A newly discovered controller linked to the BPFDoor backdoor is enabling stealthy lateral movement across Linux servers, as part of a wave of cyberattacks impacting telecommunications, finance, and retail organizations across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt throughout 2024.
Researchers revealed that the new component can open a reverse shell on compromised systems, allowing attackers to move deeper within networks, take control of additional machines, and access sensitive information.
The activity is tentatively linked to a group known as Earth Bluecrow, although the attribution remains uncertain due to the public leak of BPFDoor’s source code in 2022, which may have allowed other threat actors to adopt and modify it.
Initially exposed in 2022, BPFDoor is a Linux-based malware designed for long-term espionage, providing attackers with persistent, covert access to victim networks. Its name comes from its use of the Berkeley Packet Filter (BPF), a mechanism that enables monitoring and filtering of network traffic at the kernel level. Through BPF, the malware listens for a specific “magic byte” within network packets, triggering its functionality even when a system’s firewall would normally block such traffic.
This advanced technique is more commonly seen in rootkits rather than traditional backdoors, making BPFDoor particularly effective for silent, long-term infiltration.
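A defender-side triage step, added here as an example and not taken from the article or the researchers' report: a BPF filter of the kind described above has to be attached to a socket that receives raw frames, so listing which processes on a Linux host hold packet sockets gives a short list to inspect. The script parses `/proc/net/packet` and resolves each socket inode to its owning process through `/proc/<pid>/fd`; it assumes the sniffer uses an AF_PACKET socket (other raw-socket families appear under `/proc/net/raw` instead), and the sample text and the process tree used for testing are constructed.

```python
import os
import re

# Constructed /proc/net/packet sample (columns: sk RefCnt Type Proto Iface R Rmem User Inode).
# Type 3 = SOCK_RAW, 2 = SOCK_DGRAM; Proto 0800 = ETH_P_IP, 0003 = ETH_P_ALL.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0800   2     1 0      0      40321
0000000000000000 3      2    0003   0     1 0      0      40322
"""

def parse_proc_net_packet(text):
    """One dict per AF_PACKET socket: socket type, ethertype protocol, inode."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append({"type": "RAW" if fields[2] == "3" else "DGRAM",
                        "proto": fields[3], "inode": fields[8]})
    return sockets

def socket_owners(inodes, proc_root="/proc"):
    """Map socket inode -> [(pid, comm)] by resolving /proc/<pid>/fd/* links.
    Reading another user's fd table needs root; unreadable pids are skipped."""
    wanted, owners = set(inodes), {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # permission denied or process already gone
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and m.group(1) in wanted:
                try:
                    with open(os.path.join(proc_root, pid, "comm")) as f:
                        comm = f.read().strip()
                except OSError:
                    comm = "?"
                owners.setdefault(m.group(1), []).append((int(pid), comm))
    return owners

def packet_socket_report(text, proc_root="/proc"):
    # Join both views: every packet socket together with the processes holding it.
    socks = parse_proc_net_packet(text)
    owners = socket_owners([s["inode"] for s in socks], proc_root)
    return [dict(s, owners=owners.get(s["inode"], [])) for s in socks]
```

On a live host run it as root with `packet_socket_report(open("/proc/net/packet").read())`; `ss -0pb` then shows the BPF filter attached to each of those sockets for closer inspection.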
The latest findings show that once inside a compromised environment, the controller component enables the attacker to connect to other machines within the network. Before interacting with BPFDoor, the controller requires a password, which must match a hard-coded list within the malware, adding a further layer of access control.
Based on the password and command-line options provided, the malware can perform various actions:
- Open a reverse shell for direct command execution,
- Redirect incoming connections to a shell on a specific port,
- Validate the presence and activity of the backdoor.
The controller also supports TCP, UDP, and ICMP as transport protocols and offers an optional encryption feature to secure its interactions with the backdoor. Additionally, it features a direct connection mode, allowing attackers with the correct password to immediately access a compromised host without needing to send a “magic packet.”
Experts warn that the use of BPF by malware developers introduces new threats that could bypass conventional security measures, underscoring the need for defenders to deepen their understanding of BPF-based attack techniques to better anticipate and mitigate future threats.