Researchers at PwC Threat Intelligence have documented the discovery of BPFDoor, a passive network implant attributed to Red Menshen, a Chinese threat group. BPFDoor presents a novel method of receiving instructions and executing code on infected hosts. Unlike many implants, BPFDoor does not open any ports, nor does it perform outbound Command and Control operations (C2). In addition, it performs process name masquerading to achieve a high level of evasion and employs Berkeley Packet Filtering (BPF) in order to filter packets on legitimate ports for ‘magic bytes’ that activate the implant. This method of packet filtering lends itself well to stealthy operations not only because of the lack port opening, but also the very low CPU overhead required to do the filtering.
Independent researcher Kevin Beaumont also found that this implant has been active in organizations around the globe since at least 2021, though early versions of the source code have been discovered and suggest the existence of this implant many years earlier. He also states that “Inside those organizations I believe it is likely present on thousands of systems. The implant appears to be for surveillance purposes.”
Analyst Notes
There has been much discussion and collaboration on methods of detecting BPFDoor among the Information Security community. Notably, detection engineers Florian Roth and Kevin Beaumont have provided some well-engineered YARA rules for detecting common patterns in the BPFDoor implant. Another method of detection revolves around checking for unusual files in the /dev/shm directory, such as /dev/shm/kdmtmpflush. Finally, Kevin Beaumont has amassed an expansive collection of hashes and Indicators of Compromise (IOC) on VirusTotal. These detection resources are linked below.
https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896
https://www.virustotal.com/gui/collection/dd82ee900dd15a5d6205d7aeb8a0c9d60e1b3c93c678cfd7a8fa7be444afefe7/iocs
https://github.com/GossiTheDog/ThreatHunting/blob/master/YARA/BPFDoor-Unknown.yar
https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar
https://pastebin.com/kmmJuuQP
