Malicious Tool BPFDoor Evades Detection for Years

Security researchers recently made a worrying discovery. A malicious tool associated with Chinese threat actors turned out to be deployed on "thousands" of systems running Linux. The shocking part of the news is that the malware in question, dubbed BPFDoor, managed to remain on those computers and dodge detection for roughly five years.

Earlier this year, researchers with security firm Pangu Lab picked apart another BPF-based backdoor for Linux systems, called Bvp47. BPF stands for "Berkeley Packet Filter", a technology originally associated with Linux-based systems and used for network analysis.

BPFDoor came to light after a file sample analyzed by multiple parties turned out to be a controller for the malware. The malware has been attributed to an entity called Red Menshen - an advanced persistent threat actor believed to operate out of China that is also tracked under the handle Red Dev 18.

The backdoor tool allows malicious actors to gain remote code execution capabilities on a compromised system without ever opening any new network ports to forward the commands through and without altering any firewall rules.

The malware is particularly hard to detect on the Linux systems it infects for several reasons. One is the low profile it keeps: it never alters firewall rules and never opens or otherwise tampers with ports. Another is that BPFDoor does not beacon out to a command and control server, so there is no outbound connection to spot. Finally, the backdoor can rename its own process so that it shows up under a benign-looking name when the victim system is examined with the "ps aux" command.
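The process-renaming trick above works because `ps aux` displays the name a process reports about itself (its argv[0] and comm), which the process can overwrite. The kernel-maintained /proc/&lt;pid&gt;/exe link, by contrast, still points at the binary that is actually running. The following triage script is an added example written for this article, not code from the original report or from any vendor; it compares the two and flags processes whose reported name has nothing in common with their executable. The sample process list and names in it are constructed.

```python
"""Flag processes whose self-reported name disagrees with /proc/<pid>/exe."""
import os
from pathlib import Path

COMM_LEN = 15  # the kernel truncates a process's comm to 15 characters


def _base(path):
    """Basename of a path, ignoring the ' (deleted)' marker for unlinked binaries."""
    return os.path.basename(path.replace(" (deleted)", ""))


def is_spoofed(argv0, comm, exe):
    """True when neither reported name plausibly derives from the executable."""
    real = _base(exe)
    if not real:  # kernel threads have no exe link; not our concern here
        return False
    # argv[0] may have been overwritten with a full fake command line
    candidates = {_base(argv0.split(" ")[0]), comm.strip()}
    for name in candidates:
        if not name:
            continue
        # tolerate interpreter/symlink variants such as python3 -> python3.11
        if real.startswith(name[:COMM_LEN]) or name.startswith(real[:COMM_LEN]):
            return False
    return True


def find_mismatches(procs):
    """procs: iterable of (pid, argv0, comm, exe). Returns the pids flagged."""
    return [pid for pid, argv0, comm, exe in procs if is_spoofed(argv0, comm, exe)]


def snapshot(root="/proc"):
    """Collect (pid, argv0, comm, exe) for every readable process on a live Linux host."""
    procs = []
    for entry in Path(root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            argv0 = (entry / "cmdline").read_bytes().split(b"\0")[0].decode(errors="replace")
            comm = (entry / "comm").read_text()
            exe = os.readlink(entry / "exe")
        except OSError:
            continue  # process exited, or no permission (run as root for full coverage)
        procs.append((entry.name, argv0, comm, exe))
    return procs


# Constructed sample, not real telemetry: pid 103 reports itself as cron but runs elsewhere.
SAMPLE = [
    ("101", "/usr/sbin/sshd", "sshd", "/usr/sbin/sshd"),
    ("102", "python3", "python3", "/usr/bin/python3.11"),
    ("103", "/usr/sbin/cron -f", "cron", "/tmp/.cache/agent"),
]

if __name__ == "__main__":
    print(find_mismatches(snapshot()))
```

A hit is a triage lead, not a verdict: confirm with the binary's hash, its on-disk location and the process's open sockets before acting.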

The entity behind BPFDoor, Red Menshen or Red Dev 18, is associated with cyberespionage and has previously targeted entities working in telecoms and located in both Asia and the Middle East.

May 13, 2022