BPFDoor (Malware Family)

BPFDoor

aka: JustForFun

BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant.

References

2023-12-21 ⋅ Martin Clauß, Valentin Obst
BPF Memory Forensics with Volatility 3
BPFDoor TripleCross

2023-07-18 ⋅ Mandiant ⋅ Mandiant Intelligence
Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection
BPFDoor SALTWATER SEASPY SideWalk ZuoRAT Daxin HyperBro HyperSSL Waterbear

2023-07-13 ⋅ Trend Micro ⋅ Fernando Mercês
Detecting BPFDoor Backdoor Variants Abusing BPF Filters
BPFDoor Symbiote

2023-05-18 ⋅ Nikhil Hegde
Looking Closer at BPF Bytecode in BPFDoor
BPFDoor

2023-05-14 ⋅ unfinished.bike ⋅ Thomas Strömberg
Fun with the new bpfdoor (2023)
BPFDoor

2023-05-11 ⋅ Bleeping Computer ⋅ Bill Toulas
Stealthier version of Linux BPFDoor malware spotted in the wild
BPFDoor

2023-05-10 ⋅ Deep instinct ⋅ Deep Instinct Threat Lab
BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game
BPFDoor

2022-08-01 ⋅ Qualys ⋅ Harshal Tupsamudre
Here’s a Simple Script to Detect the Stealthy Nation-State BPFDoor
BPFDoor

2022-05-25 ⋅ CrowdStrike ⋅ Jamie Harris
Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun
BPFDoor

2022-05-17 ⋅ Elastic ⋅ Alex Bell, Colson Wilhoit, Jake King, Rhys Rustad-Elliott
A peek behind the BPFDoor
BPFDoor

2022-05-11 ⋅ ExaTrack ⋅ Tristan Pourcelot
Tricephalic Hellkeeper: a tale of a passive backdoor
BPFDoor Bvp47 Uroburos

2022-05-11 ⋅ Sandfly Security ⋅ The Sandfly Security Team
BPFDoor - An Evasive Linux Backdoor Technical Analysis
BPFDoor

2022-05-08 ⋅ Twitter (@CraigHRowland) ⋅ Craig Rowland
Twitter Thread with description of functionality for BPFDoor
BPFDoor

2022-05-08 ⋅ Twitter (@cyb3rops) ⋅ Florian Roth
Tweet on source code for BPFDoor found on VT
BPFDoor

2022-05-07 ⋅ DoublePulsar ⋅ Kevin Beaumont
BPFDoor — an active Chinese global surveillance tool
BPFDoor

2022-05-05 ⋅ Troopers Conference ⋅ Ben Jackson, Will Bonner
Tinker Telco Soldier Spy (to be given 2022-06-27)
BPFDoor GALLIUM

2022-04-28 ⋅ PWC ⋅ PWC UK
Cyber Threats 2021: A Year in Retrospect
BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER

