S1161 BPFDoor
BPFDoor is a Linux-based passive, long-term backdoor used by China-based threat actors. First seen in 2021, BPFDoor is named after its use of the Berkeley Packet Filter (BPF) to receive single-task instructions. BPFDoor supports multiple protocols for communicating with a C2, including TCP, UDP, and ICMP, and can start local or reverse shells that bypass firewalls by modifying iptables rules.[4][3]
| Item | Value |
|---|---|
| ID | S1161 |
| Associated Names | JustForFun, Backdoor.Linux.BPFDOOR, Backdoor.Solaris.BPFDOOR.ZAJE |
| Type | MALWARE |
| Version | 1.1 |
| Created | 20 September 2024 |
| Last Modified | 03 January 2025 |
Associated Software Descriptions
| Name | Description |
|---|---|
| JustForFun | [1] |
| Backdoor.Linux.BPFDOOR | [2] |
| Backdoor.Solaris.BPFDOOR.ZAJE | [1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | BPFDoor can create a reverse shell and supports vt100 terminal emulation formatting.[4] |
| enterprise | T1480 | Execution Guardrails | BPFDoor creates a zero-byte PID file at /var/run/haldrund.pid. BPFDoor uses this file to determine whether it is already running on a system, ensuring only one instance executes at a time.[4] |
| enterprise | T1480.002 | Mutual Exclusion | When executed, BPFDoor attempts to create and lock a runtime file, /var/run/initd.lock, and exits if it cannot obtain the lock on that file, resulting in a makeshift mutex.[3] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.011 | Ignore Process Interrupts | BPFDoor sets its process to ignore the following signals: SIGHUP, SIGINT, SIGQUIT, SIGPIPE, SIGCHLD, SIGTTIN, and SIGTTOU.[3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.003 | Impair Command History Logging | BPFDoor sets MYSQL_HISTFILE and HISTFILE to /dev/null in its environment (visible in /proc/<PID>/environ), preventing the shell and MySQL from logging command history.[4] |
| enterprise | T1562.004 | Disable or Modify System Firewall | BPFDoor starts a shell on a high TCP port in the range 42391 to 43391, then changes the local iptables rules to redirect all packets from the attacker to the shell port.[4] |
| enterprise | T1070 | Indicator Removal | BPFDoor clears /proc/<PID>/environ, removing all environment variables for the process.[4] |
| enterprise | T1070.004 | File Deletion | After initial setup, BPFDoor's original execution process deletes the dropped binary and exits.[4] |
| enterprise | T1070.006 | Timestomp | BPFDoor uses the utimes() function to change the executable's timestamp.[4] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.009 | Break Process Trees | After initial execution, BPFDoor forks itself and runs the fork with the --init flag, which allows it to execute secondary clean-up operations. The parent process terminates, leaving the forked process to be inherited by the legitimate init process.[4] |
| enterprise | T1036.011 | Overwrite Process Arguments | BPFDoor overwrites the argv[0] value that the Linux /proc filesystem uses to determine the command line and command name displayed for each process. BPFDoor selects a name from 10 hardcoded names that resemble Linux system daemons, such as /sbin/udevd -d, dbus-daemon --system, avahi-daemon: chroot helper, /sbin/auditd -n, and /usr/lib/systemd/systemd-journald.[4] |
| enterprise | T1027 | Obfuscated Files or Information | BPFDoor can require a password to activate the backdoor and uses RC4 encryption or the statically linked encryption library libtomcrypt.[4] |
| enterprise | T1205 | Traffic Signaling | - |
| enterprise | T1205.002 | Socket Filters | BPFDoor uses BPF bytecode to attach a filter to a network socket so that it sees ICMP, UDP, or TCP packets arriving on ports 22 (ssh), 80 (http), and 443 (https). When BPFDoor finds a packet containing its "magic" bytes, it parses out two fields and forks itself. The parent process continues to monitor filtered traffic while the child process executes the instructions from the parsed fields.[4][3] |
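The host artifacts listed in the table above (the hardcoded daemon names in argv[0] with a mismatched or deleted executable, an emptied /proc/<PID>/environ, HISTFILE and MYSQL_HISTFILE pointed at /dev/null, the two runtime files under /var/run, and a process holding an AF_PACKET socket of the kind a BPF socket filter is attached to) can be checked together in one triage pass. The following is an added example written for this page; it is not MITRE's code nor code from any of the referenced analyses. The ProcInfo layout, the function names and the sample /proc/net/packet text are this example's own constructions; the detection logic is a heuristic based only on the behaviours described above.

```python
"""Triage a Linux host for the BPFDoor artifacts described on this page."""
import os
from dataclasses import dataclass

# argv[0] values quoted on the page (five of the ten hardcoded names).
MASQUERADE_NAMES = {
    "/sbin/udevd -d",
    "dbus-daemon --system",
    "avahi-daemon: chroot helper",
    "/sbin/auditd -n",
    "/usr/lib/systemd/systemd-journald",
}
RUNTIME_FILES = ("/var/run/haldrund.pid", "/var/run/initd.lock")


@dataclass
class ProcInfo:              # example's own container for one /proc entry
    pid: int
    cmdline: str             # /proc/<pid>/cmdline with NULs turned into spaces
    exe: str                 # target of /proc/<pid>/exe, "" if unreadable
    environ: bytes           # raw /proc/<pid>/environ
    packet_socket: bool = False  # process owns an AF_PACKET socket


def parse_packet_inodes(text: str) -> set[int]:
    """Inode numbers of AF_PACKET sockets from /proc/net/packet (last column)."""
    inodes = set()
    for line in text.splitlines()[1:]:     # first line is the column header
        fields = line.split()
        if fields:
            inodes.add(int(fields[-1]))
    return inodes


def assess_process(p: ProcInfo) -> list[str]:
    """Return human-readable findings for one process (empty list = clean)."""
    findings = []
    name = p.cmdline.strip()
    if name in MASQUERADE_NAMES:
        # A genuine daemon's executable basename matches its argv[0]; BPFDoor's
        # dropped binary is deleted after start, so exe often ends " (deleted)".
        want = os.path.basename(name.split()[0].rstrip(":"))
        have = os.path.basename(p.exe.replace(" (deleted)", ""))
        if not p.exe or p.exe.endswith(" (deleted)") or want not in have:
            findings.append(f"pid {p.pid}: argv[0] {name!r} but exe is {p.exe!r}")
        if p.packet_socket:
            findings.append(f"pid {p.pid}: daemon-named process holds an AF_PACKET socket")
    if p.exe and not p.environ:
        # Kernel threads also have an empty environ (and no exe), hence the guard.
        findings.append(f"pid {p.pid}: /proc/{p.pid}/environ is empty")
    else:
        env = {}
        for item in p.environ.split(b"\0"):
            key, _, value = item.partition(b"=")
            if key:
                env[key.decode(errors="replace")] = value.decode(errors="replace")
        for var in ("HISTFILE", "MYSQL_HISTFILE"):
            if env.get(var) == "/dev/null":
                findings.append(f"pid {p.pid}: {var}=/dev/null")
    return findings


def check_runtime_files(root: str = "/") -> list[str]:
    """Which of the two page-documented runtime files exist under root."""
    return [f for f in RUNTIME_FILES if os.path.exists(os.path.join(root, f.lstrip("/")))]


def snapshot_live() -> list[ProcInfo]:
    """Build ProcInfo records from the live /proc (Linux; run as root)."""
    try:
        with open("/proc/net/packet") as fh:
            inodes = parse_packet_inodes(fh.read())
    except OSError:
        inodes = set()
    procs = []
    for d in os.listdir("/proc"):
        if not d.isdigit():
            continue
        base = f"/proc/{d}"
        try:
            with open(f"{base}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace")
            with open(f"{base}/environ", "rb") as fh:
                environ = fh.read()
        except OSError:
            continue
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:
            exe = ""
        owns = False
        try:
            for fd in os.listdir(f"{base}/fd"):
                link = os.readlink(f"{base}/fd/{fd}")
                if link.startswith("socket:[") and int(link[8:-1]) in inodes:
                    owns = True
        except OSError:
            pass
        procs.append(ProcInfo(int(d), cmdline, exe, environ, owns))
    return procs


if __name__ == "__main__":
    for proc in snapshot_live():
        for finding in assess_process(proc):
            print(finding)
    for path in check_runtime_files():
        print("runtime file present:", path)
```

Run it as root on a live host to print findings; the individual functions also accept constructed ProcInfo records, which makes the heuristics easy to unit-test offline. The exe check uses a substring match on the basename so that, for example, a real systemd-udevd is not flagged for the /sbin/udevd name, and the empty-environ check is guarded by a readable exe link so kernel threads are not reported.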
References
1. Jamie Harries. (2022, May 25). Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved September 23, 2024.
2. Fernando Merces. (2023, July 13). Detecting BPFDoor Backdoor Variants Abusing BPF Filters. Retrieved September 23, 2024.
3. Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor Malware Evolves - Stealthy Sniffing Backdoor Ups Its Game. Retrieved September 19, 2024.
4. The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.