The Attacker

Red Menshen, a threat organization based in China, has been observed using the BPFDoor, it is a custom backdoor to target Middle Eastern and Asian telecommunication corporations as well as organizations in the government, education, and logistics sectors into 2021. TCP, UDP, and ICMP are just a few of the protocols that this backdoor support, for interacting with a C2, giving the threat actor a variety of ways to interact with the implant.

The majority of Red Menshen activity occurred between weekdays with no activity recorded on weekends. with the majority of communication occurring between 01:00 and 10:00 UTC. This trend implies that the threat actor has a regular 8 to 9-hour activity window, that is likely to coincide with local working hours.

How did it originate?

The threat actor employs a wide range of methods in its post-exploitation phase. Custom variants of the shared tool Mangzamel (including Golang variants), custom variants of Gh0st, and open source tools like Mimikatz and Metasploit to help in its lateral movement across Windows PCs are also included and the threat actor delivers orders to BPFDoor victims using Virtual Private Servers (VPSs) hosted by a well-known provider, and that these VPSs are managed through hacked routers headquartered in Taiwan, which the threat actor utilizes as VPN tunnels.

Investigation analysis of BPFDoor

• BPFdoor, a freshly found backdoor trojan, has been silently attacking Linux and Solaris computers for more than five years.
• BPFdoor is a Linux/Unix backdoor that allows threat actors to connect to a Linux shell remotely in order to obtain total access to a compromised device.
• BPFdoor does not require the opening of ports, is unaffected by firewalls, and can respond to orders from any IP address on the internet, making it a perfect weapon for corporate espionage and persistent attacks.
• BPFdoor is a passive backdoor, which means it can listen on one or more ports for incoming packets from one or more hosts, which attackers can exploit to remotely deliver orders to the infiltrated network.
• The virus employs a Berkeley Packet Filter (BPF) sniffer, which operates at the network layer interface and can view all network activity and transmit packets to any destination.
• BPF does not follow any firewall restrictions due to its low-level location.
• BPFdoor solely parses ICMP, UDP, and TCP packets, looking for a certain data value and, for the latter two, a password.
• What distinguishes BPFDoor is its ability to monitor any port for the magic packet, even if such ports are utilized by legal services such as web servers, FTP, or SSH.
• If the TCP and UDP packets include the correct “magic” data and password, the backdoor will execute a supported operation, such as establishing a bind or reverse shell.
• The study discovered BPFdoor activity on networks of companies in a variety of locales, including the United States, South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar.
• It achieves root-level permissions by exploiting CVE-2019-3010 – a vulnerability in the XScreenSaver component of the Solaris operating system.

Malware Operation

• Residing in system memory, it performs anti-forensics actions to delete the process environment and albeit unsuccessfully as it leaves it empty.
• Loads a Berkeley Packet Filter (BPF) sniffer, allowing it to view packets in front of any locally operating firewalls.
• When a relevant packet is received, the ‘iptables’ rules are modified to enable adversary access across the local firewall.
• Uses a moniker similar to a common Linux system daemon to disguise the binary.
• It is renamed and executed as /dev/shm/kdmtmpflush.
• Before destroying the binary, it changes the date to October 30, 2008 and this method is called timestomping.

time-stomping
The malware includes many predefined names that correspond to command strings included within pertaining packets.
To construct a bind shell on ports 42391 through 42491, use justtryit, justrobot, and justforfun.
Foolproof BPFDoor with AccuKnox
AccuKnox has Policy-Templates. It has policies for CVEs and Compliances and etcetera. For this particular vulnerability we are going to pick the policy from that policy template. Now let’s reproduce the environment. This malware works on any linux system. For reproducing I am going to use an Ubuntu image.

We can use this deployment to test the malware. Save this as an YAML file and apply using “kubectl apply -f bpfdoor-deployment.yaml” After that it will be deployed in your cluster.

• The initial point of the malware is that it is creating the file in the system when it’s deployed “/dev/shm/kdmtmpflush” and that’s how it’s designed.
• With KubeArmor blocking that malware is very simple with one policy. Let’s take that policy from the policy templates.

Here in the policy we added Here in the policy we added name: ksp-bpfdoor-malware

• To apply the policy run the below command.

• Here in the policy we added

• As we know that this is the initial point and that’s why we added the “/dev/shm/kdmtmpflush” in process and “/var/run/haldrund.pid” this process ID is created after the execution of “kdmtmpflush” binary.
• We have created another policy for other variants observed. That policy is a very lengthy one to show here. To view the policy click here. To apply the policy run below command.

• But with KubeArmor we are blocking that in the initial stage.
• This is because KubeArmor is using BPF to track sys calls and also that malware is made of BPF too.
• Now we have created the deployment and we have a policy. Let’s see that in action.
• After entering into the pod Clone this repository “https://github.com/yasin-cs-ko-ak/bpfdoor-malware.git”

Compile the “bpfdoor.c” file and execute as shown below.

This is before applying the policy:

• Here there is no file generated and we haven’t executed any malwares yet.

This is after applying the policy:

• Here we have compiled the C code into binary and executed. But the binary did not run.
  Because we are applying the policy into the infected container.
• Now let’s look at the karmor logs and see if it is actually blocking it or not.

karmor logs:

• Here we got a log for initial access of the malware. The malware rename itself and copy into the “/dev/shm/” directory as “kdmtmpflush”
• It got blocked by KubeArmor and the policy we applied.

• Here the malware tries to copy itself to the directory “/dev/shm/” and it’s got blocked.
• Here the malware changes its permission to “755” so it can be read and execute access for everyone and also write access for the owner of the file. 
• This syscall also blocked by KubeArmor.

• And finally the malware executes itself via “/dev/shm/kdmtmpfluh –init” to run on the system.
• That syscall also blocked by KubeArmor.
• This is how KubeArmor protects our workloads and systems from malware.
• These logs prove how KubeArmor is effective and important for organization.

Conclusion

BPFDoor malware is a stealthy malware that has been hidden for almost five years because of the BPF capabilities. Predominantly BPFDoor malware has escaped most of the firewalls and all defensive systems. Because it works on kernel level and majority of firewalls do not have the visibility at Kernel level.

Hence, AccuKnox Enterprice solution comes into action of protect cloud-native workloads in K8s, VMs and baremetal environments at Static and Runtime levels. KubeArmor uses eBPF capabilities to track syscalls and defend unwanted syscalls made by malwares and threats.

Book a demo at AccuKnox for production grade security and protection for your organization.

Additional resources:

1. BPFDoor: Stealthy Linux malware bypasses firewalls for remote access
2. https://pastebin.com/kmmJuuQP
3. https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection/f-dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a-1567566897
4. https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896
5. https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
6. https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/

AccuKnox delivers full Enterprise-ready features and this is depicted below.

Reach out to us and we will be glad to lend you a hand in your journey from Zero to Zero trust.

🌍Home:  Zero Trust Cloud-Native Application Protection Platform
📄Help: Intro – AccuKnox
📝Blogs:  Blog