Symbol: elf.bpfdoor

BPFDoor

Actor(s): Red Menshen


BPFDoor is a passive backdoor used by a China-based threat actor. The backdoor supports multiple protocols for communicating with a C2, including TCP, UDP, and ICMP, giving the threat actor a variety of mechanisms to interact with the implant.

References
2022-05-17 | Elastic | Colson Wilhoit, Alex Bell, Rhys Rustad-Elliott, Jake King
@online{wilhoit:20220517:peek:fea1eeb, author = {Colson Wilhoit and Alex Bell and Rhys Rustad-Elliott and Jake King}, title = {{A peek behind the BPFDoor}}, date = {2022-05-17}, organization = {Elastic}, url = {https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/#}, language = {English}, urldate = {2022-05-25} } A peek behind the BPFDoor
BPFDoor
2022-05-11 | ExaTrack | Tristan Pourcelot
@techreport{pourcelot:20220511:tricephalic:d8d6265, author = {Tristan Pourcelot}, title = {{Tricephalic Hellkeeper: a tale of a passive backdoor}}, date = {2022-05-11}, institution = {ExaTrack}, url = {https://exatrack.com/public/Tricephalic_Hellkeeper.pdf}, language = {English}, urldate = {2022-05-25} } Tricephalic Hellkeeper: a tale of a passive backdoor
BPFDoor Bvp47 Uroburos
2022-05-11 | Sandfly Security | The Sandfly Security Team
@online{team:20220511:bpfdoor:306b873, author = {The Sandfly Security Team}, title = {{BPFDoor - An Evasive Linux Backdoor Technical Analysis}}, date = {2022-05-11}, organization = {Sandfly Security}, url = {https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/}, language = {English}, urldate = {2022-05-11} } BPFDoor - An Evasive Linux Backdoor Technical Analysis
BPFDoor
2022-05-08 | Twitter (@cyb3rops) | Florian Roth
@online{roth:20220508:source:86add3e, author = {Florian Roth}, title = {{Tweet on source code for BPFDoor found on VT}}, date = {2022-05-08}, organization = {Twitter (@cyb3rops)}, url = {https://twitter.com/cyb3rops/status/1523227511551033349}, language = {English}, urldate = {2022-05-09} } Tweet on source code for BPFDoor found on VT
BPFDoor
2022-05-08 | Twitter (@CraigHRowland) | Craig Rowland
@online{rowland:20220508:twitter:bf58ca0, author = {Craig Rowland}, title = {{Twitter Threat with description of functionality for BPFDoor}}, date = {2022-05-08}, organization = {Twitter (@CraigHRowland)}, url = {https://twitter.com/CraigHRowland/status/1523266585133457408}, language = {English}, urldate = {2022-05-09} } Twitter Threat with description of functionality for BPFDoor
BPFDoor
2022-05-07 | DoublePulsar | Kevin Beaumont
@online{beaumont:20220507:bpfdoor:9d41f91, author = {Kevin Beaumont}, title = {{BPFDoor — an active Chinese global surveillance tool}}, date = {2022-05-07}, organization = {DoublePulsar}, url = {https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896}, language = {English}, urldate = {2022-05-09} } BPFDoor — an active Chinese global surveillance tool
BPFDoor
2022-05-05 | Troopers Conference | Ben Jackson, Will Bonner
@online{jackson:20220505:tinker:2cde4e9, author = {Ben Jackson and Will Bonner}, title = {{Tinker Telco Soldier Spy (to be given 2022-06-27)}}, date = {2022-05-05}, organization = {Troopers Conference}, url = {https://troopers.de/troopers22/talks/7cv8pz/}, language = {English}, urldate = {2022-05-06} } Tinker Telco Soldier Spy (to be given 2022-06-27)
BPFDoor GALLIUM
Yara Rules
[TLP:WHITE] elf_bpfdoor_w0 (20220509 | Detects unknown Linux implants (uploads from KR and MO))
rule elf_bpfdoor_w0 {
    // Flags Linux implants that share plain-text strings and code byte
    // sequences with the ten samples listed as hash1..hash10 in meta.
    meta:
        description = "Detects unknown Linux implants (uploads from KR and MO)"
        author = "Florian Roth"
        reference = "https://twitter.com/jcksnsec/status/1522163033585467393"
        date = "2022-05-05"
        score = 90
        hash1 = "07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d"
        hash2 = "4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d"
        hash3 = "599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683"
        hash4 = "5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9"
        hash5 = "5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3"
        hash6 = "93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c"
        hash7 = "97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc"
        hash8 = "c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276"
        hash9 = "f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27"
        hash10 = "fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a"
        version = "1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor"
        malpedia_rule_date = "20220509"
        malpedia_hash = ""
        malpedia_version = "20220509"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Plain ASCII artifacts. 'fullword' requires each match to be bounded
        // by non-alphanumeric bytes, so e.g. "udpcmd" inside a longer
        // identifier does not count.
        $s1 = "[-] Connect failed." ascii fullword
        $s2 = "export MYSQL_HISTFILE=" ascii fullword
        $s3 = "udpcmd" ascii fullword
        $s4 = "getshell" ascii fullword

