Cybersecurity researchers have discovered a new component of the controller associated with the famous back called Bpfdoor Within the framework of cyber -departments aimed at the telecommunications, finance and retail sector in South Korea, Hong Kong, Myanmar, Malaysia and Egypt in 2024.
“The controller can open the backward shell”, “Trend Micro Descrinere Fernando Mercês” – Note In a technical report published earlier the week. “This can allow lateral motion, allowing the attackers to enter deeper into the impaired networks, allowing them to control more systems or access sensitive data.
The company has been associated with a group of threats it tracks as The land is blue, which is also known as resisivearchitect, Red Dev 18 and Red Menshen.
BPFDOOR – This is the back of Linux which First came to light In 2022, malicious software is placed as a long -term spyware tool for use in the Organization in Asia and the Middle East, at least a year before the public disclosure.
The most distinctive aspect of malicious software is that it creates a stable yet trusted channel for threat to the control of impaired workstations and access to sensitive data over a long period of time.
Malicious software gets its name from using the Berkeley package package (Bpf(
“Because the BPF is implemented in the target operating system, Magic Packet causes the back, despite the fact that its firewall is blocked,” said Mers. “As the package reaches the BPF kernel engine, it activates the resident. While these features are common in rootkits, they are not usually found in the rear rooms.”
The latest Trend Micro analysis has shown that Linux target servers were also infected with previously unregistered malicious programs used to access other affected hosts on the same network after side motion.
“Before sending one of the” charming packages “checked by BPF filter, inserted by BPFdoor malicious software, the controller asks for a password that will also be checked on the BPFDOOR side,” Mercês explained.
In the next phase, the controller directs the compromised machine to perform one of the above -based passwords and used command line parameters –
- Open the reverse shell
- Redirect new connections to a shell on a certain ports, or
- Confirm that the back is active
It should be noted that the password sent by the controller must match one of the solid values in the BPFDOOR sample. The controller, in addition to supporting TCP, UDP and ICMP protocols to manage infected hosts, may also include an additional encrypted mode for safe communication.
In addition, the controller supports what is called a direct mode that allows the attackers to directly connect to the infected machine and get a shell for remote access – but only when providing the required password.
“BPF opens a new window of unexplored opportunities for the operation of the authors of malware,” said Mercês. “As a threat researchers, it is necessary to be equipped for future developments by analyzing the BPF Code, which will help protect organizations from the threats working on the BPF.”
