BPFDoor

Malware

⚠️ Overview

BPFDoor is a passive Linux backdoor (Solaris builds have also been found) that takes its name from the Berkeley Packet Filter it attaches to a raw socket in order to watch for an operator's "magic" packet. It was first publicly documented by PwC's Threat Intelligence team in its Year in Retrospect 2021 report, which attributed it to the China-based espionage actor PwC tracks as Red Menshen. It falls under the backdoor category and is built for long-term covert access to targeted networks, with reported victims concentrated in the telecommunications, government and technology sectors.

🔧 Technical Capabilities

BPFDoor does not listen on any TCP or UDP port. Instead it opens a raw AF_PACKET socket and attaches a classic BPF program (via setsockopt SO_ATTACH_FILTER) that passes only ICMP, UDP or TCP packets carrying a short magic value. A packet socket sees traffic before the IP stack and the host firewall act on it, so the trigger can be sent to any port, open or closed, and nothing appears in netstat or ss as a listener. When a matching packet arrives the implant reads the operator's address and a password from it and either connects back with a reverse shell or starts a bind shell on a high port; in the widely analysed 2022 samples the shell session is encrypted with RC4. In bind-shell mode it rewrites the host firewall rather than disabling it: it inserts an iptables nat PREROUTING REDIRECT rule that sends the operator's connections to a legitimate port (such as 443) to the backdoor's high port, together with an INPUT ACCEPT rule for the operator's source address, so the session passes existing firewall policy. Once the operator has a shell, arbitrary command execution, file transfer and pivoting into the rest of the network follow. Evasion is aimed at host inspection rather than debuggers: the implant copies itself to /dev/shm, executes the copy and deletes it from disk, alters the file's timestamps, wipes its environment variables, and rewrites argv[0] so that the process appears in ps under a legitimate daemon's command line (for example /sbin/udevd -d or dbus-daemon --system); a pid file such as /var/run/haldrund.pid serves as a run-once lock. There is no beaconing, no hardcoded C2 address, no domain generation and no domain fronting: the implant stays silent until the operator addresses it, which is what makes it hard to find from network telemetry alone.

📜 History & Notable Incidents

BPFDoor samples date back to at least 2018, but the malware drew little attention until PwC's Year in Retrospect 2021 report linked it to Red Menshen intrusions at telecommunications providers across the Middle East and Asia; a public analysis with sample hashes by researcher Kevin Beaumont in May 2022 then prompted most of the detection content that exists today. In 2022, Japanese CERT (JPCERT/CC) issued an advisory detailing BPFDoor samples targeting Japanese government and research institutions. No CVE is associated with BPFDoor itself: it is a post-exploitation implant placed on hosts the actor already controls, and public reporting has not consistently established how the known victims were initially compromised. Law enforcement actions have not specifically targeted BPFDoor.

🔍 Detection Indicators

The file and network indicators that circulated with this entry are not usable: the SHA-256 value e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is the hash of empty input, the MD5 value 5d41402abc4b2a76b9719d911017c592 is the hash of the string "hello", 203.0.113.0/24 is the RFC 5737 documentation range, and BPFDoor speaks no HTTP, so it sends no User-Agent. Take sample hashes from the published lists and YARA rules (Elastic, Sandfly and Kevin Beaumont's 2022 analysis all released them) and hunt on behaviour. On the host, look for a process holding an AF_PACKET raw socket with a BPF program attached (ss -0pb lists packet sockets, the owning process and the attached filter; legitimate holders such as DHCP clients and tcpdump are few and recognisable), a process whose /proc/PID/exe points into /dev/shm or ends in "(deleted)" while its command line claims to be a system daemon, an empty /proc/PID/environ, a pid file such as /var/run/haldrund.pid, and iptables nat PREROUTING REDIRECT rules that send traffic from a single source address and a service port to a high port. On the network, the trigger is a single ICMP, UDP or TCP packet carrying the magic value, followed by an RC4-encrypted shell session, either outbound to the sender or inbound on a high port; there is no HTTP or DNS pattern to match. Linux has no registry; the run-once lock is the pid file, not a systemd unit.
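The host-side hunt described above, as an added example that is not part of the original entry or of any vendor's tooling: it parses /proc/net/packet to find packet sockets, maps their inodes to the processes holding them, and reports raw-socket holders together with any anomaly in where their executable lives, whether it has been deleted, and whether argv[0] matches it. The /proc/net/packet text and the process table are constructed samples (the /dev/shm/kdmtmpflush path and the udevd disguise in pid 8071 mimic reported behaviour); collect_live() gathers the same inputs on a real Linux host, where reading other users' file descriptors needs root. A process with only a raw-socket reason (tcpdump, some DHCP clients) is a review item, not a hit.

```python
"""Hunt for a BPFDoor-style passive backdoor: a process that holds a raw
AF_PACKET socket and whose executable or argv[0] looks wrong.
All logic is pure functions over text so it can run offline on the
constructed sample; collect_live() reads the same inputs from /proc."""
import os
import re
from pathlib import PurePosixPath

SOCK_RAW = 3  # "Type" column of /proc/net/packet: 3 = SOCK_RAW, 2 = SOCK_DGRAM
TMP_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")

# Constructed sample of /proc/net/packet (not a real capture): one raw
# IP packet socket (proto 0800) and one datagram packet socket.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8d3e4a1b2c00 3      3    0800   0     1 0      0      48213
ffff8d3e4a1b3d00 3      2    0800   2     1 0      0      30117
"""

# Constructed process table: readlink(/proc/PID/exe), argv[0] from
# /proc/PID/cmdline, and readlink() of every /proc/PID/fd entry.
# pid 8071 mimics the reported implant (deleted copy in /dev/shm,
# disguised as udevd); the other two are benign.
SAMPLE_PROCS = {
    1423: {"exe": "/usr/sbin/dhcpcd", "argv0": "/usr/sbin/dhcpcd",
           "fds": ["socket:[30117]", "anon_inode:[eventpoll]"]},
    8071: {"exe": "/dev/shm/kdmtmpflush (deleted)", "argv0": "/sbin/udevd",
           "fds": ["socket:[48213]", "/dev/null"]},
    2210: {"exe": "/usr/bin/bash", "argv0": "bash", "fds": ["/dev/pts/0"]},
}


def parse_proc_net_packet(text):
    """Map socket inode -> (type, protocol) for each packet socket listed."""
    sockets = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) >= 9:
            sockets[int(cols[8])] = (int(cols[2]), int(cols[3], 16))
    return sockets


def socket_inodes(fds):
    """Inodes of the sockets among a process's fd link targets."""
    inodes = set()
    for target in fds:
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            inodes.add(int(m.group(1)))
    return inodes


def assess(info, packet_sockets):
    """Reasons a process looks like the implant; [] if it holds no raw
    packet socket.  A lone raw-socket reason means 'review', not 'hit'."""
    held = socket_inodes(info["fds"]) & packet_sockets.keys()
    reasons = [f"raw AF_PACKET socket inode {ino} (proto 0x{packet_sockets[ino][1]:04x})"
               for ino in sorted(held) if packet_sockets[ino][0] == SOCK_RAW]
    if not reasons:
        return []
    exe = info["exe"]
    deleted = exe.endswith(" (deleted)")
    exe_path = exe[: -len(" (deleted)")] if deleted else exe
    if deleted:
        reasons.append("executable has been deleted from disk")
    if exe_path.startswith(TMP_DIRS):
        reasons.append(f"executable runs from a temporary filesystem: {exe_path}")
    if PurePosixPath(info["argv0"]).name != PurePosixPath(exe_path).name:
        reasons.append(f"argv[0] {info['argv0']!r} does not match exe {exe_path!r}")
    return reasons


def hunt(packet_text, procs):
    """{pid: [reasons]} for every process worth looking at."""
    packet_sockets = parse_proc_net_packet(packet_text)
    findings = {pid: assess(info, packet_sockets) for pid, info in procs.items()}
    return {pid: r for pid, r in findings.items() if r}


def collect_live():
    """Gather the same inputs from /proc on a Linux host (root sees all fds)."""
    with open("/proc/net/packet") as f:
        packet_text = f.read()
    procs = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            procs[pid] = {
                "exe": os.readlink(f"/proc/{pid}/exe"),
                "argv0": argv0,
                "fds": [os.readlink(f"/proc/{pid}/fd/{fd}")
                        for fd in os.listdir(f"/proc/{pid}/fd")],
            }
        except OSError:
            continue  # process exited, kernel thread, or not readable without root
    return packet_text, procs


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_PROC_NET_PACKET, SAMPLE_PROCS).items():
        print(f"pid {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

On a live host, replace the sample call with `hunt(*collect_live())`; the argv[0] comparison is deliberately strict, so interpreters and wrappers that legitimately differ from their exe basename need an allowlist before this runs as an alert.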

☠️ Risk & Impact

BPFDoor gives its operator a silent, long-lived foothold from which credentials, configuration files and intellectual property can be collected, particularly on telecom and government networks where the compromised hosts are often internet-facing gateways. Because the implant is invisible to port scans and rarely flagged by host tooling, dwell time can run to years. In affected organisations it has served as the base for network reconnaissance and lateral movement in espionage operations. Direct financial loss is usually secondary to the cost of investigation, regulatory exposure and the loss of confidence in affected network infrastructure, and the full scale of victims remains undisclosed.

🛡️ Mitigation

Because BPFDoor runs as root on hosts the actor has already compromised, the controls that matter are those that keep it from getting there and those that catch it once it has. Patch internet-facing services promptly and segment networks so that a single compromised gateway cannot reach internal systems. On Linux hosts, enforce least privilege, limit which workloads hold CAP_NET_RAW (needed to open the packet socket), mount /dev/shm and /tmp noexec where workloads permit, and alert on new nat-table REDIRECT rules, on executables in /dev/shm, and on processes with packet sockets that are not known network daemons. EDR rules should key on the raw-socket-plus-filter combination and on the argv[0]/exe mismatch rather than on encryption patterns, which are not visible from the host. In MITRE ATT&CK terms the implant is the reference example for T1205.002 (Traffic Signaling: Socket Filters) and also uses T1036 (Masquerading), T1070.006 (Indicator Removal: Timestomp) and T1562.004 (Impair Defenses: Disable or Modify System Firewall); published YARA rules, for example Elastic's in its public protections-artifacts repository, cover the known samples.
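The firewall check from the paragraph above, as an added example written for this entry rather than taken from any vendor's detection content: it parses iptables-save output, picks out nat REDIRECT rules and scores the shape that public analyses of the 2022 samples describe for bind-shell mode (one source host, a well-known port sent to a high port, plus an INPUT ACCEPT for the same host). The iptables-save text is a constructed sample; the port thresholds and the corroborating-rule heuristic are this example's own assumptions, so a finding means review the rule, not confirmed compromise. On a real host, pass it the output of iptables-save run as root (nftables-only hosts need nft list ruleset and a different parser).

```python
"""Audit iptables-save output for the NAT REDIRECT rule that BPFDoor's
bind-shell mode inserts: a single operator address, a well-known service
port, redirected to a high local port.  Pure text parsing so it runs on the
constructed sample; feed it subprocess.check_output(["iptables-save"],
text=True) on a real host."""
import re

# Constructed sample (not from a real host): Docker's usual nat rules plus
# one rule of the suspicious shape and the matching INPUT ACCEPT.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save v1.8.7
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -s 198.51.100.7/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 42800
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 198.51.100.7/32 -p tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A (?P<chain>\S+) (?P<args>.*)$")


def parse_iptables_save(text):
    """List of {table, chain, args} for every -A rule, tracking *table lines."""
    rules, table = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        else:
            m = RULE_RE.match(line)
            if m and table:
                rules.append({"table": table, "chain": m["chain"], "args": m["args"]})
    return rules


def opt(args, flag):
    """Value following a flag in a rule's argument string, or None."""
    m = re.search(rf"(?:^|\s){re.escape(flag)}\s+(\S+)", args)
    return m.group(1) if m else None


def first_port(spec):
    """Leading port of '443', '42391-43391' or '8000:8100'; None if absent."""
    return int(re.split(r"[-:]", spec)[0]) if spec else None


def single_host(src):
    """True for a bare address or a /32 prefix."""
    return bool(src) and ("/" not in src or src.endswith("/32"))


def assess_redirect(rule, rules):
    """Reasons a nat REDIRECT rule resembles the implant's bind-shell plumbing."""
    args = rule["args"]
    src, dport = opt(args, "-s"), first_port(opt(args, "--dport"))
    to = first_port(opt(args, "--to-ports"))
    reasons = []
    if dport is not None and dport < 1024 and to is not None and to >= 1024:
        reasons.append(f"service port {dport} redirected to high port {to}")
    if single_host(src):
        reasons.append(f"scoped to a single source host {src}")
        # Corroboration (heuristic): the implant also opens the filter table
        # for the same host, so look for an INPUT ACCEPT with that source.
        if any(r["table"] == "filter" and r["chain"] == "INPUT"
               and opt(r["args"], "-s") == src and opt(r["args"], "-j") == "ACCEPT"
               for r in rules):
            reasons.append(f"matching INPUT ACCEPT for {src} in the filter table")
    return reasons


def audit(text):
    """[(rule args, reasons)] for every nat REDIRECT rule with at least one reason."""
    rules = parse_iptables_save(text)
    findings = []
    for rule in rules:
        if rule["table"] == "nat" and opt(rule["args"], "-j") == "REDIRECT":
            reasons = assess_redirect(rule, rules)
            if reasons:
                findings.append((rule["args"], reasons))
    return findings


if __name__ == "__main__":
    for args, reasons in audit(SAMPLE_IPTABLES_SAVE):
        print(f"-A {args}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run it periodically and diff the findings against the previous run: a REDIRECT rule that appears without a corresponding change-management record is the signal, since the implant adds the rule only while a bind shell is in use.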


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.