SYMBOLCOMMON_NAMEaka. SYNONYMS
elf.bpfdoor (Back to overview)

BPFDoor

aka: JustForFun

Actor(s): Red Menshen


BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant.

References
2023-12-21Martin Clauß, Valentin Obst
BPF Memory Forensics with Volatility 3
BPFDoor TripleCross
2023-07-18MandiantMandiant Intelligence
Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection
BPFDoor SALTWATER SEASPY SideWalk ZuoRAT Daxin HyperBro HyperSSL Waterbear
2023-07-13Trend MicroFernando Mercês
Detecting BPFDoor Backdoor Variants Abusing BPF Filters
BPFDoor Symbiote
2023-05-18Nikhil Hegde
Looking Closer at BPF Bytecode in BPFDoor
BPFDoor
2023-05-14unfinished.bikeThomas Strömberg
Fun with the new bpfdoor (2023)
BPFDoor
2023-05-11Bleeping ComputerBill Toulas
Stealthier version of Linux BPFDoor malware spotted in the wild
BPFDoor
2023-05-10Deep instinctDeep Instinct Threat Lab
BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game
BPFDoor
2022-08-01QualysHarshal Tupsamudre
Here’s a Simple Script to Detect the Stealthy Nation-State BPFDoor
BPFDoor
2022-05-25CrowdStrikeJamie Harris
Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun
BPFDoor
2022-05-17ElasticAlex Bell, Colson Wilhoit, Jake King, Rhys Rustad-Elliott
A peek behind the BPFDoor
BPFDoor
2022-05-11ExaTrackTristan Pourcelot
Tricephalic Hellkeeper: a tale of a passive backdoor
BPFDoor Bvp47 Uroburos
2022-05-11Sandfly SecurityThe Sandfly Security Team
BPFDoor - An Evasive Linux Backdoor Technical Analysis
BPFDoor
2022-05-08Twitter (@CraigHRowland)Craig Rowland
Twitter Thread with description of functionality for BPFDoor
BPFDoor
2022-05-08Twitter (@cyb3rops)Florian Roth
Tweet on source code for BPFDoor found on VT
BPFDoor
2022-05-07DoublePulsarKevin Beaumont
BPFDoor — an active Chinese global surveillance tool
BPFDoor
2022-05-05Troopers ConferenceBen Jackson, Will Bonner
Tinker Telco Soldier Spy (to be given 2022-06-27)
BPFDoor GALLIUM
2022-04-28PWCPWC UK
Cyber Threats 2021: A Year in Retrospect
BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER
Yara Rules
[TLP:WHITE] elf_bpfdoor_w0 (20220509 | Detects unknown Linux implants (uploads from KR and MO))
rule elf_bpfdoor_w0 {
    meta:
        description = "Detects unknown Linux implants (uploads from KR and MO)"
        author = "Florian Roth"
        reference = "https://twitter.com/jcksnsec/status/1522163033585467393"
        date = "2022-05-05"
        score = 90
        hash1 = "07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d"
        hash2 = "4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d"
        hash3 = "599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683"
        hash4 = "5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9"
        hash5 = "5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3"
        hash6 = "93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c"
        hash7 = "97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc"
        hash8 = "c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276"
        hash9 = "f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27"
        hash10 = "fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a"
        version = "1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor"
        malpedia_rule_date = "20220509"
        malpedia_hash = ""
        malpedia_version = "20220509"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "[-] Connect failed." ascii fullword
        $s2 = "export MYSQL_HISTFILE=" ascii fullword
        $s3 = "udpcmd" ascii fullword
        $s4 = "getshell" ascii fullword

