elf.bpfdoor

BPFDoor

aka: JustForFun

Actor(s): Red Menshen


BPFDoor is a passive backdoor used by a China-based threat actor. It supports multiple protocols for communicating with a C2, including TCP, UDP, and ICMP, which gives the threat actor a variety of mechanisms for interacting with the implant.

References

2023-07-18 | Mandiant | Mandiant Intelligence
@online{intelligence:20230718:stealth:789e8b1, author = {Mandiant Intelligence}, title = {{Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection}}, date = {2023-07-18}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/chinese-espionage-tactics}, language = {English}, urldate = {2023-07-19} }
Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection
Families: BPFDoor SALTWATER SEASPY SideWalk ZuoRAT Daxin HyperBro HyperSSL Waterbear

2023-07-13 | Trend Micro | Fernando Mercês
@online{mercs:20230713:detecting:41237c5, author = {Fernando Mercês}, title = {{Detecting BPFDoor Backdoor Variants Abusing BPF Filters}}, date = {2023-07-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html}, language = {English}, urldate = {2023-07-16} }
Detecting BPFDoor Backdoor Variants Abusing BPF Filters
Families: BPFDoor Symbiote

2023-05-18 | Nikhil Hegde
@online{hegde:20230518:looking:24677ca, author = {Nikhil Hegde}, title = {{Looking Closer at BPF Bytecode in BPFDoor}}, date = {2023-05-18}, url = {https://nikhilh-20.github.io/blog/cbpf_bpfdoor/}, language = {English}, urldate = {2023-05-21} }
Looking Closer at BPF Bytecode in BPFDoor
Families: BPFDoor

2023-05-14 | unfinished.bike | Thomas Strömberg
@online{strmberg:20230514:fun:778ad3b, author = {Thomas Strömberg}, title = {{Fun with the new bpfdoor (2023)}}, date = {2023-05-14}, organization = {unfinished.bike}, url = {https://unfinished.bike/fun-with-the-new-bpfdoor-2023}, language = {English}, urldate = {2023-05-24} }
Fun with the new bpfdoor (2023)
Families: BPFDoor

2023-05-11 | Bleeping Computer | Bill Toulas
@online{toulas:20230511:stealthier:8a10017, author = {Bill Toulas}, title = {{Stealthier version of Linux BPFDoor malware spotted in the wild}}, date = {2023-05-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/stealthier-version-of-linux-bpfdoor-malware-spotted-in-the-wild/}, language = {English}, urldate = {2023-05-15} }
Stealthier version of Linux BPFDoor malware spotted in the wild
Families: BPFDoor

2023-05-10 | Deep instinct | Deep Instinct Threat Lab
@online{lab:20230510:bpfdoor:d22b474, author = {Deep Instinct Threat Lab}, title = {{BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game}}, date = {2023-05-10}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game}, language = {English}, urldate = {2023-05-11} }
BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game
Families: BPFDoor

2022-08-01 | Qualys | Harshal Tupsamudre
@online{tupsamudre:20220801:heres:5d6e628, author = {Harshal Tupsamudre}, title = {{Here’s a Simple Script to Detect the Stealthy Nation-State BPFDoor}}, date = {2022-08-01}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor}, language = {English}, urldate = {2022-08-02} }
Here’s a Simple Script to Detect the Stealthy Nation-State BPFDoor
Families: BPFDoor

2022-05-25 | CrowdStrike | Jamie Harris
@online{harris:20220525:hunting:48d53ea, author = {Jamie Harris}, title = {{Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun}}, date = {2022-05-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/}, language = {English}, urldate = {2022-05-29} }
Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun
Families: BPFDoor

2022-05-17 | Elastic | Colson Wilhoit, Alex Bell, Rhys Rustad-Elliott, Jake King
@online{wilhoit:20220517:peek:fea1eeb, author = {Colson Wilhoit and Alex Bell and Rhys Rustad-Elliott and Jake King}, title = {{A peek behind the BPFDoor}}, date = {2022-05-17}, organization = {Elastic}, url = {https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/#}, language = {English}, urldate = {2022-05-25} }
A peek behind the BPFDoor
Families: BPFDoor

