Researchers release tool to detect stealthy BPFDoor implants in critical infrastructure networks

Telecommunications providers around the world have been dealing with the burrowing efforts of China-linked APTs for many years now.

To help them identify hard-to-detect implants used by the China-based group dubbed Red Menshen, Rapid7 researchers have released a scanning script.

BPFdoor

US, Canadian, European and Asian telcos have been repeatedly hit by the infamous Salt Typhoon group in the past few years.

Red Menshen has been previously observed using the BPFDoor implant/backdoor when targeting telecommunications providers across Asia and the Middle East, as well as organizations in the finance and retail sectors.

Initial access is usually gained by exploiting known vulnerabilities in edge networking devices and VPN products or by leveraging compromised accounts. Once inside, however, Red Menshen attackers retain long-term access by placing hard-to-detect kernel-level implants like BPFDoor and passive backdoors like TinyShell.

“What makes BPFdoor particularly unique is its ability to operate at the kernel level without exposing a traditional network footprint,” Christiaan Beek, VP of Cyber Intelligence at Rapid7, told Help Net Security.

This unconventional Linux malware abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, and passively listens for specially crafted network packets (aka “magic packets”) that will activate it.

Figure: BPFDoor activation relying on magic packets (Source: Rapid7)

Rapid7 researchers fittingly describe this type of implant as “sleeper cells” – waiting to spring into action when called, but otherwise lying dormant and blending into the environment. When triggered, BPFDoor spawns a bind shell or reverse shell.
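One consequence of the design described above is that a BPF-based passive implant has no listening TCP or UDP port to show up in `ss -ltn`, but it must still hold a packet socket to see traffic, and the kernel lists every AF_PACKET socket in `/proc/net/packet` with its owning inode. The following added example (not Rapid7's scanner, whose internals the article does not describe) parses that table, maps socket inodes back to PIDs through `/proc/<pid>/fd`, and reports raw sockets for triage. The sample table and fd mappings are constructed; the column layout follows the kernel's `packet_seq_show` format.

```python
"""Find processes holding raw AF_PACKET sockets on a Linux host.

Added illustration for this article, not Rapid7's detection script.
Hits are leads, not verdicts: tcpdump, DHCP clients and monitoring agents
legitimately hold packet sockets, so each finding needs triage.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

SOCK_RAW = 3          # value of the Type column for SOCK_RAW sockets
ETH_P_ALL = 0x0003    # protocol value meaning "every frame on the interface"


@dataclass
class PacketSocket:
    sock_type: int
    proto: int
    ifindex: int
    uid: int
    inode: int


def parse_proc_net_packet(text: str) -> list[PacketSocket]:
    """Parse /proc/net/packet: a header line, then one socket per line.

    Columns: sk RefCnt Type Proto Iface R Rmem User Inode (Proto is hex).
    """
    sockets = []
    for line in text.strip().splitlines()[1:]:   # skip the column header
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append(PacketSocket(
            sock_type=int(fields[2]),
            proto=int(fields[3], 16),
            ifindex=int(fields[4]),
            uid=int(fields[7]),
            inode=int(fields[8]),
        ))
    return sockets


def owners_of_inode(inode: int, fd_links: dict[int, list[str]]) -> list[int]:
    """Return PIDs whose fd table contains a link to socket:[inode]."""
    target = f"socket:[{inode}]"
    return sorted(pid for pid, links in fd_links.items() if target in links)


def collect_fd_links(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Read every /proc/<pid>/fd/* symlink target; unreadable entries are skipped."""
    fd_links: dict[int, list[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:          # permission denied or process exited
            continue
        links = []
        for fd in fds:
            try:
                links.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                pass
        fd_links[int(entry)] = links
    return fd_links


def suspicious_raw_sockets(sockets: list[PacketSocket],
                           fd_links: dict[int, list[str]]) -> list[dict]:
    """Report every SOCK_RAW packet socket with its uid, interface and owning PIDs."""
    findings = []
    for s in sockets:
        if s.sock_type != SOCK_RAW:
            continue
        findings.append({
            "inode": s.inode,
            "proto": s.proto,
            "all_frames": s.proto == ETH_P_ALL,
            "uid": s.uid,
            "ifindex": s.ifindex,
            "pids": owners_of_inode(s.inode, fd_links),
        })
    return findings


# Constructed sample table: one SOCK_RAW socket capturing all frames (as a
# sniffer would hold) and one SOCK_DGRAM socket (as a DHCP client opens).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto Iface R Rmem   User   Inode
ffff9a1c0b2d8000 3      3    0003  2     1 0      0      41827
ffff9a1c0b2d9800 3      2    0800  2     1 0      0      41901
"""

# Constructed fd tables: PID 4120 owns the raw socket, PID 771 the dgram one.
SAMPLE_FD_LINKS = {
    4120: ["/dev/null", "socket:[41827]", "pipe:[5531]"],
    771: ["/dev/null", "socket:[41901]"],
    1: ["/dev/null"],
}


def demo() -> list[dict]:
    """Run the check against the constructed sample data."""
    return suspicious_raw_sockets(parse_proc_net_packet(SAMPLE_PROC_NET_PACKET),
                                  SAMPLE_FD_LINKS)


if __name__ == "__main__":
    if os.path.exists("/proc/net/packet"):   # live host: needs root to see all fds
        with open("/proc/net/packet") as fh:
            findings = suspicious_raw_sockets(parse_proc_net_packet(fh.read()),
                                              collect_fd_links())
    else:
        findings = demo()
    for finding in findings:
        print(finding)
```

Run as root on a live host to resolve every PID; an inode with an empty `pids` list after a privileged run is itself worth a look, since the socket exists but no visible process admits to holding it. The check covers the packet-socket path the article describes and says nothing about the filter program itself; `ss -0bp` can additionally dump the attached BPF filter for each packet socket on kernels that support it.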

The researchers have analyzed a number of BPFdoor samples and have discovered that older and newer variants:

  • Use code to masquerade as legitimate system services that run bare-metal infrastructure commonly deployed in telecom environments
  • Spoof core containerization components
  • Are capable of monitoring telecom-native protocols such as the Stream Control Transmission Protocol
  • Don’t just rely on magic packets to spring into action, but can also be triggered with packets embedded within seemingly legitimate (encrypted) HTTPS traffic
  • Use older or non-standard encryption routines to confuse inspection systems
  • Use specially crafted Internet Control Message Protocol (ICMP) payloads to signal back to the operator, but also to pass execution instructions from one compromised host to another

These techniques target different security boundaries, “from TLS inspection at the edge to IDS detection in transit and endpoint monitoring on the host, illustrating a deliberate effort to operate across the full defensive stack,” the researchers pointed out.

A BPFDoor detection script

BPFDoor isn’t the only “magic packet” malware out there: there’s the SEASPY backdoor targeting Barracuda Networks’ Email Security Gateway appliances, and the J-magic backdoor that attackers have loaded onto enterprise-grade Juniper routers.

Symbiote, a Linux userland-level rootkit/backdoor, is also capable of kernel packet filtering and hiding malicious network traffic from packet capture tools.

In complex and noisy telecom environments, implants like BPFdoor are difficult to catch as – according to Rapid7 – many organizations lack visibility into kernel-level operations, raw packet filtering behavior, and anomalous high-port network activity on Linux systems.

“Unlike most backdoors, [BPFdoor] doesn’t rely on open ports or persistent connections. You’re essentially trying to identify malicious behavior hidden inside otherwise normal network traffic. It’s like looking for a needle that looks and smells like hay, while the haystack itself keeps changing,” Beek added.

Company researchers have therefore created a scanning script designed to detect known/analyzed BPFDoor variants across Linux environments, and are offering it to defenders.

“The script is highly effective at identifying known patterns and behaviours we’ve validated in real samples,” Beek told us. That said, it can miss highly stealthy or evolving variants and may flag unusual but legitimate activity, so it should be used as part of a broader detection strategy.

Unfortunately, the point of this type of threat is that organizations can’t be 100% certain that they’ve removed them all. “These threats shift the conversation from ‘Did we remove it?’ to ‘Do we have enough visibility to trust the system again?’,” he added.

As their research is ongoing, Rapid7 may or may not create a detection tool for similar threats like Symbiote.

“Rather than chasing individual malware families, we’re focusing on detecting the underlying techniques such as kernel-level stealth and covert network behaviour across multiple threats,” Beek concluded.
