BPFDoor

BPFDoor is a Linux-based passive, long-term backdoor used by China-based threat actors. First seen in 2021, BPFDoor is named after its use of the Berkeley Packet Filter (BPF) to receive single-task instructions. BPFDoor supports multiple protocols for communicating with a C2, including TCP, UDP, and ICMP, and can start local or reverse shells that bypass firewalls using iptables.[1][2]

ID: S1161
Associated Software: JustForFun, Backdoor.Linux.BPFDOOR, Backdoor.Solaris.BPFDOOR.ZAJE
Type: MALWARE
Platforms: Linux
Version: 1.0
Created: 20 September 2024
Last Modified: 23 September 2024

Associated Software Descriptions

Name                            Description
JustForFun                      [3]
Backdoor.Linux.BPFDOOR          [4]
Backdoor.Solaris.BPFDOOR.ZAJE   [3]

Techniques Used

Domain ID Name Use
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

BPFDoor overwrites the argv[0] value that the Linux /proc filesystem uses to determine the command line and command name displayed for each process. BPFDoor selects a name from 10 hardcoded names that resemble Linux system daemons, such as /sbin/udevd -d, dbus-daemon --system, avahi-daemon: chroot helper, /sbin/auditd -n, and /usr/lib/systemd/systemd-journald.[1]

.009 Masquerading: Break Process Trees

After initial execution, BPFDoor forks itself and runs the fork with the --init flag, which allows it to execute secondary clean up operations. The parent process terminates leaving the forked process to be inherited by the legitimate process init.[1]
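One way a defender can check a host for the two Masquerading behaviours above (a rewritten argv[0] that does not match the mapped executable, a binary deleted from disk, and the survivor re-parented to init) is to compare what /proc reports for each process. The following is an added example, not code from the ATT&CK page or from any BPFDoor sample; the ProcRecord format, the helper names and the sample records are constructed for illustration.

```python
"""Audit /proc-style process records for argv[0] masquerading and the
fork-and-exit re-parenting pattern.  Added example; the record format
and sample data are constructed, not captured from a real system."""
from __future__ import annotations
import os
from dataclasses import dataclass

# Daemon names quoted on the page; used only to weight a finding.
DAEMON_NAMES = {
    "/sbin/udevd -d",
    "dbus-daemon --system",
    "avahi-daemon: chroot helper",
    "/sbin/auditd -n",
    "/usr/lib/systemd/systemd-journald",
}

@dataclass
class ProcRecord:
    pid: int
    ppid: int
    cmdline: str   # /proc/<pid>/cmdline with NUL separators replaced by spaces
    exe: str       # readlink(/proc/<pid>/exe); may end in " (deleted)"

def _names_match(claimed: str, exe_path: str) -> bool:
    """argv[0] may be a bare name, a path, or a symlink to the real exe."""
    claimed = claimed.rstrip(":")          # e.g. "avahi-daemon: chroot helper"
    if os.path.basename(claimed) == os.path.basename(exe_path):
        return True
    return claimed.startswith("/") and os.path.realpath(claimed) == exe_path

def masquerade_findings(rec: ProcRecord) -> list[str]:
    findings: list[str] = []
    if not rec.cmdline or not rec.exe:
        return findings                    # kernel thread or unreadable: nothing to compare
    exe_path = rec.exe.removesuffix(" (deleted)")
    claimed = rec.cmdline.split(" ", 1)[0]
    if not _names_match(claimed, exe_path):
        findings.append(f"argv[0] {claimed!r} does not match exe {exe_path!r}")
    if rec.exe.endswith(" (deleted)"):
        findings.append("executable was deleted from disk after start")
    if findings and rec.ppid == 1 and rec.cmdline in DAEMON_NAMES:
        findings.append("well-known daemon name, parent is init (fork-and-exit pattern)")
    return findings

def read_proc(pid: int) -> ProcRecord | None:
    """Build a record from the live /proc; None if the process vanished or is unreadable."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            cmdline = f.read().rstrip(b"\0").replace(b"\0", b" ").decode(errors="replace")
        with open(f"/proc/{pid}/stat") as f:
            # comm is parenthesised and may contain spaces; ppid is the 2nd field after ")"
            ppid = int(f.read().rsplit(")", 1)[1].split()[1])
        exe = os.readlink(f"/proc/{pid}/exe")
    except (OSError, IndexError, ValueError):
        return None
    return ProcRecord(pid, ppid, cmdline, exe)

def scan_live() -> dict[int, list[str]]:
    """Walk /proc; reading other users' /proc/<pid>/exe needs root."""
    results = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit() and (rec := read_proc(int(entry))):
            if hits := masquerade_findings(rec):
                results[rec.pid] = hits
    return results

# Constructed sample records (not real captures).
SAMPLES = [
    ProcRecord(4242, 1, "/sbin/udevd -d", "/dev/shm/constructed_dropper (deleted)"),
    ProcRecord(512, 1, "/usr/lib/systemd/systemd-journald", "/usr/lib/systemd/systemd-journald"),
    ProcRecord(700, 1, "dbus-daemon --system", "/usr/bin/dbus-daemon"),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec.pid, masquerade_findings(rec) or "ok")
```

Legitimate daemons also rewrite argv (avahi-daemon's helper is one), so a name mismatch on its own is a triage signal; the combination with a deleted executable and a parent of init is what distinguishes the pattern the page describes.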

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

BPFDoor can create a reverse shell and supports vt100 emulator formatting.[1]

Enterprise T1562 .003 Impair Defenses: Impair Command History Logging

BPFDoor sets the MYSQL_HISTFILE and HISTFILE environment variables (visible in /proc/<PID>/environ) to /dev/null, preventing the shell and MySQL from logging command history.[1]

.004 Impair Defenses: Disable or Modify System Firewall

BPFDoor starts a shell on a high TCP port starting at 42391 up to 43391, then changes the local iptables rules to redirect all packets from the attacker to the shell port.[1]
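A rule that redirects a single source address to a port in the 42391-43391 range stands out in `iptables-save` output, because REDIRECT is normally used for things like 8080 to 80 rather than for one peer. The parser below is an added example for reviewing saved rules, not code from the page; the rule lines and the 203.0.113.5 address are constructed (TEST-NET-3).

```python
"""Flag nat-table REDIRECT rules that point at the shell port range the
page describes.  Added example; sample rules are constructed."""
import re

SHELL_PORT_RANGE = range(42391, 43392)   # page: 42391 up to 43391, inclusive
RE_TO_PORTS = re.compile(r"--to-ports? (\d+)(?:-(\d+))?")
RE_SRC = re.compile(r"-s (\S+)")
RE_DPORT = re.compile(r"--dport (\d+)")

def suspicious_redirects(iptables_save_text: str) -> list[dict]:
    """Return nat REDIRECT rules whose target port range touches SHELL_PORT_RANGE."""
    findings = []
    table = None
    for line in iptables_save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. "*nat"
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A") or "-j REDIRECT" not in line:
            continue
        m = RE_TO_PORTS.search(line)
        if not m:
            continue
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if lo in SHELL_PORT_RANGE or hi in SHELL_PORT_RANGE:
            src = RE_SRC.search(line)
            dport = RE_DPORT.search(line)
            findings.append({
                "rule": line,
                "src": src.group(1) if src else "any",
                "dport": int(dport.group(1)) if dport else None,
                "to_ports": (lo, hi),
            })
    return findings

# Constructed iptables-save excerpt: one ordinary REDIRECT, one that matches the pattern.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
-A PREROUTING -s 203.0.113.5/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 42391
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 42391 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for f in suspicious_redirects(SAMPLE_RULES):
        print(f"{f['src']} dport {f['dport']} -> local ports {f['to_ports']}")
```

The filter-table ACCEPT rule on the same port is deliberately left unflagged; the telltale is the nat redirect from one peer, and a single-port match gives a review queue rather than a verdict.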

Enterprise T1480 Execution Guardrails

BPFDoor creates a zero-byte PID file at /var/run/haldrund.pid. BPFDoor uses this file to determine whether it is already running on a system, ensuring only one instance executes at a time.[1]

Enterprise T1205 .002 Traffic Signaling: Socket Filters

BPFDoor uses BPF bytecode to attach a filter to a network socket to view ICMP, UDP, or TCP packets coming through ports 22 (ssh), 80 (http), and 443 (https). When BPFDoor finds a packet containing its "magic" bytes, it parses out two fields and forks itself. The parent process continues to monitor filtered traffic while the child process executes the instructions from the parsed fields.[1][2]
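A socket filter has to be attached to a socket that sees raw traffic, so one host-side check is to find which processes hold AF_PACKET sockets: /proc/net/packet lists them by inode, and /proc/<pid>/fd links of the form socket:[inode] tie them to a process. The code below is an added example, not from the page; the /proc/net/packet excerpt and the fd-link map are constructed.

```python
"""Map AF_PACKET sockets from /proc/net/packet to the processes holding them.
Added example; the sample /proc data below is constructed."""
import os
import re

# Constructed /proc/net/packet excerpt.  Columns: sk RefCnt Type Proto Iface R Rmem User Inode
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
00000000 3      3    0003   2     1 0      0      31337
"""

# Constructed pid -> readlink(/proc/<pid>/fd/*) results.
SAMPLE_FD_LINKS = {
    4242: ["/dev/null", "/dev/null", "/dev/null", "socket:[31337]"],
    1800: ["/dev/null", "pipe:[555]", "socket:[900]"],
}

SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

def packet_socket_inodes(text: str) -> dict[int, dict]:
    """Parse /proc/net/packet into {inode: {type, proto}} (type 3 = SOCK_RAW, proto 3 = ETH_P_ALL)."""
    inodes = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        inodes[int(fields[8])] = {"type": int(fields[2]), "proto": int(fields[3], 16)}
    return inodes

def processes_with_packet_sockets(packet_text: str, fd_links: dict[int, list[str]]) -> dict[int, list[dict]]:
    """Return {pid: [socket info...]} for processes holding an AF_PACKET socket."""
    inodes = packet_socket_inodes(packet_text)
    result = {}
    for pid, links in fd_links.items():
        hits = []
        for link in links:
            m = SOCKET_LINK.fullmatch(link)
            if m and int(m.group(1)) in inodes:
                hits.append(inodes[int(m.group(1))] | {"inode": int(m.group(1))})
        if hits:
            result[pid] = hits
    return result

def live_fd_links() -> dict[int, list[str]]:
    """Collect fd link targets from the live /proc (root needed for other users' processes)."""
    links = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            fd_dir = f"/proc/{entry}/fd"
            links[int(entry)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:
            continue
    return links

if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        print(processes_with_packet_sockets(f.read(), live_fd_links()))
```

Packet capture tools and DHCP clients hold such sockets legitimately, so the list is a starting point; `ss -0bp` then shows the classic BPF program attached to each packet socket, which is where a filter keyed on application-layer bytes can be recognised.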

Enterprise T1027 Obfuscated Files or Information

BPFDoor can require a password to activate the backdoor and uses RC4 encryption or the statically linked libtomcrypt encryption library.[1]

Enterprise T1070 Indicator Removal

BPFDoor clears the file location /proc/<PID>/environ removing all environment variables for the process.[1]
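Both environment tricks on this page (history files pointed at /dev/null, and an environ cleared outright) are visible in /proc/<pid>/environ, which is a NUL-separated list of KEY=VALUE entries. The audit below is an added example, not code from the page; the sample environ blobs are constructed.

```python
"""Inspect /proc/<pid>/environ for the history-suppression and cleared-environment
patterns.  Added example; sample data is constructed."""
import os

HISTORY_VARS = ("HISTFILE", "MYSQL_HISTFILE")

def parse_environ(raw: bytes) -> dict[str, str]:
    """Split a /proc/<pid>/environ blob into a dict."""
    env = {}
    for item in raw.split(b"\0"):
        if not item:
            continue
        key, _, value = item.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def environ_findings(raw: bytes, has_cmdline: bool = True) -> list[str]:
    """Return findings for one process's environ.

    has_cmdline distinguishes a user process whose environ was wiped from a
    kernel thread, which legitimately has no cmdline and no environ."""
    if not raw:
        return ["environ is empty"] if has_cmdline else []
    env = parse_environ(raw)
    return [f"{var}=/dev/null" for var in HISTORY_VARS if env.get(var) == "/dev/null"]

def scan_live() -> dict[int, list[str]]:
    """Walk the live /proc (root needed to read other users' environ)."""
    results = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                has_cmdline = bool(f.read())
            with open(f"/proc/{entry}/environ", "rb") as f:
                raw = f.read()
        except OSError:
            continue
        if hits := environ_findings(raw, has_cmdline):
            results[int(entry)] = hits
    return results

# Constructed sample blobs.
SAMPLE_SUPPRESSED = b"HISTFILE=/dev/null\0MYSQL_HISTFILE=/dev/null\0PATH=/usr/bin\0"
SAMPLE_CLEARED = b""
SAMPLE_NORMAL = b"PATH=/usr/bin\0HOME=/root\0"

if __name__ == "__main__":
    for name, blob in [("suppressed", SAMPLE_SUPPRESSED), ("cleared", SAMPLE_CLEARED), ("normal", SAMPLE_NORMAL)]:
        print(name, environ_findings(blob) or "ok")
```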

.004 Indicator Removal: File Deletion

After initial setup, BPFDoor's original execution process deletes the dropped binary and exits.[1]

.006 Indicator Removal: Timestomp

BPFDoor uses the utimes() function to change the executable's timestamp.[1]
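utimes() lets a caller set a file's access and modification times to any value, but the kernel always stamps the inode change time (ctime) with the current clock when it does so, which is the lever a forensic check can use. The snippet below is an added example, not code from the page; it creates two throwaway files to show the effect and the resulting heuristic.

```python
"""Show why utimes()-style timestomping leaves ctime behind, and the check it enables.
Added example; the files are created in a temporary directory."""
import os
import tempfile
import time

def looks_timestomped(path: str, tolerance: float = 5.0) -> bool:
    """True if mtime is well before ctime.

    An mtime far older than ctime means the timestamps were altered after the
    last content write: by utimes(), but also legitimately by chmod/chown/mv,
    so treat a hit as a reason to look closer rather than a verdict."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > tolerance

def demo() -> tuple[bool, bool]:
    """Return (fresh_file_flagged, stomped_file_flagged)."""
    with tempfile.TemporaryDirectory() as d:
        fresh = os.path.join(d, "fresh.bin")
        stomped = os.path.join(d, "stomped.bin")
        for p in (fresh, stomped):
            with open(p, "wb") as f:
                f.write(b"\x7fELF constructed sample")
        # Back-date atime and mtime to 2010; this is what utimes(2) does.
        old = time.mktime((2010, 1, 1, 0, 0, 0, 0, 0, -1))
        os.utime(stomped, (old, old))
        return looks_timestomped(fresh), looks_timestomped(stomped)

if __name__ == "__main__":
    fresh_hit, stomped_hit = demo()
    print("fresh flagged:", fresh_hit, "| back-dated flagged:", stomped_hit)
```

On filesystems that record a birth time, `stat` (via statx) also exposes it, and a birth time later than the claimed mtime is an even stronger indicator.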

Enterprise T1564 .011 Hide Artifacts: Ignore Process Interrupts

BPFDoor sets its process to ignore the following signals: SIGHUP, SIGINT, SIGQUIT, SIGPIPE, SIGCHLD, SIGTTIN, and SIGTTOU.[2]
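The kernel exposes each process's ignored-signal set as the hexadecimal SigIgn bitmask in /proc/<pid>/status (bit n-1 for signal n), so the specific set listed above can be checked directly. The decoder below is an added example, not code from the page; the status excerpt is constructed, and the mask in it is computed from the signal numbers of the host running the script.

```python
"""Decode the SigIgn mask from /proc/<pid>/status and compare it with the
signal set the page lists.  Added example; sample status text is constructed."""
import re
import signal

BPFDOOR_IGNORED = ("SIGHUP", "SIGINT", "SIGQUIT", "SIGPIPE", "SIGCHLD", "SIGTTIN", "SIGTTOU")

def mask_for(names) -> int:
    """Build a SigIgn-style bitmask from signal names (bit = signal number - 1)."""
    mask = 0
    for name in names:
        mask |= 1 << (signal.Signals[name].value - 1)
    return mask

def decode_sigmask(hex_mask: str) -> set[str]:
    """Turn a 64-bit hex mask into the set of signal names it covers."""
    mask = int(hex_mask, 16)
    names = set()
    for bit in range(64):
        if mask >> bit & 1:
            try:
                names.add(signal.Signals(bit + 1).name)
            except ValueError:          # real-time or unnamed signal on this platform
                names.add(f"SIG{bit + 1}")
    return names

def ignored_from_status(status_text: str) -> set[str]:
    m = re.search(r"^SigIgn:\s*([0-9a-fA-F]+)", status_text, re.M)
    return decode_sigmask(m.group(1)) if m else set()

def matches_bpfdoor_profile(status_text: str) -> bool:
    """True if every signal the page lists is ignored (a superset still matches)."""
    return set(BPFDOOR_IGNORED) <= ignored_from_status(status_text)

# Constructed /proc/<pid>/status excerpt with the listed signals ignored.
SAMPLE_STATUS = f"""Name:\tdbus-daemon
State:\tS (sleeping)
Pid:\t4242
PPid:\t1
SigPnd:\t0000000000000000
SigBlk:\t0000000000000000
SigIgn:\t{mask_for(BPFDOOR_IGNORED):016x}
SigCgt:\t0000000000000000
"""

if __name__ == "__main__":
    print(sorted(ignored_from_status(SAMPLE_STATUS)))
    print("matches profile:", matches_bpfdoor_profile(SAMPLE_STATUS))
```

Daemons commonly ignore SIGHUP or SIGPIPE, so the discriminating part is the whole set, SIGCHLD and the terminal signals together, on a process that also fails the argv[0] and environ checks.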

References