Chinese Hackers Exploit Linux Systems Worldwide with BPFDoor Backdoor
BPFDoor, a passive backdoor for Linux systems, has been found on compromised hosts worldwide. The implant is attributed to the Chinese threat actor group Red Menshen and has been in use since 2018. It relies on custom techniques to evade security tooling and gives its operators full remote access to the compromised device.
BPFDoor attaches a Berkeley Packet Filter (BPF) to a raw socket and combines this with other evasion tactics. Because the filter inspects traffic before it reaches the network stack, the backdoor can receive operator traffic without opening a listening port, so it does not show up in the usual netstat or ss output. It supports several protocols for command and control, including TCP, UDP, and ICMP. The implant creates a zero-byte PID file at /var/run/haldrund.pid to mark that an instance is already running. Compromised systems have been found in the US, South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar, in sectors including telecommunications, government, education, and logistics.
The group has been observed issuing commands from Virtual Private Servers (VPS) hosted at a well-known provider. Qualys Multi-Vector EDR detects BPFDoor through YARA scanning and assigns it a threat score of 5/10. Qualys Custom Assessment and Remediation can also identify the backdoor by looking for packet-sniffing processes and checking which processes hold raw sockets. Raw sockets are also used by legitimate tools such as tcpdump and DHCP clients, so each hit still needs to be triaged against the process's real executable and command line.
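The following host-triage script is an added example and is not code from the article, from Qualys, or from the BPFDoor authors. It applies the checks described above by reading standard Linux /proc paths: it collects the socket inodes listed in /proc/net/packet and /proc/net/raw, maps them to the processes holding them, checks for the zero-byte /var/run/haldrund.pid marker, and adds a general name-versus-executable heuristic for the process masquerading the article mentions. The column layouts are standard Linux; the process names and paths in the sample data are constructed, and the /dev/shm and "(deleted)" checks are generic red flags rather than indicators taken from the article.

```python
"""Host triage for raw-socket backdoors such as BPFDoor.

Added example, not code from Qualys or from the article. It applies the two
checks the article names (packet-sniffing processes and raw sockets) by
reading /proc, and adds a process-name sanity check for the masquerading the
article describes. /proc paths and column layouts are standard Linux.
"""
import os
import re
from pathlib import Path

PID_MARKER = "/var/run/haldrund.pid"  # zero-byte PID file reported for BPFDoor
SOCKET_RE = re.compile(r"socket:\[(\d+)\]")


def raw_socket_inodes(packet_text: str, raw_text: str) -> set:
    """Return socket inodes listed in /proc/net/packet and /proc/net/raw.

    /proc/net/packet lists AF_PACKET sockets (what a BPF sniffer attaches
    its filter to); the inode is the last column. /proc/net/raw shares the
    /proc/net/tcp layout, where the inode is the tenth column.
    """
    inodes = set()
    for line in packet_text.splitlines()[1:]:          # skip header
        cols = line.split()
        if len(cols) >= 9:
            inodes.add(cols[-1])
    for line in raw_text.splitlines()[1:]:             # skip header
        cols = line.split()
        if len(cols) >= 10:
            inodes.add(cols[9])
    return inodes


def suspicious_processes(inodes: set, procs: dict) -> dict:
    """Map pid -> reasons for every process holding a raw/packet socket.

    procs: {pid: {"fds": [readlink targets], "cmdline": str, "exe": str}}.
    Holding a raw socket is only a lead (tcpdump, dhclient and NetworkManager
    do it too), so each hit also carries the name-vs-executable checks that
    separate a masquerading implant from a legitimate sniffer. The /dev/shm
    and "(deleted)" checks are generic heuristics, not article indicators.
    """
    hits = {}
    for pid, info in procs.items():
        held = {m.group(1) for fd in info["fds"] for m in [SOCKET_RE.match(fd)] if m}
        matched = held & inodes
        if not matched:
            continue
        reasons = ["raw/packet socket inode(s): " + ", ".join(sorted(matched))]
        # argv[0] as shown in ps; implants that overwrite argv may pack
        # "name args" into a single NUL-terminated string, hence the space split
        argv0 = info["cmdline"].split("\0")[0].split(" ")[0] if info["cmdline"] else ""
        exe = info["exe"]
        if exe.endswith(" (deleted)") or exe.startswith("/dev/shm/"):
            reasons.append("executable %r (deleted or in a scratch directory)" % exe)
        elif argv0 and os.path.basename(argv0) != os.path.basename(exe):
            reasons.append("argv[0] %r does not match executable %r" % (argv0, exe))
        hits[pid] = reasons
    return hits


def pid_marker_present(path: str = PID_MARKER) -> bool:
    """True when the zero-byte marker file exists (absence proves nothing)."""
    try:
        return os.path.getsize(path) == 0
    except OSError:
        return False


def collect_live() -> dict:
    """Snapshot fds, cmdline and exe for every pid in /proc (root sees all)."""
    procs = {}
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            fds = [os.readlink(fd) for fd in (entry / "fd").iterdir()]
            cmdline = (entry / "cmdline").read_bytes().decode(errors="replace")
            exe = os.readlink(entry / "exe")
        except OSError:
            continue                      # process exited or not ours to read
        procs[entry.name] = {"fds": fds, "cmdline": cmdline, "exe": exe}
    return procs


if __name__ == "__main__":
    inodes = raw_socket_inodes(Path("/proc/net/packet").read_text(),
                               Path("/proc/net/raw").read_text())
    for pid, reasons in suspicious_processes(inodes, collect_live()).items():
        print(pid, "; ".join(reasons))
    if pid_marker_present():
        print("zero-byte", PID_MARKER, "present")
```

Run it as root so that every process's fd directory is readable; a process that holds a raw socket and whose argv[0] does not match its executable, or whose executable has been deleted, is the one to pull memory and binaries from first. A missing marker file is not a clean bill of health, since the path is trivial to change between builds.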
BPFDoor, a Linux/Unix backdoor, remains a significant threat to organizations globally. Its implant, tracked as 'JustForFun', disguises its process name so that it blends in with legitimate processes and evades security solutions that key on process names. As BPFDoor continues to evolve, system administrators should stay vigilant, audit which processes hold raw sockets, and apply robust security controls to their networks.