Red Menshen APT uses BPFDoor variants to infect Linux Kernel

August 4, 2023

A malicious campaign run by the Red Menshen APT group has been using several versions of the BPFDoor backdoor as part of its infection chain against Linux and cloud servers.

Researchers believe that the wide adoption of Linux across critical infrastructure, on-premises servers, and cloud environments has made it an attractive target for threat actors looking to steal information, disrupt services, or stage sophisticated operations.

Earlier this year, this threat group targeted Windows systems exclusively, but its latest attacks show that it is expanding its scope to non-Windows environments.


The Red Menshen APT has utilised Linux and Solaris BPFDoor variants.


According to investigations, the Red Menshen APT leverages BPFDoor variants for Linux and Solaris servers. The actors used the Backdoor.Linux.BPFDOOR and Backdoor.Solaris.BPFDOOR.ZAJE backdoors to attack firms in the telecom sector in Hong Kong and Turkey.

These malware variants use Berkeley Packet Filter (BPF) programs that let their operators load and trigger the backdoor from within the Linux kernel, bypassing firewalls and other network protection solutions on Solaris and Linux systems.

Researchers noted that these capabilities are common in rootkits but have rarely been adopted in backdoors.

Further analysis also revealed that the number of instructions in the backdoor's BPF filter has grown since 2022. This detail indicates that the operators are actively developing and distributing BPFDoor.

A recent tally also showed that most samples from 2018 to 2022 contain 30 BPF instructions and accept distinct magic numbers for the UDP, TCP, and ICMP protocols. The latest variants, by contrast, contain about 39 BPF instructions and support a 4-byte magic number for TCP packets.

Furthermore, researchers discovered BPFDoor variants containing 205 and 229 instructions that could potentially target macOS systems. Researchers are continuing to monitor that variant.

Experts suggest that network defenders should update their BPF filter analysis, since the threat actors continually evolve the BPF filter they use to deploy the BPFDoor backdoor. Defenders can also use standard Linux commands to investigate suspicious BPF programs on hosts within the organisation's network.
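As an added example (not part of the original article or the cited research), the script below shows one way to carry out that host-level check: it parses the kernel's AF_PACKET socket table (`/proc/net/packet`) and the output of `ss -0pb` (iproute2, which prints the classic BPF filter attached to each packet socket as a `bpf filter (N): ...` line), maps socket inodes back to owning processes via `/proc/<pid>/fd`, and flags filters whose instruction count matches the sizes the article cites. The `/proc/net/packet` and `ss` text embedded below is constructed sample data; the exact column spacing of real `ss` output may differ, so the parser keys on the `users:(...)` and `bpf filter (N)` tokens rather than positions. The process name `unknown-daemon` is a placeholder.

```python
"""Triage AF_PACKET sockets and their attached classic BPF filters on Linux.

Two data sources:
  * /proc/net/packet  kernel table of packet sockets (columns:
                      sk RefCnt Type Proto Iface R Rmem User Inode)
  * `ss -0pb`         per-socket owning process and attached BPF program
"""
import os
import re
import subprocess

# Filter sizes quoted in the article for known BPFDoor variants.
KNOWN_BPFDOOR_INSN_COUNTS = {30, 39, 205, 229}

# Constructed sample of /proc/net/packet (not captured from a real host).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c1e40f9a000 3      3    0003   2     1 0      0      41233
ffff9c1e40f9b800 3      3    0800   0     1 0      0      52177
"""

# Constructed sample of `ss -0pb` output; the layout is approximated.
SAMPLE_SS = """\
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port Process
p_raw 0      0      *:eth0             *                 users:(("tcpdump",pid=1410,fd=3))
\tbpf filter (4): 0x28 0 0 12, 0x15 0 1 2048, 0x06 0 0 262144, 0x06 0 0 0
p_raw 0      0      *:*                *                 users:(("unknown-daemon",pid=2198,fd=4))
\tbpf filter (39): 0x28 0 0 12, 0x15 0 36 2048, 0x30 0 0 23, 0x15 0 5 6
"""

SS_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+),fd=(\d+)\)')
SS_BPF_RE = re.compile(r'bpf filter \((\d+)\):')


def parse_proc_net_packet(text):
    """Return one dict per packet socket; Type 3 = SOCK_RAW, Proto is hex
    (0003 = ETH_P_ALL, i.e. every frame on the interface)."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 9:
            continue
        sockets.append({"type": int(parts[2]), "proto": int(parts[3], 16),
                        "iface": int(parts[4]), "uid": int(parts[7]),
                        "inode": int(parts[8])})
    return sockets


def parse_ss_packet(text):
    """Pair each `ss -0pb` socket line with the `bpf filter (N)` line that
    follows it; sockets without a filter line keep bpf_insns == 0."""
    entries = []
    for line in text.splitlines():
        m = SS_PROC_RE.search(line)
        if m:
            entries.append({"comm": m.group(1), "pid": int(m.group(2)),
                            "fd": int(m.group(3)), "bpf_insns": 0})
            continue
        m = SS_BPF_RE.search(line)
        if m and entries:
            entries[-1]["bpf_insns"] = int(m.group(1))
    return entries


def flag_suspicious(entries):
    """Filters whose instruction count matches a size reported for BPFDoor.
    A match is a lead for analysis, not proof: legitimate tools also attach
    filters, so always inspect the program and the owning process."""
    return [e for e in entries if e["bpf_insns"] in KNOWN_BPFDOOR_INSN_COUNTS]


def pids_for_inode(inode, proc="/proc"):
    """Map a socket inode to owning PIDs by reading /proc/<pid>/fd links."""
    target = "socket:[%d]" % inode
    owners = []
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    owners.append(int(pid))
        except OSError:  # process exited or not ours to read
            continue
    return owners


def live_report():
    """Run against the current host (needs root to see other users' sockets)."""
    with open("/proc/net/packet") as f:
        sockets = parse_proc_net_packet(f.read())
    ss_out = subprocess.run(["ss", "-0pb"], capture_output=True, text=True).stdout
    flagged = flag_suspicious(parse_ss_packet(ss_out))
    for s in sockets:
        print("packet socket inode=%d type=%d proto=0x%04x uid=%d owners=%s"
              % (s["inode"], s["type"], s["proto"], s["uid"],
                 pids_for_inode(s["inode"])))
    for e in flagged:
        print("FLAG: %s pid=%d fd=%d attaches a %d-instruction BPF filter"
              % (e["comm"], e["pid"], e["fd"], e["bpf_insns"]))


if __name__ == "__main__":
    for e in flag_suspicious(parse_ss_packet(SAMPLE_SS)):
        print("sample FLAG:", e)
```

On a real host, run `live_report()` as root; treat a flagged entry as a starting point for pulling the filter bytecode (`ss -0pb` prints it) and the owning process's binary and command line, not as a verdict on its own.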

Security teams should adopt the IOCs published with the research to spot unwanted activity on their networks and block it before damage is done.
