Microsoft have threat modelled what will happen to security when they bake eBPF into the base OS,” he said on Twitter. (Microsoft in March 2021 announced a new open source project to make eBPF work on Windows 10 and Windows Server 2016 and later.)
BPF was originally used for high-performance packet tracing and network analysis. But eBPF now allows sandboxed execution of code within an OS kernel, making it much more powerful – and also a much more useful tool for attackers. eBPF programmes can be used for tracing, instrumentation, hooking system calls, debugging, and packet capturing/filtering, and eBPF has drawn increased attention from offensive security professionals.
Last week Beaumont posted a file to VirusTotal that was quickly confirmed to be a controller for BPFDoor, a backdoor that security researchers Ben Jackson and Will Bonner of PWC have been tracking since 2021 and attribute to a threat actor PWC calls Red Menshen. The pair will present more details at the Troopers conference in June.
“[BPFDoor] allows a threat actor to backdoor a system for remote code execution, without opening any new network ports or firewall rules. For example, if a webapp exists on port 443, it can listen and react on the existing port 443, and the implant can be reached over the webapp port (even with the webapp running),” Beaumont wrote in a blog post rounding up available BPFDoor information and his own analysis.
“Because BPFDoor doesn’t open any inbound network ports, doesn’t use an outbound C2, and it renames its own process in Linux (so ps aux, for example, will show a friendly name) it is highly evasive."
He said he swept the internet for BPFDoor in 2021, and found it installed in systems in the US and across Asia at organisations including “government systems, postal and logistic systems, education systems and more”. Beaumont said he believed the implant is present in “thousands of systems”.
He added: "If anybody is wondering how many abuse complaints it generated scanning the Internet for an unknown implant -- zero. Nobody noticed."
PWC’s annual cyber threats report said of Red Menshen: “This threat actor has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors using a custom backdoor we refer to as BPFDoor. This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant.”
It was not immediately clear why PWC had not chosen to disclose detection methods or IoCs for a widely deployed backdoor. Beaumont provided several IoC/IoA resources, including YARA rules, the presence of files in /dev/shm such as /dev/shm/kdmtmpflush, and a sandbox report from 2019. He also posted a link to BPFDoor hashes on VirusTotal, but noted that “each implant has a unique hash, so hunting for file hashes is a BAD IDEA”.
Nextron Systems’ Florian Roth also uncovered BPFDoor source code from 2018.
And Sandfly Security founder Craig Rowland posted a technical analysis of the surveillance tool on Twitter, with useful information on where to look for BPFDoor, noting: "[As the malware] goes resident it deletes itself from disk. The working directory is /dev/shm (Linux ramdisk). A system reboot ensures the area is wiped. You can see also where it masks the cmdline and command portions in /proc. A ps command shows the bogus name."
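The on-host traces Rowland and Beaumont describe (a resident process whose binary has been deleted from disk, a process name in /proc that does not match the executable actually running, and leftover files in /dev/shm) can be checked without any vendor tooling. The script below is an added example written for this article, not code from Sandfly, PWC or any of the researchers quoted; it only reads /proc and /dev/shm. The comparison of cmdline and comm against the exe link is a hunting heuristic that generalises the "bogus name" observation and will also flag legitimate cases such as shells and interpreters that rewrite argv[0], so its output is a triage list rather than a verdict. The fake /proc tree it builds for offline use is constructed sample data; the file name kdmtmpflush is the one quoted in the article.

```python
#!/usr/bin/env python3
"""Added hunting example (not from the article or any vendor tool): walk
/proc for a running process whose executable was deleted from disk and for
a process whose /proc name disagrees with the binary it runs, and list what
is sitting in the /dev/shm ramdisk."""
import os
import tempfile
from dataclasses import dataclass

# File name quoted in the article as a BPFDoor artefact; anything else in
# /dev/shm is still reported, just without the known-name flag.
KNOWN_SHM_NAMES = {"kdmtmpflush"}


@dataclass
class Finding:
    pid: int
    reason: str
    detail: str


def _read(path):
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return b""


def check_process(proc_dir):
    """Inspect one /proc/<pid> directory and return a list of Findings."""
    pid = int(os.path.basename(proc_dir))
    findings = []
    try:
        exe = os.readlink(os.path.join(proc_dir, "exe"))
    except OSError:
        exe = ""  # kernel threads and processes we may not inspect have no usable exe link
    # Trace 1: the binary removed itself after going resident. The kernel
    # then appends " (deleted)" to the target of the exe link.
    if exe.endswith(" (deleted)"):
        findings.append(Finding(pid, "exe-deleted", exe))
    # Trace 2: masked name. ps derives its display name from cmdline/comm,
    # which a process can overwrite; the exe link cannot, so compare them.
    exe_base = os.path.basename(exe.replace(" (deleted)", ""))
    argv = _read(os.path.join(proc_dir, "cmdline")).split(b"\0")
    argv0 = os.path.basename(argv[0].decode("utf-8", "replace")) if argv and argv[0] else ""
    comm = _read(os.path.join(proc_dir, "comm")).decode("utf-8", "replace").strip()
    if exe_base and argv0 and argv0 != exe_base:
        findings.append(Finding(pid, "cmdline-mismatch", f"argv0={argv0} exe={exe_base}"))
    if exe_base and comm and comm != exe_base[:15]:  # comm is truncated to 15 bytes
        findings.append(Finding(pid, "comm-mismatch", f"comm={comm} exe={exe_base}"))
    return findings


def scan_proc(proc_root="/proc"):
    """Run check_process over every numeric (pid) entry under proc_root."""
    findings = []
    pids = sorted((n for n in os.listdir(proc_root) if n.isdigit()), key=int)
    for name in pids:
        findings.extend(check_process(os.path.join(proc_root, name)))
    return findings


def scan_shm(shm_dir="/dev/shm"):
    """Return (name, is_known_name) for each entry in the ramdisk directory."""
    try:
        entries = sorted(os.listdir(shm_dir))
    except OSError:
        return []
    return [(n, n in KNOWN_SHM_NAMES) for n in entries]


def build_fake_tree():
    """Constructed sample data for offline use: a fake /proc holding one
    benign process and one showing both traces, plus a fake /dev/shm."""
    root = tempfile.mkdtemp(prefix="bpfdoor-hunt-")
    proc, shm = os.path.join(root, "proc"), os.path.join(root, "shm")
    benign = os.path.join(proc, "1")
    os.makedirs(benign)
    os.symlink("/usr/lib/systemd/systemd", os.path.join(benign, "exe"))
    with open(os.path.join(benign, "cmdline"), "wb") as f:
        f.write(b"/usr/lib/systemd/systemd\0--system\0")
    with open(os.path.join(benign, "comm"), "wb") as f:
        f.write(b"systemd\n")
    suspect = os.path.join(proc, "4242")
    os.makedirs(suspect)
    # Binary ran from the ramdisk and then unlinked itself.
    os.symlink("/dev/shm/kdmtmpflush (deleted)", os.path.join(suspect, "exe"))
    with open(os.path.join(suspect, "cmdline"), "wb") as f:
        f.write(b"/sbin/udevd\0-d\0")  # the "friendly" name ps would display
    with open(os.path.join(suspect, "comm"), "wb") as f:
        f.write(b"udevd\n")
    os.makedirs(shm)
    open(os.path.join(shm, "kdmtmpflush"), "wb").close()
    return proc, shm


if __name__ == "__main__":
    for fnd in scan_proc():
        print(f"pid {fnd.pid}: {fnd.reason} {fnd.detail}")
    for name, known in scan_shm():
        print(f"/dev/shm/{name}" + ("  <-- name reported for BPFDoor" if known else ""))
```

Run it as root on a live host to see every process; as an unprivileged user the exe links of other users' processes are unreadable and those processes are silently skipped. Because the working directory is a ramdisk, anything in /dev/shm is gone after a reboot, so the scan has to happen on the running system, and a hit on "exe-deleted" alone is worth a look even when the name checks are quiet.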