The Discovery
Cybersecurity researchers have discovered a new controller component linked to the known backdoor BPFDoor, used in cyber attacks that targeted the telecommunications, finance, and retail sectors in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt throughout 2024.
“The controller can open a reverse shell,” said Trend Micro researcher Fernando Mercês in a technical report published earlier this week. “This enables lateral movement, allowing attackers to penetrate deeper into compromised networks, take control of additional systems, and potentially access sensitive data.”
Researchers have attributed the campaign—with medium confidence—to the threat group Earth Bluecrow, also known as DecisiveArchitect, Red Dev 18, and Red Menshen. This level of confidence stems from the fact that the BPFDoor malware source code was leaked in 2022, meaning other hacking groups may have adopted it as well.
BPFDoor is a Linux backdoor that first came to public attention in 2022, although it had already been used for long-term espionage operations against entities in Asia and the Middle East at least a year prior.
One of the malware’s most distinctive traits is its ability to establish a persistent yet covert communication channel, enabling threat actors to control compromised systems and exfiltrate sensitive data over extended periods.
BPFDoor Malware
The malware derives its name from its use of the Berkeley Packet Filter (BPF), a kernel facility that lets a program attach a packet filter to a socket. BPFDoor uses such a filter to inspect incoming packets for a specific magic byte sequence, and that sequence is what triggers its activity.
“Because of how BPF functions in the targeted operating system, the magic packet activates the backdoor even when a firewall blocks it,” Mercês noted. “As the packet reaches the kernel’s BPF engine, it triggers the resident backdoor. While rootkits often exhibit this kind of behavior, it’s uncommon in traditional backdoors.”
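A defender-side check that follows from the mechanism above, added here as an example (it is not code from the Trend Micro report or from the article): a passive BPF backdoor still needs a packet socket to see frames, and Linux lists every AF_PACKET socket in /proc/net/packet, so mapping each listed socket inode back to the process whose fd table references it surfaces listeners that have no business capturing traffic. The /proc layout is standard Linux; the allowlist of daemon names and the sample table are assumptions constructed for the example.

```python
import os
from typing import List, NamedTuple, Tuple

class PacketSocket(NamedTuple):
    inode: int
    sock_type: int  # 3 = SOCK_RAW, 2 = SOCK_DGRAM
    proto: int      # 0x0003 = ETH_P_ALL, i.e. every frame on the interface

def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) >= 9:
            sockets.append(PacketSocket(int(f[8]), int(f[2]), int(f[3], 16)))
    return sockets

def collect_fd_links(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Return (pid, comm, symlink target) for every fd of every process; run as root for a full view."""
    links = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            for fd in os.listdir(os.path.join(base, "fd")):
                links.append((int(pid), comm, os.readlink(os.path.join(base, "fd", fd))))
        except OSError:
            continue  # process exited, or no permission to read its fd table
    return links
# Daemons that legitimately hold packet sockets (assumed list); process names can be
# spoofed, so treat the allowlist as a triage aid, not as proof of legitimacy.
EXPECTED_CAPTURE_TOOLS = {"dhclient", "dhcpcd", "tcpdump", "NetworkManager", "wpa_supplicant"}

def find_unexpected_packet_sockets(table, fd_links, allowlist=EXPECTED_CAPTURE_TOOLS):
    """Return (pid, comm, PacketSocket) for packet sockets owned by processes not on the allowlist."""
    by_target = {f"socket:[{s.inode}]": s for s in table}
    return [(pid, comm, by_target[t]) for pid, comm, t in fd_links
            if t in by_target and comm not in allowlist]
# Constructed sample input (not from a real host) so the logic can be exercised offline.
SAMPLE_PACKET_TABLE = (
    "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "0000000000000000 3      3    0003   2     1 0      0      31337\n"
    "0000000000000000 3      2    0800   2     1 0      0      4242\n"
)
SAMPLE_FD_LINKS = [(512, "dhclient", "socket:[4242]"), (777, "suspect", "socket:[31337]"), (777, "suspect", "/dev/null")]

if __name__ == "__main__":
    with open("/proc/net/packet") as fh:
        live = parse_proc_net_packet(fh.read())
    for pid, comm, s in find_unexpected_packet_sockets(live, collect_fd_links()):
        print(f"pid={pid} comm={comm!r} inode={s.inode} type={s.sock_type} proto={s.proto:#06x}")
```

A SOCK_RAW socket with proto 0x0003 held by something that is not a known capture or DHCP daemon is the pattern worth pulling into incident triage; the sample table above yields exactly one such hit.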
Trend Micro’s latest analysis also revealed that the compromised Linux servers contained a previously undocumented controller. This component enables access to additional hosts in the same network once lateral movement has occurred.
“Before sending one of the ‘magic packets’ filtered by BPFDoor’s BPF module, the controller prompts its user for a password,” Mercês explained. “That password is also verified on the BPFDoor side.”
In the next step, the controller instructs the compromised machine to carry out one of the following actions, depending on the provided password and the command-line options used:
- Open a reverse shell
- Redirect new connections to a shell on a specified port
- Verify that the backdoor remains active
Notably, the password sent by the controller must match one of the hard-coded values embedded in the BPFDoor sample. In addition to supporting TCP, UDP, and ICMP protocols to take control of infected hosts, the controller can also activate an optional encrypted mode to ensure secure communication.
Moreover, the controller features a direct mode, which allows attackers to connect directly to a compromised machine and obtain shell access—though only when the correct password is supplied.
“BPF opens a new window of unexplored possibilities for malware authors to exploit,” Mercês said. “As threat researchers, we must stay prepared for future developments by analyzing BPF code. This approach will strengthen our ability to defend organizations against BPF-powered threats.”
Source: TheHackerNews