        $op1 = { e8 ?? ff ff ff 80 45 ee 01 0f b6 45 ee 3b 45 d4 7c 04 c6 45 ee 00 80 45 ff 01 80 7d ff 00 }
        $op2 = { 55 48 89 e5 48 83 ec 30 89 7d ec 48 89 75 e0 89 55 dc 83 7d dc 00 75 0? }
        $op3 = { e8 a? fe ff ff 0f b6 45 f6 48 03 45 e8 0f b6 10 0f b6 45 f7 48 03 45 e8 0f b6 00 8d 04 02 }
        $op4 = { c6 80 01 01 00 00 00 48 8b 45 c8 0f b6 90 01 01 00 00 48 8b 45 c8 88 90 00 01 00 00 c6 45 ef 00 0f b6 45 ef 88 45 ee }
    condition:
        uint16(0) == 0x457f and
        filesize < 80KB and 2 of them or 5 of them
}
[TLP:WHITE] elf_bpfdoor_w1 (20220509 | Detects BPFDoor implants used by Chinese actor Red Menshen)
rule elf_bpfdoor_w1 {
    meta:
        description = "Detects BPFDoor implants used by Chinese actor Red Menshen"
        author = "Florian Roth"
        reference = "https://twitter.com/jcksnsec/status/1522163033585467393"
        date = "2022-05-07"
        score = 85
        hash1 = "76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925"
        hash2 = "96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9"
        hash3 = "c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c"
        hash4 = "f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72"
        version = "1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor"
        malpedia_rule_date = "20220509"
        malpedia_hash = ""
        malpedia_version = "20220509"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $opx1 = { 48 83 c0 0c 48 8b 95 e8 fe ff ff 48 83 c2 0c 8b 0a 8b 55 f0 01 ca 89 10 c9 }
        $opx2 = { 48 01 45 e0 83 45 f4 01 8b 45 f4 3b 45 dc 7c cd c7 45 f4 00 00 00 00 eb 2? 48 8b 05 ?? ?? 20 00 }

        $op1 = { 48 8d 14 c5 00 00 00 00 48 8b 45 d0 48 01 d0 48 8b 00 48 89 c7 e8 ?? ?? ff ff 48 83 c0 01 48 01 45 e0 }
        $op2 = { 89 c2 8b 85 fc fe ff ff 01 c2 8b 45 f4 01 d0 2d 7b cf 10 2b 89 45 f4 c1 4d f4 10 }
        $op3 = { e8 ?? d? ff ff 8b 45 f0 eb 12 8b 85 3c ff ff ff 89 c7 e8 ?? d? ff ff b8 ff ff ff ff c9 }
    condition:
        uint16(0) == 0x457f and
        filesize < 100KB and 2 of ($opx*) or 4 of them
}
[TLP:WHITE] elf_bpfdoor_w2 (20220509 | Detects BPFDoor implants used by Chinese actor Red Menshen)
rule elf_bpfdoor_w2 {
    meta:
        description = "Detects BPFDoor implants used by Chinese actor Red Menshen"
        author = "Florian Roth"
        reference = "https://twitter.com/jcksnsec/status/1522163033585467393"
        date = "2022-05-08"
        score = 85
        hash1 = "144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3"
        hash2 = "fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73"
        version = "1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor"
        malpedia_rule_date = "20220509"
        malpedia_hash = ""
        malpedia_version = "20220509"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event" ascii fullword
        $s2 = "/sbin/mingetty /dev" ascii fullword
        $s3 = "pickup -l -t fifo -u" ascii fullword
    condition:
        uint16(0) == 0x457f and
        filesize < 200KB and 2 of them or all of them
}
[TLP:WHITE] elf_bpfdoor_w3 (20230515 | Detects BPFDoor, new 2023 variant)
rule elf_bpfdoor_w3 {
    meta:
        description = "Detects BPFDoor, new 2023 variant"
        author = "Sorint.lab"
        creation_date = "2023-05-15"
        last_modified = "2023-05-15"
        reference_sample = "afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7"
        severity = 100
        scan_context = "file, memory"
        os = "linux"
        notes = "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor"
        malpedia_version = "20230515"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        malpedia_rule_date = "20230515"
        malpedia_hash = ""
    strings:
        // BPF Code detected in the executable
        $op1 = { 28 00 00 00 0C 00 00 00 15 00 00 09 DD 86 00 00 }
        $op2 = { 15 00 11 10 BB 01 00 00 15 00 00 11 00 08 00 00 }
        // Magic number 0x4430CD9F
        $op3 = { 9F CD 30 44 }
    condition:
        uint16(0) == 0x457f and all of them
}
Download all Yara Rules