Earth Bluecrow Targets Asia and Middle East with BPFDoor Backdoor


BPFDoor is a backdoor built for long-term cyberespionage on Linux servers. Instead of opening a listening port, it attaches a Berkeley Packet Filter (BPF) to a raw socket and inspects incoming traffic for “magic packets” containing specific byte sequences. Because the filter sees packets before host firewall rules are applied, a magic packet can activate the backdoor even on a port the firewall blocks. With no listening socket and a disguised process, it evades port scans and many routine host checks. BPFDoor has been used by Earth Bluecrow (also tracked as Red Menshen), an advanced persistent threat (APT) group, and has recently been deployed against organizations in Asia, the Middle East, and Africa. Its passive activation and evasion techniques make it well suited to long-term espionage.

Severity Level: High

Threat Overview:

  • Main Feature: Uses a Berkeley Packet Filter (BPF) attached to a raw socket to trigger the backdoor via “magic packets”; once triggered, the operator can open a reverse shell, move laterally through the network, and exfiltrate sensitive data.
  • Targeted Industries: Telecommunications, financial services, and retail sectors.
  • Threat Actor: Earth Bluecrow (Red Menshen), a well-known APT group with a track record of cyberespionage operations.
  • Evasion Techniques: BPFDoor disguises its process and does not listen on any network port, so port scans and casual process listings do not reveal the infection.
  • Controller: BPFDoor’s hidden controller lets the operator open a reverse shell, redirect traffic to a chosen port, or simply check whether the backdoor is alive. It communicates with the infected host over an encrypted or plaintext channel, chosen per session by the operator.
  • BPFDoor’s Reverse Connection Mode:
    • In this mode the infected machine connects out to the attacker’s machine. The attacker runs the controller against the infected host; it sends an activation packet that carries the magic bytes followed by the IP address and port the backdoor should connect back to and a password.
    • The BPF filter on the infected host matches the magic bytes, the backdoor checks the password, and, if it matches, opens a reverse shell to the supplied address and port.
    • Actors can use the controller’s -c flag to enable encryption for the reverse shell communication.
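The filter-side check described above, as an added example (not code from Trend Micro, Ampcus Cyber or the malware itself): a small Python parser that applies the same test BPFDoor's BPF filter applies, comparing the first two bytes of the TCP, UDP or ICMP payload against the 0x5293 / 0x7255 values listed under Recommendations. The tcpdump expression, the packet-builder helpers and the sample frames are constructed for the example; the BPF expression is an assumption about how the filter computes the payload offset, and a sensor would feed this function real captures rather than the constructed frames.

```python
import socket
import struct

MAGIC_TCP = 0x5293        # BPFDoor magic value for TCP (from the advisory)
MAGIC_UDP_ICMP = 0x7255   # BPFDoor magic value for UDP and ICMP

# tcpdump/BPF expression equivalent to the Python check below, usable on a
# network sensor. Assumption: the payload-offset arithmetic mirrors the
# filter BPFDoor installs; it is not quoted from the advisory.
BPF_EXPRESSION = (
    "udp[8:2]=0x7255 or icmp[8:2]=0x7255 or "
    "tcp[((tcp[12]&0xf0)>>2):2]=0x5293"
)


def inspect_ipv4(frame: bytes):
    """Parse one raw IPv4 packet and report whether its transport payload
    starts with BPFDoor's magic value. Returns a dict, or None when the
    packet is not IPv4 or not TCP/UDP/ICMP."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4              # IPv4 header length in bytes
    proto = frame[9]
    src = socket.inet_ntoa(frame[12:16])
    dst = socket.inet_ntoa(frame[16:20])
    l4 = frame[ihl:]

    if proto == 6 and len(l4) >= 20:         # TCP: payload after data offset
        doff = (l4[12] >> 4) * 4             # same as ((tcp[12]&0xf0)>>2)
        payload, magic, name = l4[doff:], MAGIC_TCP, "tcp"
        ports = struct.unpack("!HH", l4[:4])
    elif proto == 17 and len(l4) >= 8:       # UDP: fixed 8-byte header
        payload, magic, name = l4[8:], MAGIC_UDP_ICMP, "udp"
        ports = struct.unpack("!HH", l4[:4])
    elif proto == 1 and len(l4) >= 8:        # ICMP echo: 8-byte header
        payload, magic, name = l4[8:], MAGIC_UDP_ICMP, "icmp"
        ports = (None, None)
    else:
        return None

    # Only the first two payload bytes count, exactly like the BPF filter;
    # the same value later in the payload is not a trigger.
    hit = len(payload) >= 2 and struct.unpack("!H", payload[:2])[0] == magic
    return {"proto": name, "src": src, "dst": dst,
            "sport": ports[0], "dport": ports[1], "magic": hit}


def find_magic_packets(frames):
    """Return an alert record for every frame carrying a magic payload."""
    return [r for r in map(inspect_ipv4, frames) if r and r["magic"]]


# --- constructed sample traffic (checksums left zero; the detector ignores them) ---

def ipv4(proto, src, dst, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


def tcp(sport, dport, payload, options=b""):
    assert len(options) % 4 == 0
    doff = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, 0x18,
                      65535, 0, 0)
    return hdr + options + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp_echo(payload):
    return struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload


SAMPLE_FRAMES = [
    # TCP with MSS/NOP/WS options: the magic sits after a 32-byte header
    ipv4(6, "203.0.113.7", "10.0.0.5",
         tcp(40000, 443, b"\x52\x93" + b"\x00" * 30,
             options=b"\x02\x04\x05\xb4\x01\x03\x03\x07\x01\x01\x01\x01")),
    # TCP whose payload merely contains 0x5293 later on: not a trigger
    ipv4(6, "203.0.113.7", "10.0.0.5", tcp(40001, 443, b"GET /\x52\x93")),
    # UDP and ICMP triggers
    ipv4(17, "203.0.113.9", "10.0.0.5", udp(5555, 53, b"\x72\x55" + b"A" * 8)),
    ipv4(1, "203.0.113.9", "10.0.0.5", icmp_echo(b"\x72\x55" + b"B" * 8)),
    # Ordinary DNS-looking UDP: no alert
    ipv4(17, "10.0.0.5", "10.0.0.2", udp(5353, 53, b"\x12\x34\x01\x00")),
]

if __name__ == "__main__":
    for alert in find_magic_packets(SAMPLE_FRAMES):
        print(alert)
```

Because the check keys on the transport payload rather than a destination port, it catches a magic packet sent to 22/tcp, 443/tcp or any other port the host happens to expose, which is what makes the backdoor reachable through a firewall in the first place.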

Recommendations:

  1. Magic Sequence Detection: Monitor network traffic for the magic sequences that trigger the backdoor. BPFDoor inspects every incoming packet on a raw socket, so the check must be applied to the payload regardless of destination port. The values reported for this campaign are:
    • TCP: the first two bytes of the TCP payload equal 0x5293.
    • UDP: the first two bytes of the UDP payload equal 0x7255.
    • ICMP: the first two bytes of the ICMP payload equal 0x7255.
  2. Reverse shell connections typically show abnormal outbound traffic patterns:
    • Look for outbound connections from internal servers to unusual IP addresses or uncommon ports (e.g., port 8000).
    • Detect unexpected or unauthorized IP addresses establishing connections to internal systems.
  3. BPFDoor adds iptables NAT rules that redirect traffic arriving on ports such as 22/tcp to the port it is actually listening on, typically in a custom high port range. Ensure that every change to iptables rules is logged (for example with auditd rules on the iptables and nft binaries) and investigate unexpected REDIRECT rules or other unauthorized changes to firewall configuration.
  4. BPFDoor has been known to disable MySQL command-line history. Monitor for a missing or empty MySQL history file, abnormal query behavior, and sessions in which the MYSQL_HISTFILE variable is unset or pointed at a location such as /dev/null.
  5. BPFDoor’s reverse shell may also disable shell command history. Record executed commands with auditd (or an equivalent agent) so that shell activity is logged independently of HISTFILE, and alert on sessions whose history is tampered with or absent.
  6. Block the indicators of compromise (IOCs) published for this campaign at the relevant controls:
    https://www.virustotal.com/gui/collection/64f4b892a20d8ae08e397166956916ab18ac91b727443238f44d7e9dca74f78f/iocs
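For recommendation 3, an added example (not part of this advisory or of the Trend Micro report) that audits an iptables-save dump: it lists every REDIRECT rule in the nat table and reports those outside an allowlist, and always reports rules scoped to a single source host. Published analyses of BPFDoor describe the redirect as installed for the controller's source address and port 22; that heuristic, the allowlist and the sample dump are assumptions made for the example rather than facts quoted from the page.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set, Tuple


@dataclass
class RedirectRule:
    chain: str
    source: Optional[str]   # value of -s, if present
    proto: Optional[str]    # value of -p, if present
    dport: Optional[str]    # value of --dport (port or range), if present
    to_ports: str           # REDIRECT --to-ports target
    raw: str


_OPTS = {
    "source": re.compile(r"(?:^|\s)-s (\S+)"),
    "proto": re.compile(r"(?:^|\s)-p (\S+)"),
    "dport": re.compile(r"--dport (\S+)"),
}


def parse_nat_redirects(dump: str) -> Iterator[RedirectRule]:
    """Yield every '-j REDIRECT' rule in the nat table of an iptables-save
    dump. Tables are delimited by a '*name' line and 'COMMIT'."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "nat" and line.startswith("-A ") and " -j REDIRECT" in line:
            to = re.search(r"--to-ports (\S+)", line)
            if to is None:
                continue
            opt = {}
            for key, rx in _OPTS.items():
                m = rx.search(line)
                opt[key] = m.group(1) if m else None
            yield RedirectRule(line.split()[1], opt["source"], opt["proto"],
                               opt["dport"], to.group(1), line)


def suspicious_redirects(dump: str,
                         allowed: Set[Tuple[str, str]]) -> List[RedirectRule]:
    """Return nat REDIRECT rules that are not in the (dport, to_ports)
    allowlist. Rules restricted to a single source host are reported even
    when allowlisted: a legitimate port forward rarely targets one peer,
    whereas BPFDoor's redirect is installed for the controller's address
    (assumption stated in the lead-in)."""
    out = []
    for rule in parse_nat_redirects(dump):
        single_host = rule.source is not None and (
            "/" not in rule.source or rule.source.endswith("/32"))
        if single_host or (rule.dport, rule.to_ports) not in allowed:
            out.append(rule)
    return out


# Constructed sample dump: one expected 8080->80 forward and one
# attacker-style rule redirecting 22/tcp from a single source to a high port.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample for this example)
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
-A PREROUTING -s 203.0.113.7/32 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 42391
COMMIT
"""
ALLOWED = {("8080", "80")}   # port forwards this host is expected to carry

if __name__ == "__main__":
    for r in suspicious_redirects(SAMPLE_DUMP, ALLOWED):
        print(f"[{r.chain}] src={r.source} dport={r.dport} -> {r.to_ports}: {r.raw}")
```

Run it against the output of `iptables-save` collected by your agent on a schedule, or on the ruleset captured in an auditd event, and compare with the previous snapshot: a REDIRECT rule that appears between two runs without a corresponding change ticket is the signal recommendation 3 asks for.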

Source:

  • https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html


Ampcus Cyber