BPFDoor is a sophisticated backdoor malware targeting organizations across Asia, the Middle East, and Africa. It uses Berkeley Packet Filtering (BPF) technology to monitor network traffic at the kernel level. This allows it to evade conventional security scans, making it difficult to detect while maintaining persistent access to compromised systems. The malware is particularly effective because it operates without listening on network ports, a feature that traditional security measures like port scans cannot detect.
The malware has been observed in attacks across several sectors, including telecommunications, finance, and retail, with incidents reported in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.
Trend Micro researchers tracked the threat actor behind BPFDoor to the Earth Bluecrow group, also known as Red Menshen, an advanced persistent threat (APT) group. The group has been deploying BPFDoor for cyberespionage activities since at least 2021. BPFDoor’s stealthy nature allows it to persist on infected systems for extended periods, gathering sensitive data without raising suspicion.
BPFDoor’s rootkit-like behavior allows it to inject BPF filters into the kernel of compromised systems, enabling it to monitor and manipulate network traffic. Once activated by specially crafted “magic sequences,” the malware can trigger specific backdoor functions, granting the attacker full control over the system. The malware also employs evasion tactics like changing process names and modifying system activity to stay hidden from security tools.
Its stealth capabilities make it an ideal tool for long-term espionage, where attackers seek to maintain persistent, undetected access.
The malware’s reverse shell mechanism allows attackers to establish communication with compromised machines, facilitating lateral movement within networks. The controller module sends activation packets to initiate a reverse shell connection, enabling deeper system penetration. BPFDoor’s ability to operate across multiple protocols (TCP, UDP, and ICMP) makes it difficult to detect. To mitigate the threat, organizations need advanced monitoring solutions to identify BPFDoor’s unique activation patterns and monitor network traffic for signs of compromise.
