
Cybersecurity researchers have unearthed a new controller component related to a known backdoor called BPFDOOR, found as part of cyberattacks in 2024 that targeted the telecommunications, finance and retail sectors in South Korea, Hong Kong, Myanmar, Malaysia and Egypt.
“The controller can open a reverse shell,” said Trend Micro researcher Fernando Mercês in a technical report released earlier this week. “This allows lateral movement, allowing attackers to move deeper into a compromised network, allowing them to control more systems and access sensitive data.”
The campaign is attributed to a threat group tracked as Red Menshen, also known as DecisiveArchitect, Red Dev 18, and Earth Bluecrow.

BPFDOOR is a Linux backdoor first publicly documented in 2022; the malware is positioned as a long-term espionage tool and had been used in attacks targeting Asia and the Middle East for at least a year before its public disclosure.
The most distinctive aspect of the malware is that it creates a persistent covert channel through which threat actors can control compromised workstations and access sensitive data over time.
The malware takes its name from its use of the Berkeley Packet Filter (BPF), which lets the program attach a network filter to an open socket, inspect incoming network packets, and watch for a specific magic byte sequence that activates it.
“Because of how BPF is implemented in the targeted operating systems, the magic packets trigger the backdoor despite being blocked by firewalls,” Mercês said. “When a packet reaches the kernel’s BPF engine, the resident backdoor is activated. These features are common in rootkits, but are not usually seen in backdoors.”
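A practical consequence of the mechanism described above is that a backdoor of this kind must hold a packet socket (AF_PACKET) to see every incoming frame before the usual firewall rules apply, so one defensive hunting step is to enumerate which processes own such sockets. The following script is an added example written for this article, not code from Trend Micro or from the malware itself; it parses the kernel's /proc/net/packet table (column layout as printed by net/packet/af_packet.c) and maps each socket inode back to the owning PID through /proc/<pid>/fd. The sample /proc/net/packet text and the fd table are constructed for illustration.

```python
"""Hunt for processes holding AF_PACKET (raw packet) sockets on Linux.

A BPF-triggered backdoor attaches its filter to a packet socket so it can
watch every incoming frame for its magic bytes; any process holding such a
socket is therefore worth a look. This script maps socket inodes listed in
/proc/net/packet back to the owning PIDs via /proc/<pid>/fd.
"""
import os
import re

ETH_P_ALL = 0x0003  # proto value used by a "see every frame" packet socket


def parse_proc_net_packet(text):
    """Parse the text of /proc/net/packet into a list of dicts.

    Columns (kernel net/packet/af_packet.c):
    sk RefCnt Type Proto Iface R Rmem User Inode
    """
    sockets = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append({
            "proto": int(fields[3], 16),  # hex protocol, e.g. 0003 = ETH_P_ALL
            "iface": int(fields[4]),
            "user": int(fields[7]),
            "inode": int(fields[8]),
        })
    return sockets


_SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def inode_owners(fd_table):
    """Map socket inode -> set of PIDs from a {pid: [fd link targets]} table."""
    owners = {}
    for pid, targets in fd_table.items():
        for target in targets:
            m = _SOCKET_LINK.match(target)
            if m:
                owners.setdefault(int(m.group(1)), set()).add(pid)
    return owners


def find_packet_socket_owners(proc_net_packet_text, fd_table):
    """Return sorted (pid, inode, proto) triples for every packet socket with a known owner."""
    owners = inode_owners(fd_table)
    hits = []
    for sock in parse_proc_net_packet(proc_net_packet_text):
        for pid in owners.get(sock["inode"], ()):
            hits.append((pid, sock["inode"], sock["proto"]))
    return sorted(hits)


def read_live_fd_table(proc="/proc"):
    """Collect /proc/<pid>/fd link targets on a live Linux host (needs root to see all)."""
    table = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # no permission, or the process exited while we looked
        table[int(name)] = targets
    return table


# Constructed sample of /proc/net/packet listing two packet sockets.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto Iface R Rmem   User   Inode
ffff9c3a1b2c3d00 3      3    0003  2     1 0      0      31337
ffff9c3a1b2c3e00 3      3    0800  2     1 0      0      40001
"""

# Constructed /proc/<pid>/fd link targets: pid 4242 holds the ETH_P_ALL socket.
SAMPLE_FD_TABLE = {
    1: ["/dev/null", "socket:[2001]"],
    4242: ["/dev/null", "pipe:[7]", "socket:[31337]"],
    5151: ["socket:[40001]"],
}

if __name__ == "__main__":
    if os.path.exists("/proc/net/packet"):
        with open("/proc/net/packet") as f:
            text = f.read()
        table = read_live_fd_table()
    else:
        text, table = SAMPLE_PROC_NET_PACKET, SAMPLE_FD_TABLE
    for pid, inode, proto in find_packet_socket_owners(text, table):
        label = "ETH_P_ALL" if proto == ETH_P_ALL else f"proto=0x{proto:04x}"
        print(f"pid {pid} holds packet socket inode {inode} ({label}) - review it")
```

Run as root on a live host to see real results; legitimate owners of packet sockets (DHCP clients, packet capture tools, some monitoring agents) will show up too, so treat each hit as a lead to triage rather than a verdict. A quick manual cross-check is `ss -0pb`, which lists packet sockets with the owning process and any attached BPF filter.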
A recent analysis from Trend Micro found that the targeted Linux servers were also infected with a previously undocumented malware controller, which is used to reach other affected hosts on the same network after lateral movement.
“Before sending one of the ‘magic packets’ checked by the BPF filter inserted by the BPFDOOR malware, the controller asks the user for a password that will also be checked on the BPFDOOR side,” explained Mercês.
In the next step, the controller instructs the compromised machine to perform one of the following actions, depending on the password provided and the command line options used:
Open a reverse shell
Redirect a new connection to a shell on a specific port
Verify that the backdoor is active

It is worth pointing out that the password sent from the controller must match one of the hardcoded values in the BPFDOOR sample. In addition to supporting TCP, UDP, and ICMP protocols, controllers commanding infected hosts can also enable optional encryption mode for secure communication.
Additionally, the controller supports what is called direct mode, which allows an attacker to connect directly to the infected machine and obtain a shell for remote access, provided the correct password is supplied.
“BPF opens a new window of unexplored possibilities for malware authors to exploit,” Mercês said. “As a threat researcher, it is essential to be equipped for future developments by analyzing BPF code. This will help protect your organization from threats equipped with BPF.”