Yara Rules

[TLP:WHITE] elf_bpfdoor_w0 (20220509 \| Detects unknown Linux implants (uploads from KR and MO)) rule elf_bpfdoor_w0 { meta: description = "Detects unknown Linux implants (uploads from KR and MO)" author = "Florian Roth" reference = "https://twitter.com/jcksnsec/status/1522163033585467393" date = "2022-05-05" score = 90 hash1 = "07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d" hash2 = "4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d" hash3 = "599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683" hash4 = "5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9" hash5 = "5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3" hash6 = "93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c" hash7 = "97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc" hash8 = "c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276" hash9 = "f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27" hash10 = "fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a" version = "1" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor" malpedia_rule_date = "20220509" malpedia_hash = "" malpedia_version = "20220509" malpedia_sharing = "TLP:WHITE" strings: $s1 = "[-] Connect failed." ascii fullword $s2 = "export MYSQL_HISTFILE=" ascii fullword $s3 = "udpcmd" ascii fullword $s4 = "getshell" ascii fullword $op1 = { e8 ?? ff ff ff 80 45 ee 01 0f b6 45 ee 3b 45 d4 7c 04 c6 45 ee 00 80 45 ff 01 80 7d ff 00 } $op2 = { 55 48 89 e5 48 83 ec 30 89 7d ec 48 89 75 e0 89 55 dc 83 7d dc 00 75 0? } $op3 = { e8 a? fe ff ff 0f b6 45 f6 48 03 45 e8 0f b6 10 0f b6 45 f7 48 03 45 e8 0f b6 00 8d 04 02 } $op4 = { c6 80 01 01 00 00 00 48 8b 45 c8 0f b6 90 01 01 00 00 48 8b 45 c8 88 90 00 01 00 00 c6 45 ef 00 0f b6 45 ef 88 45 ee } condition: uint16(0) == 0x457f and filesize < 80KB and 2 of them or 5 of them }
[TLP:WHITE] elf_bpfdoor_w1 (20220509 \| Detects BPFDoor implants used by Chinese actor Red Menshen) rule elf_bpfdoor_w1 { meta: description = "Detects BPFDoor implants used by Chinese actor Red Menshen" author = "Florian Roth" reference = "https://twitter.com/jcksnsec/status/1522163033585467393" date = "2022-05-07" score = 85 hash1 = "76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925" hash2 = "96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9" hash3 = "c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c" hash4 = "f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72" version = "1" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor" malpedia_rule_date = "20220509" malpedia_hash = "" malpedia_version = "20220509" malpedia_sharing = "TLP:WHITE" strings: $opx1 = { 48 83 c0 0c 48 8b 95 e8 fe ff ff 48 83 c2 0c 8b 0a 8b 55 f0 01 ca 89 10 c9 } $opx2 = { 48 01 45 e0 83 45 f4 01 8b 45 f4 3b 45 dc 7c cd c7 45 f4 00 00 00 00 eb 2? 48 8b 05 ?? ?? 20 00 } $op1 = { 48 8d 14 c5 00 00 00 00 48 8b 45 d0 48 01 d0 48 8b 00 48 89 c7 e8 ?? ?? ff ff 48 83 c0 01 48 01 45 e0 } $op2 = { 89 c2 8b 85 fc fe ff ff 01 c2 8b 45 f4 01 d0 2d 7b cf 10 2b 89 45 f4 c1 4d f4 10 } $op3 = { e8 ?? d? ff ff 8b 45 f0 eb 12 8b 85 3c ff ff ff 89 c7 e8 ?? d? ff ff b8 ff ff ff ff c9 } condition: uint16(0) == 0x457f and filesize < 100KB and 2 of ($opx*) or 4 of them }
[TLP:WHITE] elf_bpfdoor_w2 (20220509 \| Detects BPFDoor implants used by Chinese actor Red Menshen) rule elf_bpfdoor_w2 { meta: description = "Detects BPFDoor implants used by Chinese actor Red Menshen" author = "Florian Roth" reference = "https://twitter.com/jcksnsec/status/1522163033585467393" date = "2022-05-08" score = 85 hash1 = "144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3" hash2 = "fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73" version = "1" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor" malpedia_rule_date = "20220509" malpedia_hash = "" malpedia_version = "20220509" malpedia_sharing = "TLP:WHITE" strings: $s1 = "hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event" ascii fullword $s2 = "/sbin/mingetty /dev" ascii fullword $s3 = "pickup -l -t fifo -u" ascii fullword condition: uint16(0) == 0x457f and filesize < 200KB and 2 of them or all of them }
[TLP:WHITE] elf_bpfdoor_w3 (20230515 \| Detects BPFDoor, new 2023 variant) rule elf_bpfdoor_w3 { meta: description = "Detects BPFDoor, new 2023 variant" author = "Sorint.lab" creation_date = "2023-05-15" last_modified = "2023-05-15" reference_sample = "afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7" severity = 100 scan_context = "file, memory" os = "linux" notes = "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor" malpedia_version = "20230515" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" malpedia_rule_date = "20230515" malpedia_hash = "" strings: // BPF Code detected in the executable $op1 = { 28 00 00 00 0C 00 00 00 15 00 00 09 DD 86 00 00 } $op2 = { 15 00 11 10 BB 01 00 00 15 00 00 11 00 08 00 00 } // Magic number 0x4430CD9F $op3 = { 9F CD 30 44 } condition: uint16(0) == 0x457f and all of them }

