A sophisticated backdoor malware known as BPFDoor has been actively targeting organizations across Asia, the Middle East, and Africa, leveraging advanced stealth techniques to evade detection. BPFDoor has been observed targeting the telecommunications, finance, and retail sectors, with recent attacks documented in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.

This Linux backdoor uses Berkeley Packet Filter (BPF) technology to monitor network traffic at the kernel level, allowing it to remain hidden from conventional security scans while maintaining persistent access to compromised systems. Trend Micro researchers attribute these attacks to Earth Bluecrow (also tracked as Red Menshen), an advanced persistent threat (APT) group that has been deploying BPFDoor for cyberespionage.

The malware’s design enables it to inject BPF filters into the operating system’s kernel, where it can inspect network packets and activate upon receiving specially crafted “magic sequences”: predetermined byte patterns that trigger specific backdoor functions. The controller sends activation packets containing magic bytes (such as 0x5293 for TCP or 0x7255 for UDP), the remote IP address and port for the target to connect to, and an authentication password. This command instructs the controller to request a reverse shell connection from the infected machine (192.168.32.156) back to the attacker’s machine on port 8000. This functionality allows threat actors to dig deeper into compromised networks, facilitating lateral movement and access to additional systems and sensitive data.

For network defenders, detecting BPFDoor remains challenging because it operates across multiple protocols (TCP, UDP, and ICMP) and because attackers can easily modify the magic byte sequences used for activation. Because the backdoor does not listen on any network port, traditional measures such as port scans do not reveal it, allowing it to remain undetected for extended periods. This rootkit-like capability allows BPFDoor to blend into the system, changing process names and employing other evasion tactics to avoid detection.

The backdoor creates a persistent, nearly invisible channel through which threat actors can access sensitive data and systems over long periods, making it an ideal tool for long-term espionage operations. As this threat continues to evolve, organizations must implement advanced monitoring solutions capable of detecting the specific patterns associated with BPFDoor communications and activation sequences.
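A defender-side illustration of the activation-packet signature described above, added here as an example (not code from the article or from Trend Micro’s research): it scans constructed packet records for payloads that begin with the cited magic values, checks both byte orders because the article does not state the wire encoding (an assumption), and keeps the magic table configurable because the text notes that attackers can change the values. Every packet is inspected regardless of destination port, since an implant that does not bind a listening port can still see all traffic through its BPF filter.

```python
"""Payload scanner for the BPFDoor activation magic values cited in the article.

Added example, not code from the article or from Trend Micro. Packet records
are constructed sample data; the wire byte order of the magic values is assumed.
"""
from dataclasses import dataclass
import struct

# Magic values quoted in the article, keyed by transport protocol. Attackers
# can change them, so treat this table as a starting point to be extended with
# values observed in your own environment, not as a complete signature set.
DEFAULT_MAGIC = {"tcp": 0x5293, "udp": 0x7255}


@dataclass(frozen=True)
class Packet:
    """Minimal packet record (constructed; a real pipeline parses these from pcap)."""
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int
    payload: bytes


def magic_patterns(proto, magic=DEFAULT_MAGIC):
    """Byte encodings of the magic value for a protocol.

    The article gives the values as 16-bit numbers without stating wire byte
    order, so both big- and little-endian encodings are checked (assumption).
    """
    value = magic.get(proto)
    if value is None:
        return []
    return [struct.pack(">H", value), struct.pack("<H", value)]


def matches_magic(pkt, magic=DEFAULT_MAGIC):
    """True if the payload starts with a magic sequence for its protocol."""
    return any(pkt.payload.startswith(p) for p in magic_patterns(pkt.proto, magic))


def scan(packets, magic=DEFAULT_MAGIC):
    """Return one alert per packet carrying a magic sequence.

    Every packet is inspected regardless of destination port: the implant is not
    bound to a listening port, so the filter sees all traffic, and so must we.
    """
    alerts = []
    for pkt in packets:
        if matches_magic(pkt, magic):
            alerts.append({
                "proto": pkt.proto,
                "src": pkt.src,
                "dst": pkt.dst,
                "dport": pkt.dport,
                "magic": pkt.payload[:2].hex(),
            })
    return alerts


# Constructed sample traffic: two activation-style payloads, two benign ones.
# The host 192.168.32.156 is the infected machine named in the article; the
# other addresses are constructed.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.10", "192.168.32.156", 22,
           b"\x52\x93" + b"\x00" * 30),                   # big-endian TCP magic
    Packet("udp", "203.0.113.10", "192.168.32.156", 53,
           b"\x55\x72" + b"\x00" * 30),                   # little-endian UDP magic
    Packet("tcp", "192.168.32.20", "192.168.32.156", 80,
           b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),   # ordinary HTTP request
    Packet("icmp", "192.168.32.20", "192.168.32.156", 0,
           b"\x08\x00\x00\x00abcdefgh"),                  # echo request, no magic
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```

A two-byte prefix will occasionally match by chance, and the article itself notes the values are easy to change, so treat a hit as a lead to confirm on the host (a process with a BPF filter attached but no listening socket, or a process whose name does not match its binary, both of which the article describes as BPFDoor behaviour) rather than as proof of compromise on its own.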
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 14 Apr 2025 22:45:17 +0000