        // Code byte sequences taken from the samples; '?' is a nibble wildcard
        // that absorbs addresses and displacements which vary between builds.
        $op1 = { e8 ?? ff ff ff 80 45 ee 01 0f b6 45 ee 3b 45 d4 7c 04 c6 45 ee 00 80 45 ff 01 80 7d ff 00 }
        $op2 = { 55 48 89 e5 48 83 ec 30 89 7d ec 48 89 75 e0 89 55 dc 83 7d dc 00 75 0? }
        $op3 = { e8 a? fe ff ff 0f b6 45 f6 48 03 45 e8 0f b6 10 0f b6 45 f7 48 03 45 e8 0f b6 00 8d 04 02 }
        $op4 = { c6 80 01 01 00 00 00 48 8b 45 c8 0f b6 90 01 01 00 00 48 8b 45 c8 88 90 00 01 00 00 c6 45 ef 00 0f b6 45 ef 88 45 ee }
    condition:
        // In YARA 'and' binds tighter than 'or', so the original condition
        // already groups as written below; the parentheses only make that
        // explicit. Branch 1: an ELF file (0x7f 'E' read as little-endian
        // uint16) under 80KB with any two of the eight strings. Branch 2: five
        // matching strings are sufficient on their own, with no header or size
        // gate -- presumably so that non-file scans still fire; confirm
        // against the referenced analyses before tightening.
        (
            uint16(0) == 0x457f and
            filesize < 80KB and
            2 of them
        )
        or 5 of them
}
[TLP:WHITE] elf_bpfdoor_w1 (20220509 | Detects BPFDoor implants used by Chinese actor Red Menshen)
rule elf_bpfdoor_w1 {
    // Code-pattern-only rule for the BPFDoor samples listed as hash1..hash4;
    // no plain-text strings are used, so string-stripped builds are still
    // covered as long as the code sequences survive.
    meta:
        description = "Detects BPFDoor implants used by Chinese actor Red Menshen"
        author = "Florian Roth"
        reference = "https://twitter.com/jcksnsec/status/1522163033585467393"
        date = "2022-05-07"
        score = 85
        hash1 = "76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925"
        hash2 = "96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9"
        hash3 = "c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c"
        hash4 = "f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72"
        version = "1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor"
        malpedia_rule_date = "20220509"
        malpedia_hash = ""
        malpedia_version = "20220509"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // The $opx group is weighted more heavily by the condition: both of
        // these are enough inside the ELF/size gate. '?' is a nibble wildcard.
        $opx1 = { 48 83 c0 0c 48 8b 95 e8 fe ff ff 48 83 c2 0c 8b 0a 8b 55 f0 01 ca 89 10 c9 }
        $opx2 = { 48 01 45 e0 83 45 f4 01 8b 45 f4 3b 45 dc 7c cd c7 45 f4 00 00 00 00 eb 2? 48 8b 05 ?? ?? 20 00 }

        // The $op group only contributes to the ungated "4 of them" branch.
        $op1 = { 48 8d 14 c5 00 00 00 00 48 8b 45 d0 48 01 d0 48 8b 00 48 89 c7 e8 ?? ?? ff ff 48 83 c0 01 48 01 45 e0 }
        $op2 = { 89 c2 8b 85 fc fe ff ff 01 c2 8b 45 f4 01 d0 2d 7b cf 10 2b 89 45 f4 c1 4d f4 10 }
        $op3 = { e8 ?? d? ff ff 8b 45 f0 eb 12 8b 85 3c ff ff ff 89 c7 e8 ?? d? ff ff b8 ff ff ff ff c9 }
    condition:
        // Same grouping as the original ('and' binds tighter than 'or'); the
        // parentheses are explicit here. Branch 1: ELF magic (0x7f 'E' as a
        // little-endian uint16), under 100KB, and both $opx sequences.
        // Branch 2: any four of the five sequences, with no header or size
        // gate.
        (
            uint16(0) == 0x457f and
            filesize < 100KB and
            2 of ($opx*)
        )
        or 4 of them
}
[TLP:WHITE] elf_bpfdoor_w2 (20220509 | Detects BPFDoor implants used by Chinese actor Red Menshen)
rule elf_bpfdoor_w2 {
    // String-only rule for the two BPFDoor samples listed as hash1 and hash2.
    meta:
        description = "Detects BPFDoor implants used by Chinese actor Red Menshen"
        author = "Florian Roth"
        reference = "https://twitter.com/jcksnsec/status/1522163033585467393"
        date = "2022-05-08"
        score = 85
        hash1 = "144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3"
        hash2 = "fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73"
        version = "1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor"
        malpedia_rule_date = "20220509"
        malpedia_hash = ""
        malpedia_version = "20220509"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Three ASCII strings that read like command lines of ordinary system
        // daemons. NOTE(review): presumably embedded so the implant can
        // present a benign process name -- confirm against the referenced
        // analyses. Individually each could appear in legitimate software;
        // the condition therefore requires at least two.
        $s1 = "hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event" ascii fullword
        $s2 = "/sbin/mingetty /dev" ascii fullword
        $s3 = "pickup -l -t fifo -u" ascii fullword
    condition:
        // Same grouping as the original ('and' binds tighter than 'or'),
        // made explicit. Branch 1: ELF magic (0x7f 'E' as a little-endian
        // uint16), under 200KB, any two strings. Branch 2: all three strings
        // regardless of header or size -- so a non-ELF file (e.g. a text dump)
        // containing all three also matches.
        (
            uint16(0) == 0x457f and
            filesize < 200KB and
            2 of them
        )
        or all of them
}