BPFDoor

BPFDoor is a Linux-based passive, long-term backdoor used by China-based threat actors. First seen in 2021, BPFDoor is named after its use of the Berkeley Packet Filter (BPF) to receive single-task instructions. BPFDoor supports multiple protocols for communicating with a C2, including TCP, UDP, and ICMP, and can start local or reverse shells that bypass firewalls using iptables.[1][2]

ID: S1161
Associated Software: JustForFun, Backdoor.Linux.BPFDOOR, Backdoor.Solaris.BPFDOOR.ZAJE
Type: MALWARE
Platforms: Linux
Version: 1.0
Created: 20 September 2024
Last Modified: 23 September 2024

Associated Software Descriptions

Name Description
JustForFun [3]
Backdoor.Linux.BPFDOOR [4]
Backdoor.Solaris.BPFDOOR.ZAJE [3]

Techniques Used

Domain ID Name Use
Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

BPFDoor can create a reverse shell and supports vt100 emulator formatting.[1]

Enterprise T1480 Execution Guardrails

BPFDoor creates a zero byte PID file at /var/run/haldrund.pid. BPFDoor uses this file to determine if it is already running on a system to ensure only one instance is executing at a time.[1]

Enterprise T1564 .011 Hide Artifacts: Ignore Process Interrupts

BPFDoor sets its process to ignore the following signals: SIGHUP, SIGINT, SIGQUIT, SIGPIPE, SIGCHLD, SIGTTIN, and SIGTTOU.[2]

Enterprise T1562 .003 Impair Defenses: Impair Command History Logging

BPFDoor sets the MYSQL_HISTFILE and HISTFILE environment variables (visible in /proc/<PID>/environ) to /dev/null, preventing the shell and MySQL from logging command history.[1]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

BPFDoor starts a shell on a high TCP port in the range 42391 to 43391, then changes the local iptables rules to redirect all packets from the attacker to the shell port.[1]
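The firewall change above leaves a visible trace in the nat table: a single-source REDIRECT (or DNAT) into the 42391-43391 band. The following is an added example, not code from MITRE ATT&CK or from BPFDoor; it parses rules in iptables-save format, and the sample rule set, the source address 203.0.113.7 and the 10.0.0.9 destination are constructed.

```python
"""Flag iptables redirects of the kind described above.
Added example, not code from MITRE ATT&CK or from BPFDoor; the rules are in
iptables-save format, and the sample rule set below is constructed."""
import subprocess

# Shell listener port band stated on the page.
SHELL_PORT_LOW, SHELL_PORT_HIGH = 42391, 43391


def parse_rule(line):
    """Tokenise one '-A' line into chain, source match, jump target and redirect port."""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "-A":
        return None
    rule = {"chain": tok[1], "src": None, "target": None, "port": None}
    i = 2
    while i + 1 < len(tok):
        flag, val = tok[i], tok[i + 1]
        if flag == "-s":
            rule["src"] = val
        elif flag == "-j":
            rule["target"] = val
        elif flag == "--to-ports":                     # REDIRECT: port or port-port
            rule["port"] = int(val.split("-")[0])
        elif flag == "--to-destination" and ":" in val:  # DNAT: ip:port[-port]
            rule["port"] = int(val.rsplit(":", 1)[1].split("-")[0])
        i += 1
    return rule


def suspicious_redirects(save_text):
    """Rules that REDIRECT/DNAT traffic into the shell port band named on the page."""
    hits = []
    for line in save_text.splitlines():
        rule = parse_rule(line.strip())
        if (rule and rule["target"] in ("REDIRECT", "DNAT") and rule["port"] is not None
                and SHELL_PORT_LOW <= rule["port"] <= SHELL_PORT_HIGH):
            hits.append(rule)
    return hits


# Constructed sample: one benign web redirect, one DNAT to a normal port, and one
# single-source redirect into the shell band (the pattern the page describes).
SAMPLE_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -s 203.0.113.7/32 -p tcp -j REDIRECT --to-ports 42391
-A OUTPUT -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.9:443
COMMIT
"""


def live_check():
    """Run against the host's nat table (needs root); returns the matching rules."""
    out = subprocess.run(["iptables-save", "-t", "nat"],
                         capture_output=True, text=True, check=True).stdout
    return suspicious_redirects(out)


if __name__ == "__main__":
    for r in suspicious_redirects(SAMPLE_SAVE):
        print(f"chain={r['chain']} src={r['src']} target={r['target']} port={r['port']}")
```

Legitimate reverse proxies redirect into well-known service ports, not into this band, so a hit here is worth pulling the matching process for; pair it with a check of what is actually listening on the redirected port. Hosts managed with nftables need the equivalent parse of `nft list ruleset` output.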

Enterprise T1070 Indicator Removal

BPFDoor clears /proc/<PID>/environ, removing all environment variables for the process.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

After initial setup, BPFDoor's original execution process deletes the dropped binary and exits.[1]

Enterprise T1070 .006 Indicator Removal: Timestomp

BPFDoor uses the utimes() function to change the executable's timestamp.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

BPFDoor overwrites the argv[0] value, which the Linux /proc filesystem uses to determine the command line and command name displayed for each process. BPFDoor selects a name from 10 hardcoded names that resemble Linux system daemons, such as /sbin/udevd -d, dbus-daemon --system, avahi-daemon: chroot helper, /sbin/auditd -n, and /usr/lib/systemd/systemd-journald.[1]

.009 Masquerading: Break Process Trees

After initial execution, BPFDoor forks itself and runs the fork with the --init flag, which allows it to execute secondary clean-up operations. The parent process terminates, leaving the forked process to be inherited by the legitimate init process.[1]

Enterprise T1027 Obfuscated Files or Information

BPFDoor can require a password to activate the backdoor and uses RC4 encryption or the statically linked encryption library libtomcrypt.[1]

Enterprise T1205 .002 Traffic Signaling: Socket Filters

BPFDoor uses BPF bytecode to attach a filter to a network socket to view ICMP, UDP, or TCP packets coming through ports 22 (ssh), 80 (http), and 443 (https). When BPFDoor finds a packet containing its "magic" bytes, it parses out two fields and forks itself. The parent process continues to monitor filtered traffic while the child process executes the instructions from the parsed fields.[1][2]
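Several of the host-side behaviours listed in this table (the ignored-signal set under T1564.011, the cleared environ under T1070, the deleted binary under T1070.004, the argv[0] overwrite under T1036.004, and the filtered packet socket under T1205.002) are all readable from /proc. The following is an added example, not code from MITRE ATT&CK or from BPFDoor. It goes slightly beyond the page by scoring a process on how many of those indicators fire at once; the sample process data, the placeholder binary path, and the socket inode number are constructed, and the signal numbers are the Linux x86-64 values.

```python
"""/proc-based triage for the host indicators described above. Added example, not
code from MITRE ATT&CK or from BPFDoor. Every check takes file contents so it runs
on the constructed samples below; live_audit() applies the same checks to the real
/proc of a Linux host (reading other users' fd links needs root)."""
import os
import re

# Linux (x86-64) signal numbers for the signals the page says BPFDoor ignores.
BPFDOOR_IGNORED = {"SIGHUP": 1, "SIGINT": 2, "SIGQUIT": 3, "SIGPIPE": 13,
                   "SIGCHLD": 17, "SIGTTIN": 21, "SIGTTOU": 22}
PID_FILE = "/var/run/haldrund.pid"     # zero-byte guard file named on the page


def sigign_mask(status_text):
    """SigIgn bitmask from /proc/<pid>/status text (0 if the line is missing)."""
    m = re.search(r"^SigIgn:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    return int(m.group(1), 16) if m else 0


def ignores_bpfdoor_set(status_text):
    """True when every listed signal is ignored; signal N is bit N-1 of the mask."""
    mask = sigign_mask(status_text)
    return all((mask >> (num - 1)) & 1 for num in BPFDOOR_IGNORED.values())


def argv0_mismatch(cmdline, exe_link):
    """argv[0] (raw /proc/<pid>/cmdline bytes) names a different program than
    /proc/<pid>/exe resolves to. A prefix match tolerates interpreter names such
    as 'python3' vs 'python3.11'; kernel threads (empty cmdline) never match."""
    words = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace").split()
    if not words:
        return False
    claimed = os.path.basename(words[0])
    actual = os.path.basename(exe_link.removesuffix(" (deleted)"))
    return not (claimed.startswith(actual) or actual.startswith(claimed))


def packet_socket_inodes(proc_net_packet_text):
    """Inode numbers of AF_PACKET sockets from /proc/net/packet (last column)."""
    inodes = set()
    for line in proc_net_packet_text.splitlines()[1:]:        # skip header row
        cols = line.split()
        if len(cols) >= 9 and cols[8].isdigit():
            inodes.add(int(cols[8]))
    return inodes


def holds_packet_socket(fd_links, inodes):
    """fd_links are readlink() results of /proc/<pid>/fd/*; match socket:[inode]."""
    return any(m and int(m.group(1)) in inodes
               for m in (re.fullmatch(r"socket:\[(\d+)\]", link) for link in fd_links))


def score(status_text, cmdline, exe_link, environ_bytes, fd_links, inodes):
    """Names of the indicators that fired for one process, in a fixed order."""
    checks = [
        ("ignores_signals", ignores_bpfdoor_set(status_text)),
        ("argv0_mismatch", argv0_mismatch(cmdline, exe_link)),
        ("exe_deleted", exe_link.endswith(" (deleted)")),   # binary unlinked while running
        ("environ_empty", len(environ_bytes) == 0),         # environment block wiped
        ("packet_socket", holds_packet_socket(fd_links, inodes)),
    ]
    return [name for name, fired in checks if fired]


# Constructed sample process: masquerading as udevd, binary deleted, SigIgn mask
# 0x311007 = bits for signals 1,2,3,13,17,21,22, one AF_PACKET socket open.
SAMPLE_STATUS = "Name:\tudevd\nPid:\t4242\nSigIgn:\t0000000000311007\nSigCgt:\t0000000000000000\n"
SAMPLE_CMDLINE = b"/sbin/udevd -d\0"
SAMPLE_EXE = "/dev/shm/example-dropped-binary (deleted)"   # placeholder path, not an IoC
SAMPLE_ENVIRON = b""
SAMPLE_FDS = ["/dev/null", "/dev/null", "/dev/null", "socket:[12345]"]
SAMPLE_NET_PACKET = ("sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
                     "0000000000000000 3      3    0003   2     1 0      0      12345\n")


def _read(path, mode="r"):
    with open(path, mode) as f:
        return f.read()


def live_audit(min_hits=2):
    """Walk /proc and return {pid: hits} for processes with min_hits or more indicators."""
    inodes = packet_socket_inodes(_read("/proc/net/packet"))
    findings = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            status, cmdline = _read(f"{base}/status"), _read(f"{base}/cmdline", "rb")
            environ, exe = _read(f"{base}/environ", "rb"), os.readlink(f"{base}/exe")
            fds = [os.readlink(f"{base}/fd/{n}") for n in os.listdir(f"{base}/fd")]
        except OSError:
            continue        # process exited, kernel thread, or unreadable without root
        hits = score(status, cmdline, exe, environ, fds, inodes)
        if len(hits) >= min_hits:
            findings[int(pid)] = hits
    return findings


if __name__ == "__main__":
    if os.path.exists(PID_FILE):
        print(f"[!] guard file present: {PID_FILE}")
    print("sample process:", score(SAMPLE_STATUS, SAMPLE_CMDLINE, SAMPLE_EXE, SAMPLE_ENVIRON,
                                   SAMPLE_FDS, packet_socket_inodes(SAMPLE_NET_PACKET)))
```

No single indicator is conclusive on its own: an empty environ is normal for kernel threads, a "(deleted)" exe is what any daemon looks like after its package was upgraded underneath it, and capture tools such as tcpdump legitimately hold AF_PACKET sockets. Requiring two or more hits, as live_audit does by default, keeps the list short enough to review by hand; the guard-file check stands alone because the path is specific to this family.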

References