APTs Red Menshen expands targets to Linux and cloud servers, as seen in ransomware attacks on VMware ESXi, Mirai botnet variations, and cloud-focused stealers and crypto miners.
APT groups extend focus beyond Windows, signified by Sandworm’s attacks on Linux-based routers. Unlike cybercrime malware with broad targets, APT malware prioritizes persistent stealth and routine maintenance.
Red Menshen, an APT group active in the Middle East and Asia, continuously enhances the BPFDoor backdoor, utilizing Berkeley Packet Filter (BPF) to evade Linux and Solaris OS firewalls.
Cybersecurity researchers at Trend Micro identify the Linux and Solaris variants as Backdoor.Linux.BPFDOOR and Backdoor.Solaris.BPFDOOR.ZAJE, respectively, with added monitoring and detection patterns.
Red Menshen advances BPF filters, increasing instructions six-fold, indicating active development and successful deployment of BPFDoor.
The intriguing technical aspect of BPFDoor lies in its kernel-level loading of packet filters, commonly known as BPF or LSF in Linux, representing the same underlying technology.
BPFDoor’s BPF filters enable backdoor activation with a single network packet, bypassing firewalls by leveraging the kernel’s BPF engine, and this rootkit-like capability sets it apart from typical backdoors.
BPFDoor variants employ classic BPF filters, with Linux samples using SO_ATTACH_FILTER and Solaris samples utilizing libpcap functions for runtime filter loading.
When a packet with the magic number arrives, BPFDoor connects back to the source IP, establishing a distinct identifier-based communication.
A privileged reverse shell is established by BPFDoor, enabling remote command execution by the attacker through a pipe connection to the infected machine’s shell.
The samples of BPFDoor across 2018-2022 feature a uniform BPF program accepting unique magic numbers for the following protocols:-
The BPF program in these samples comprises 30 instructions, which measure the filter’s complexity, reads the report shared.
On the affected systems, there are three distinct packets that trigger the activation of the backdoor, and here below, we have mentioned them:-
Experts identified four telfhash-supported samples introducing a 4-byte magic number for TCP packets, resulting in a new BPF program with 39 instructions.
In 2023, three samples utilized an enhanced BPF program with 229 instructions, specifically validating ICMP packets as ICMP ECHO requests.
Here below, we have mentioned the countries targeted using BPFDoor:-
Here below, we have mentioned the industries targeted using BPFDoor:-
Incorporating BPF bytecode into malware poses a new complicated hurdle for security experts. So, the BPFDoor’s evolving filters indicate threat actors’ efforts to enhance stealth and evade detection.
Updating rules and diving into BPF filter analysis promptly is advised for network defenders and malware analysts.
The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…
White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…
Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…
The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…
Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…
WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…