China-linked backdoor takes advantage of the Berkeley Packet Filter on Unix systems to hide its presence.


Malware researchers warn about a stealthy backdoor program that has been used by a Chinese threat actor to compromise Linux servers at government and private organisations around the world, including Vietnam and Myanmar.

While the backdoor is not new and variants have been in use for the past five years, it has managed to fly under the radar and have very low detection rates. One reason for its success is that it leverages a feature called the Berkeley Packet Filter (BPF) on Unix-based systems to hide malicious traffic.

BPFdoor was named by researchers from PwC Threat Intelligence who attribute it to a Chinese group they call Red Menshen. The PwC team found the threat while investigating several intrusions throughout Asia last year and included a short section about it in their annual threat report released late last month.

This short mention didn’t get a lot of attention until independent security researcher Kevin Beaumont shared a link to a malware sample with a low detection rate on VirusTotal a few days ago.

The PwC team then confirmed that what Beaumont had found was a controller for the passive BPFdoor backdoor, which in turn prompted a more detailed write-up by Beaumont, who had been independently tracking the malware since last year.

“I swept the internet for BPFDoor throughout 2021 and discovered it is installed at organisations across the globe — in particular the U.S., South Korea, Hong Kong, Turkey, India, Vietnam and Myanmar, and is highly evasive,” Beaumont said in a blog post. “These organisations include government systems, postal and logistic systems, education systems and more.”

How BPFdoor abuses BPF

While the PwC researchers plan to share more details about the backdoor at a conference in June, other researchers, including Beaumont, have already located more samples on VirusTotal potentially uploaded by victims or other parties over the years. 

In addition to the samples, the source code of an older variant of the backdoor was posted online and was analysed by Linux intrusion detection and incident response firm Sandfly Security.

“The BPFDoor source is small, focused and well written,” the Sandfly researchers said. “While the sample we reviewed was Linux specific, with some small changes it could easily be ported to other platforms (a Solaris binary reportedly exists). BPF is widely available across operating systems and the core shell functions would likely work across platforms with little modification.”

To be deployed on a system effectively, the malware needs to be executed with root privileges. This suggests that the attackers are compromising the infected servers using other techniques, potentially by exploiting vulnerabilities.

Once executed, the backdoor first performs several detection-evasion and anti-forensics steps. This involves copying itself to the Linux ramdisk, altering timestamps, setting itself up to masquerade as a legitimate process running on the system, and deleting certain environment data for process execution that could be useful to forensics tools. 

According to the Sandfly researchers, the backdoor has no built-in persistence mechanism or routine, so persistence is likely achieved manually by the attackers deploying separate persistence scripts.

Once running on a system, the backdoor loads a BPF filter that lets it monitor network packets arriving at the system over various protocols such as ICMP (ping), TCP and UDP. The filter discards all packets except those carrying a magic value in their header accompanied by a password. The attackers use these packets to open remote shells on the infected systems.

“The relevance of the BPF filter and packet capture is that it is sniffing traffic at a lower level than the local firewall,” the researchers explained. 

“This means that even if you run a firewall the implant will see, and act upon, any magic packet sent to the system. The firewall running on the local host will not block the implant from having this visibility. This is an important point to understand.”

What this means in practice is that if, for example, the system firewall is configured to only allow connections to a web application running on the server on port 443 (HTTPS), external attackers can still send a so-called magic packet to that port and activate the backdoor without the firewall being able to block it. In other words, it piggybacks on legitimate network traffic that’s already allowed on the system.

Furthermore, when the encrypted magic packet is received the backdoor will open a root shell on a high port locally on the system and will use the iptables Linux firewall to set a rule that redirects all traffic originating from the attacker’s IP address to the shell port. 

So once the backdoor is activated, if the attackers connect to the system again over port 443, they will be greeted with a root shell instead of the web application. Requests from all other IP addresses and legitimate users will continue to be handled normally and be sent to the web application.

Instead of waiting for attackers to connect to the shell, the backdoor can also set up a reverse shell that actively connects back to the attackers, but this is more easily detected if the system is configured to block outgoing connections.

“The use of BPF and packet capture provides a way to bypass local firewalls to allow remote attackers to control the implant,” the researchers said. “Finally, the redirect feature is unique and very dangerous as it can make malicious traffic blend in seamlessly with legitimate traffic on an infected host with exposed ports to the internet.”
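Two host-side checks a defender can script from the behaviour described above: an implant that sniffs below the firewall needs a raw AF_PACKET socket, which shows up in /proc/net/packet, and the redirect feature leaves a nat-table rule keyed to a single source address. This is an added example, not code from PwC, Sandfly or Beaumont; the iptables-save and /proc/net/packet text is constructed sample data, and the 1024 port threshold is an assumption.

```python
import re
from typing import List, Tuple

# Constructed `iptables-save` output (sample data, not from a real host): an ordinary
# port-80 redirect plus a PREROUTING rule that fires only for one /32 source and sends
# its port-443 traffic to a high local port, the pattern described in the article.
SAMPLE_IPTABLES_SAVE = """\
*filter
COMMIT
*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -s 203.0.113.7/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 42391
COMMIT
"""

# Constructed /proc/net/packet content: one SOCK_RAW (Type 3) AF_PACKET socket and one
# SOCK_DGRAM (Type 2) socket. Columns: sk RefCnt Type Proto Iface R Rmem User Inode.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      18765
0000000000000000 3      2    0800   0     0 0      0      12044
"""

# nat PREROUTING rule pinned to a single /32 source that redirects to a local port.
RULE_RE = re.compile(
    r"^-A PREROUTING .*-s (?P<src>[\d.]+)/32 .*--dport (?P<dport>\d+) "
    r".*-j REDIRECT --to-ports (?P<to>\d+)$"
)

def find_single_source_redirects(iptables_save: str, min_port: int = 1024) -> List[Tuple[str, int, int]]:
    """Return (src, dport, to_port) for single-source nat redirects to a port >= min_port."""
    hits, in_nat = [], False
    for line in iptables_save.splitlines():
        if line.startswith("*"):          # table header: *filter, *nat, ...
            in_nat = line.strip() == "*nat"
            continue
        m = RULE_RE.match(line.strip()) if in_nat else None
        if m and int(m["to"]) >= min_port:
            hits.append((m["src"], int(m["dport"]), int(m["to"])))
    return hits

def raw_packet_socket_inodes(proc_net_packet: str) -> List[int]:
    """Inodes of SOCK_RAW AF_PACKET sockets; each resolves to its owning process through
    the socket:[inode] links under /proc/<pid>/fd, to compare against expected sniffers."""
    inodes = []
    for line in proc_net_packet.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) >= 9 and fields[2] == "3":  # Type column: 3 == SOCK_RAW
            inodes.append(int(fields[8]))
    return inodes
```

On a live host, feed the functions the output of `iptables-save` and the contents of /proc/net/packet; a raw socket owned by anything other than a known sniffer (tcpdump, DHCP clients, monitoring agents) and a single-source redirect to an unexpected high port both deserve a closer look.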

How to detect BPFdoor

According to PwC’s report, the Red Menshen group uses a variety of post-exploitation tools for lateral movement inside corporate networks after gaining a foothold with BPFdoor. 

This includes custom variants of the Mangzamel and Gh0st Windows Trojan programs, as well as open-source tools such as Mimikatz and Metasploit. The attackers use virtual private servers hosted at well-known providers to control the BPFDoor implants and also rely on compromised routers in Taiwan to connect to and manage those servers.

Beaumont and researcher Florian Roth have both shared YARA rules that can be used to scan for different BPFdoor samples inside environments. The Sandfly Security researchers have also shared indicators of compromise and hunting tactics in their analysis, warning that simply searching for file hashes is not reliable, since malicious binaries can easily be recompiled and changed on Linux.

It’s also worth noting that the abuse of BPF, while rare, is not new. In February, a Chinese cybersecurity firm called Pangu Lab released a report on a backdoor implant they attributed to the U.S. National Security Agency (NSA) and dubbed Bvp47. 

That implant also relied on BPF to establish a covert communication channel. Beaumont warned at the time that the cybersecurity industry seemed to ignore the significance and potential dangers of BPF and eBPF (extended BPF) being used to evade detection.
