doublepulsar.com
https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896
Published in DoublePulsar
Kevin Beaumont · May 7 · 3 min read

BPFDOOR — AN ACTIVE CHINESE GLOBAL SURVEILLANCE TOOL

Recently, PwC Threat Intelligence documented the existence of BPFDoor, a passive network implant for Linux that they attribute to Red Menshen, a Chinese threat actor group. You can read more in PwC's great yearly threat intelligence brief. PwC plan to present their findings in June.

BPFDoor is interesting. It allows a threat actor to backdoor a system for remote code execution without opening any new network ports or firewall rules. For example, if a web app already listens on port 443, the implant can listen and react on that same port 443, and it can be reached over the web app's port even while the web app is running. This is possible because the implant uses a BPF packet filter: instead of binding a port of its own, it reads traffic through a raw packet socket, which sees every packet arriving at the host regardless of which process owns the destination port, and the attached filter discards everything except the packets that carry its trigger. The web app still gets the connection; the implant simply watches the same packets go past.

Operators have access to a tool which allows communication with the implants, using a password, which allows features such as remotely executing commands. This works over internal networks and over the internet.

Because BPFDoor doesn't open any inbound network ports, doesn't use an outbound C2, and renames its own process in Linux (so ps aux, for example, will show a friendly name), it is highly evasive. The practical consequence for defenders is that listening-port inventories, firewall logs and outbound-beacon detection all come up empty; what remains visible is the raw packet socket the implant must hold, the mismatch between the name it shows ps and the binary it actually runs from, and its files on disk.

I swept the internet for BPFDoor throughout 2021, and discovered it is installed at organisations across the globe, in particular the US, South Korea, Hong Kong, Turkey, India, Viet Nam and Myanmar. These organisations include government systems, postal and logistic systems, education systems and more.

Inside those organisations I believe it is likely present on thousands of systems. The implant appears to be for surveillance purposes. Per PwC:

> We also identified that the threat actor sends commands to BPFDoor victims via Virtual Private Servers (VPSs) hosted at a well-known provider, and that these VPSs, in turn, are administered via compromised routers based in Taiwan, which the threat actor uses as VPN tunnels. Most Red Menshen activity that we observed took place between Monday to Friday (with none observed on the weekends), with most communication taking place between 01:00 and 10:00 UTC. This pattern suggests a consistent 8 to 9-hour activity window for the threat actor, with realistic probability of it aligning to local working hours.

The implant has been in use for many years (over 5) and has flown under the radar. Versions exist for Linux appliances, Solaris SPARC boxes and more. For example, here's a Solaris version first uploaded to VirusTotal in 2019:

VirusTotal — File — dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a

Nextron Systems' THOR was detecting the activity over the past year or so, visible in VirusTotal comments.

INDICATORS OF COMPROMISE AND INDICATORS OF ATTACK

Note that each implant has a unique hash, so hunting for file hashes is a BAD IDEA. Hunt on behaviour and on code patterns instead: the YARA rules below match the implant's code rather than a specific build, and the file-system and process artefacts below hold across samples.

* VirusTotal — Collections — BPFDoor
* YARA rules:
  * signature-base/mal_lnx_implant_may22.yar at master · Neo23x0/signature-base (github.com)
  * ThreatHunting/BPFDoor-Unknown.yar at master · GossiTheDog/ThreatHunting (github.com)
* Files in /dev/shm such as /dev/shm/kdmtmpflush
* Sandbox report from 2019, which includes useful commands: Automated Malware Analysis Report for m8XMnec4Vb.elf — Generated by Joe Sandbox

BPFDOOR SOURCE CODE

Florian found BPFDoor controller source code on VirusTotal. This is for an older version of the implant, from around 2018.

It is available on Pastebin here: Red Menshen BPFDoor Source Code — Pastebin.com

TECHNICAL ARTEFACT ANALYSIS

Craig Rowland has a great initial look at BPFDoor, from an older version, in this thread.
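The indicators above are all things a defender can check on a live host without a hash: which processes hold a raw packet socket (/proc/net/packet mapped back to /proc/<pid>/fd), whether a process's ps-visible name disagrees with the binary it was started from (/proc/<pid>/exe is maintained by the kernel and is not affected by a process renaming itself), and whether that binary lives in, or was deleted from, /dev/shm. The following hunt script is an added example written for this page; it is not the author's sweep tooling, not PwC's or Nextron's detection content, and not taken from the BPFDoor source. The Proc record, the hunt/assess/packet_socket_inodes function names, the severity scheme, and the sample process table and /proc/net/packet listing (pids, names, inode numbers) are all constructed for illustration.

```python
"""Hunt for BPFDoor-style passive implants via /proc (added example, not the article's tooling).

Signals: a process holding an AF_PACKET (raw) socket, so it can see traffic for ports it
never bound; a ps-visible name (argv[0] / comm) that does not match /proc/<pid>/exe; a
binary run from /dev/shm (e.g. /dev/shm/kdmtmpflush) or already deleted from disk.
All sample data below is constructed; pids, names and inode numbers are invented.
"""
import os
import re
import sys
from dataclasses import dataclass, field


@dataclass
class Proc:
    """The /proc facts the hunt needs for one process."""
    pid: int
    comm: str                # /proc/<pid>/comm: the short name ps prints (max 15 chars)
    cmdline: str             # /proc/<pid>/cmdline with NULs replaced by spaces
    exe: str                 # readlink('/proc/<pid>/exe'); ends in ' (deleted)' if unlinked
    socket_inodes: set = field(default_factory=set)   # N from socket:[N] links in /proc/<pid>/fd


def packet_socket_inodes(proc_net_packet: str) -> set:
    """Return the socket inodes listed in /proc/net/packet (every AF_PACKET socket on the host).
    The last column of each data row is the inode, which maps the socket to a pid via /proc/<pid>/fd."""
    inodes = set()
    for line in proc_net_packet.splitlines()[1:]:       # first line is the column header
        cols = line.split()
        if len(cols) >= 9 and cols[-1].isdigit():
            inodes.add(int(cols[-1]))
    return inodes


def assess(proc: Proc, pkt_inodes: set) -> list:
    """Return the reasons this process looks like a passive implant (empty list = nothing seen)."""
    reasons = []
    exe_path = proc.exe.replace(' (deleted)', '')
    exe_base = os.path.basename(exe_path)
    # argv[0] as ps shows it; a trailing ':' is the setproctitle convention ("sshd: alice [priv]")
    argv0_base = os.path.basename(proc.cmdline.split(' ', 1)[0]).rstrip(':') if proc.cmdline else ''

    if proc.socket_inodes & pkt_inodes:
        reasons.append('holds an AF_PACKET socket')
    # The implant overwrites argv[0] and sets comm to a benign name; the kernel-maintained exe link
    # still points at the real binary, so the names disagree. Symlinked binaries (/sbin/init ->
    # systemd) and interpreter wrappers (python3 -> python3.10) disagree too, so this alone is weak.
    if argv0_base and argv0_base != exe_base:
        reasons.append(f"argv[0] {argv0_base!r} does not match exe {exe_base!r}")
    if proc.comm and proc.comm != exe_base[:15]:
        reasons.append(f"comm {proc.comm!r} does not match exe {exe_base!r}")
    if exe_path.startswith('/dev/shm/') or proc.exe.endswith(' (deleted)'):
        reasons.append(f'binary runs from {proc.exe}')
    return reasons


def hunt(procs: list, proc_net_packet: str) -> list:
    """Rank findings: packet socket plus another signal is 'high'; a packet socket alone (tcpdump,
    dhclient, IDS agents are legitimate holders) or two name/path signals is 'medium'; else 'low'."""
    pkt = packet_socket_inodes(proc_net_packet)
    findings = []
    for p in procs:
        reasons = assess(p, pkt)
        if not reasons:
            continue
        has_pkt = reasons[0] == 'holds an AF_PACKET socket'
        severity = 'high' if has_pkt and len(reasons) > 1 else 'medium' if has_pkt or len(reasons) > 1 else 'low'
        findings.append((severity, p.pid, reasons))
    rank = {'high': 0, 'medium': 1, 'low': 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


def collect_live() -> list:
    """Build Proc records from the running host (run as root to read other users' fd and exe links)."""
    procs = []
    for entry in os.listdir('/proc'):
        if not entry.isdigit():
            continue
        base = f'/proc/{entry}'
        try:
            with open(f'{base}/comm') as fh:
                comm = fh.read().strip()
            with open(f'{base}/cmdline', 'rb') as fh:
                cmdline = fh.read().replace(b'\0', b' ').decode(errors='replace').strip()
            exe = os.readlink(f'{base}/exe')
            inodes = set()
            for fd in os.listdir(f'{base}/fd'):
                m = re.fullmatch(r'socket:\[(\d+)\]', os.readlink(f'{base}/fd/{fd}'))
                if m:
                    inodes.add(int(m.group(1)))
        except OSError:          # exited meanwhile, kernel thread (no exe), or permission denied
            continue
        procs.append(Proc(int(entry), comm, cmdline, exe, inodes))
    return procs


# Constructed sample: init, a legitimate packet-socket user (dhclient), and an implant that renamed
# itself to look like udevd while running from a deleted file in /dev/shm.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3c1f2c5800 3      3    0003   2     1 0      0      40211
ffff9a3c1f2c6c00 3      3    0003   2     1 0      0      40322
"""
SAMPLE_PROCS = [
    Proc(1, 'systemd', '/sbin/init', '/usr/lib/systemd/systemd'),
    Proc(812, 'dhclient', '/sbin/dhclient -4 eth0', '/usr/sbin/dhclient', {40211}),
    Proc(2291, 'udevd', '/sbin/udevd -d', '/dev/shm/kdmtmpflush (deleted)', {40322, 41009}),
]

if __name__ == '__main__':
    procs, table = SAMPLE_PROCS, SAMPLE_PROC_NET_PACKET
    if '--live' in sys.argv:                          # hunt the real host instead of the sample
        with open('/proc/net/packet') as fh:
            table = fh.read()
        procs = collect_live()
    for severity, pid, reasons in hunt(procs, table):
        print(f'[{severity:6}] pid {pid}: ' + '; '.join(reasons))
```

Run without arguments it evaluates the constructed sample and reports the fake udevd as high (packet socket, two name mismatches, binary in /dev/shm), dhclient as medium (a packet socket is normal for it) and pid 1 as low (the /sbin/init symlink trips the argv[0] check). With --live on a Linux host it walks /proc for real, which needs root to see other users' sockets. Treat a name mismatch on its own as noise and look for the combination; a confirmed hit should then be followed up with the YARA rules listed above and a look at the file in /dev/shm.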