
New BPFDoor Controller Allows Stealthy Lateral Motion in Linux Server Attacks

Cybersecurity researchers have unearthed a new controller component associated with a known backdoor called BPFDoor, used in cyber attacks targeting the telecommunications, finance, and retail sectors in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt in 2024.

“The controller could open a reverse shell,” Trend Micro researcher Fernando Mercês said in a technical report published earlier in the week. “This could allow lateral movement, enabling attackers to enter deeper into compromised networks, allowing them to control more systems or gain access to sensitive data.”

The campaign has been attributed to a threat group that Trend Micro tracks as Earth Bluecrow, which is also known as DecisiveArchitect, Red Dev 18, and Red Menshen.


BPFDoor is a Linux backdoor that first came to light in 2022, with the malware positioned as a long-term espionage tool used in attacks targeting entities in Asia and the Middle East for at least a year prior to its public disclosure.


The most distinctive aspect of the malware is that it creates a persistent yet covert channel through which threat actors can control compromised hosts and access sensitive data over extended periods of time.

The malware gets its name from its use of the Berkeley Packet Filter (BPF), a kernel facility that lets a program attach a small filter program to an open socket (on Linux, via the SO_ATTACH_FILTER socket option) so that the kernel runs the filter against every incoming packet on that socket. BPFDoor's filter watches for a specific magic byte sequence and, when it appears, the backdoor springs into action.

“Due to how BPF is implemented in the targeted operating system, the magic packet triggers the backdoor despite being blocked by a firewall,” Mercês said. “As the packet reaches the kernel’s BPF engine, it activates the resident backdoor. While these features are common in rootkits, they are not typically found in backdoors.”

Trend Micro's latest analysis found that the targeted Linux servers had also been infected by a previously undocumented controller, which the attackers use to reach other affected hosts in the same network after lateral movement.


“Before sending one of the ‘magic packets’ checked by the BPF filter inserted by BPFDoor malware, the controller asks its user for a password that will also be checked on the BPFDoor side,” Mercês explained.

In the next step, the controller directs the compromised machine to perform one of the following actions, depending on the password provided and the command-line options used:

  • Open a reverse shell
  • Redirect new connections to a shell on a specific port, or
  • Confirm the backdoor is active

It is worth pointing out that the password sent by the controller must match one of the hard-coded values in the BPFDoor sample. Besides supporting TCP, UDP, and ICMP as transports for commandeering infected hosts, the controller can enable an optional encrypted mode for secure communication.

Furthermore, the controller supports what is called a direct mode, which lets the attackers connect directly to an infected machine and obtain a shell for remote access, but only when the correct password is supplied.


“BPF opens a new window of unexplored possibilities for malware authors to exploit,” Mercês said. “As threat researchers, it’s a must to be equipped for future developments by analyzing BPF code, which will help protect organizations against BPF-powered threats.”