Download all Yara Rules

[TLP:WHITE] elf_bpfdoor_w0 (20220509 \| Detects unknown Linux implants (uploads from KR and MO)) rule elf_bpfdoor_w0 { meta: description = "Detects unknown Linux implants (uploads from KR and MO)" author = "Florian Roth" reference = "https://twitter.com/jcksnsec/status/1522163033585467393" date = "2022-05-05" score = 90 hash1 = "07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d" hash2 = "4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d" hash3 = "599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683" hash4 = "5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9" hash5 = "5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3" hash6 = "93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c" hash7 = "97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc" hash8 = "c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276" hash9 = "f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27" hash10 = "fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a" version = "1" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor" malpedia_rule_date = "20220509" malpedia_hash = "" malpedia_version = "20220509" malpedia_sharing = "TLP:WHITE" strings: $s1 = "[-] Connect failed." ascii fullword $s2 = "export MYSQL_HISTFILE=" ascii fullword $s3 = "udpcmd" ascii fullword $s4 = "getshell" ascii fullword $op1 = { e8 ?? ff ff ff 80 45 ee 01 0f b6 45 ee 3b 45 d4 7c 04 c6 45 ee 00 80 45 ff 01 80 7d ff 00 } $op2 = { 55 48 89 e5 48 83 ec 30 89 7d ec 48 89 75 e0 89 55 dc 83 7d dc 00 75 0? } $op3 = { e8 a? fe ff ff 0f b6 45 f6 48 03 45 e8 0f b6 10 0f b6 45 f7 48 03 45 e8 0f b6 00 8d 04 02 } $op4 = { c6 80 01 01 00 00 00 48 8b 45 c8 0f b6 90 01 01 00 00 48 8b 45 c8 88 90 00 01 00 00 c6 45 ef 00 0f b6 45 ef 88 45 ee } condition: uint16(0) == 0x457f and filesize < 80KB and 2 of them or 5 of them }
[TLP:WHITE] elf_bpfdoor_w1 (20220509 \| Detects BPFDoor implants used by Chinese actor Red Menshen) rule elf_bpfdoor_w1 { meta: description = "Detects BPFDoor implants used by Chinese actor Red Menshen" author = "Florian Roth" reference = "https://twitter.com/jcksnsec/status/1522163033585467393" date = "2022-05-07" score = 85 hash1 = "76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925" hash2 = "96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9" hash3 = "c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c" hash4 = "f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72" version = "1" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor" malpedia_rule_date = "20220509" malpedia_hash = "" malpedia_version = "20220509" malpedia_sharing = "TLP:WHITE" strings: $opx1 = { 48 83 c0 0c 48 8b 95 e8 fe ff ff 48 83 c2 0c 8b 0a 8b 55 f0 01 ca 89 10 c9 } $opx2 = { 48 01 45 e0 83 45 f4 01 8b 45 f4 3b 45 dc 7c cd c7 45 f4 00 00 00 00 eb 2? 48 8b 05 ?? ?? 20 00 } $op1 = { 48 8d 14 c5 00 00 00 00 48 8b 45 d0 48 01 d0 48 8b 00 48 89 c7 e8 ?? ?? ff ff 48 83 c0 01 48 01 45 e0 } $op2 = { 89 c2 8b 85 fc fe ff ff 01 c2 8b 45 f4 01 d0 2d 7b cf 10 2b 89 45 f4 c1 4d f4 10 } $op3 = { e8 ?? d? ff ff 8b 45 f0 eb 12 8b 85 3c ff ff ff 89 c7 e8 ?? d? ff ff b8 ff ff ff ff c9 } condition: uint16(0) == 0x457f and filesize < 100KB and 2 of ($opx*) or 4 of them }
[TLP:WHITE] elf_bpfdoor_w2 (20220509 \| Detects BPFDoor implants used by Chinese actor Red Menshen) rule elf_bpfdoor_w2 { meta: description = "Detects BPFDoor implants used by Chinese actor Red Menshen" author = "Florian Roth" reference = "https://twitter.com/jcksnsec/status/1522163033585467393" date = "2022-05-08" score = 85 hash1 = "144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3" hash2 = "fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73" version = "1" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor" malpedia_rule_date = "20220509" malpedia_hash = "" malpedia_version = "20220509" malpedia_sharing = "TLP:WHITE" strings: $s1 = "hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event" ascii fullword $s2 = "/sbin/mingetty /dev" ascii fullword $s3 = "pickup -l -t fifo -u" ascii fullword condition: uint16(0) == 0x457f and filesize < 200KB and 2 of them or all of them }
[TLP:WHITE] elf_bpfdoor_w3 (20230515 \| Detects BPFDoor, new 2023 variant) rule elf_bpfdoor_w3 { meta: description = "Detects BPFDoor, new 2023 variant" author = "Sorint.lab" creation_date = "2023-05-15" last_modified = "2023-05-15" reference_sample = "afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7" severity = 100 scan_context = "file, memory" os = "linux" notes = "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor" malpedia_version = "20230515" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" malpedia_rule_date = "20230515" malpedia_hash = "" strings: // BPF Code detected in the executable $op1 = { 28 00 00 00 0C 00 00 00 15 00 00 09 DD 86 00 00 } $op2 = { 15 00 11 10 BB 01 00 00 15 00 00 11 00 08 00 00 } // Magic number 0x4430CD9F $op3 = { 9F CD 30 44 } condition: uint16(0) == 0x457f and all of them }

BPFDoor Propose Change

References

Yara Rules

BPFDoor