2022-05-11 | ExaTrack | Tristan Pourcelot
@techreport{pourcelot:20220511:tricephalic:d8d6265, author = {Tristan Pourcelot}, title = {{Tricephalic Hellkeeper: a tale of a passive backdoor}}, date = {2022-05-11}, institution = {ExaTrack}, url = {https://exatrack.com/public/Tricephalic_Hellkeeper.pdf}, language = {English}, urldate = {2022-05-25} }
Tricephalic Hellkeeper: a tale of a passive backdoor
Families: BPFDoor Bvp47 Uroburos

2022-05-11 | Sandfly Security | The Sandfly Security Team
@online{team:20220511:bpfdoor:306b873, author = {The Sandfly Security Team}, title = {{BPFDoor - An Evasive Linux Backdoor Technical Analysis}}, date = {2022-05-11}, organization = {Sandfly Security}, url = {https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/}, language = {English}, urldate = {2022-05-11} }
BPFDoor - An Evasive Linux Backdoor Technical Analysis
Families: BPFDoor

2022-05-08 | Twitter (@cyb3rops) | Florian Roth
@online{roth:20220508:source:86add3e, author = {Florian Roth}, title = {{Tweet on source code for BPFDoor found on VT}}, date = {2022-05-08}, organization = {Twitter (@cyb3rops)}, url = {https://twitter.com/cyb3rops/status/1523227511551033349}, language = {English}, urldate = {2022-05-09} }
Tweet on source code for BPFDoor found on VT
Families: BPFDoor

2022-05-08 | Twitter (@CraigHRowland) | Craig Rowland
@online{rowland:20220508:twitter:bf58ca0, author = {Craig Rowland}, title = {{Twitter Thread with description of functionality for BPFDoor}}, date = {2022-05-08}, organization = {Twitter (@CraigHRowland)}, url = {https://twitter.com/CraigHRowland/status/1523266585133457408}, language = {English}, urldate = {2022-06-09} }
Twitter Thread with description of functionality for BPFDoor
Families: BPFDoor

2022-05-07 | DoublePulsar | Kevin Beaumont
@online{beaumont:20220507:bpfdoor:9d41f91, author = {Kevin Beaumont}, title = {{BPFDoor — an active Chinese global surveillance tool}}, date = {2022-05-07}, organization = {DoublePulsar}, url = {https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896}, language = {English}, urldate = {2022-05-09} }
BPFDoor — an active Chinese global surveillance tool
Families: BPFDoor

2022-05-05 | Troopers Conference | Ben Jackson, Will Bonner
@online{jackson:20220505:tinker:2cde4e9, author = {Ben Jackson and Will Bonner}, title = {{Tinker Telco Soldier Spy (to be given 2022-06-27)}}, date = {2022-05-05}, organization = {Troopers Conference}, url = {https://troopers.de/troopers22/talks/7cv8pz/}, language = {English}, urldate = {2022-05-06} }
Tinker Telco Soldier Spy (to be given 2022-06-27)
Families: BPFDoor GALLIUM

2022-04-28 | PWC | PWC UK
@techreport{uk:20220428:cyber:46707aa, author = {PWC UK}, title = {{Cyber Threats 2021: A Year in Retrospect}}, date = {2022-04-28}, institution = {PWC}, url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf}, language = {English}, urldate = {2023-07-02} }
Cyber Threats 2021: A Year in Retrospect
Families: BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER
Yara Rules
[TLP:WHITE] elf_bpfdoor_w0 (20220509 | Detects unknown Linux implants (uploads from KR and MO))
rule elf_bpfdoor_w0 {
    meta:
        description = "Detects unknown Linux implants (uploads from KR and MO)"
        author = "Florian Roth"
        reference = "https://twitter.com/jcksnsec/status/1522163033585467393"
        date = "2022-05-05"
        score = 90
        hash1 = "07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d"
        hash2 = "4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d"
        hash3 = "599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683"
        hash4 = "5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9"
        hash5 = "5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3"
        hash6 = "93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c"
        hash7 = "97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc"
        hash8 = "c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276"
        hash9 = "f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27"
        hash10 = "fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a"
        version = "1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor"
        malpedia_rule_date = "20220509"
        malpedia_hash = ""
        malpedia_version = "20220509"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "[-] Connect failed." ascii fullword
        $s2 = "export MYSQL_HISTFILE=" ascii fullword
        $s3 = "udpcmd" ascii fullword
        $s4 = "getshell" ascii fullword

        $op1 = { e8 ?? ff ff ff 80 45 ee 01 0f b6 45 ee 3b 45 d4 7c 04 c6 45 ee 00 80 45 ff 01 80 7d ff 00 }
        $op2 = { 55 48 89 e5 48 83 ec 30 89 7d ec 48 89 75 e0 89 55 dc 83 7d dc 00 75 0? }
        $op3 = { e8 a? fe ff ff 0f b6 45 f6 48 03 45 e8 0f b6 10 0f b6 45 f7 48 03 45 e8 0f b6 00 8d 04 02 }
        $op4 = { c6 80 01 01 00 00 00 48 8b 45 c8 0f b6 90 01 01 00 00 48 8b 45 c8 88 90 00 01 00 00 c6 45 ef 00 0f b6 45 ef 88 45 ee }
    condition:
        uint16(0) == 0x457f and
        filesize < 80KB and 2 of them or 5 of them
}
[TLP:WHITE] elf_bpfdoor_w1 (20220509 | Detects BPFDoor implants used by Chinese actor Red Menshen)
rule elf_bpfdoor_w1 {
    meta:
        description = "Detects BPFDoor implants used by Chinese actor Red Menshen"
        author = "Florian Roth"
        reference = "https://twitter.com/jcksnsec/status/1522163033585467393"
        date = "2022-05-07"
        score = 85
        hash1 = "76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925"
        hash2 = "96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9"
        hash3 = "c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c"
        hash4 = "f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72"
        version = "1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor"
        malpedia_rule_date = "20220509"
        malpedia_hash = ""
        malpedia_version = "20220509"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $opx1 = { 48 83 c0 0c 48 8b 95 e8 fe ff ff 48 83 c2 0c 8b 0a 8b 55 f0 01 ca 89 10 c9 }
        $opx2 = { 48 01 45 e0 83 45 f4 01 8b 45 f4 3b 45 dc 7c cd c7 45 f4 00 00 00 00 eb 2? 48 8b 05 ?? ?? 20 00 }

        $op1 = { 48 8d 14 c5 00 00 00 00 48 8b 45 d0 48 01 d0 48 8b 00 48 89 c7 e8 ?? ?? ff ff 48 83 c0 01 48 01 45 e0 }
        $op2 = { 89 c2 8b 85 fc fe ff ff 01 c2 8b 45 f4 01 d0 2d 7b cf 10 2b 89 45 f4 c1 4d f4 10 }
        $op3 = { e8 ?? d? ff ff 8b 45 f0 eb 12 8b 85 3c ff ff ff 89 c7 e8 ?? d? ff ff b8 ff ff ff ff c9 }
    condition:
        uint16(0) == 0x457f and
        filesize < 100KB and 2 of ($opx*) or 4 of them
}
[TLP:WHITE] elf_bpfdoor_w2 (20220509 | Detects BPFDoor implants used by Chinese actor Red Menshen)
rule elf_bpfdoor_w2 {
    meta:
        description = "Detects BPFDoor implants used by Chinese actor Red Menshen"
        author = "Florian Roth"
        reference = "https://twitter.com/jcksnsec/status/1522163033585467393"
        date = "2022-05-08"
        score = 85
        hash1 = "144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3"
        hash2 = "fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73"
        version = "1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor"
        malpedia_rule_date = "20220509"
        malpedia_hash = ""
        malpedia_version = "20220509"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event" ascii fullword
        $s2 = "/sbin/mingetty /dev" ascii fullword
        $s3 = "pickup -l -t fifo -u" ascii fullword
    condition:
        uint16(0) == 0x457f and
        filesize < 200KB and 2 of them or all of them
}
[TLP:WHITE] elf_bpfdoor_w3 (20230515 | Detects BPFDoor, new 2023 variant)
rule elf_bpfdoor_w3 {
    meta:
        description = "Detects BPFDoor, new 2023 variant"
        author = "Sorint.lab"
        creation_date = "2023-05-15"
        last_modified = "2023-05-15"
        reference_sample = "afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7"
        severity = 100
        scan_context = "file, memory"
        os = "linux"
        notes = "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor"
        malpedia_version = "20230515"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        malpedia_rule_date = "20230515"
        malpedia_hash = ""
    strings:
        // BPF Code detected in the executable
        $op1 = { 28 00 00 00 0C 00 00 00 15 00 00 09 DD 86 00 00 }
        $op2 = { 15 00 11 10 BB 01 00 00 15 00 00 11 00 08 00 00 }
        // Magic number 0x4430CD9F
        $op3 = { 9F CD 30 44 }
    condition:
        uint16(0) == 0x457f and all of them
}