Introduction
Recent research from Rapid7 Labs has uncovered seven previously undocumented variants of the BPFDoor malware, a sophisticated backdoor specifically designed to evade traditional network security controls. Unlike typical malware that operates in user space, BPFDoor leverages Berkeley Packet Filters (BPFs) to execute directly within the operating system kernel, creating an exceptionally stealthy mechanism for unauthorized access that activates only upon receiving specially crafted "magic packets" over stateless protocols.
As static IoCs for earlier BPFDoor variants have been widely deployed, threat actors have adapted their techniques, developing variants that can bypass signature-based detection. These new implementations demonstrate the continued evolution of APT tooling designed specifically to maintain persistence in compromised Linux environments—particularly those in critical infrastructure, government, and enterprise sectors.
Defenders must urgently update their detection capabilities, as BPFDoor's kernel-level operation allows it to remain dormant until activated, making it nearly invisible to standard process monitoring and network-based security solutions.
Technical Analysis
Affected Platforms
- Linux distributions: CentOS, Ubuntu, Debian, Red Hat Enterprise Linux (RHEL), Oracle Linux
- Affected architectures: x86_64, ARM, and MIPS variants observed
Malware Characteristics
BPFDoor (also known as BPFInjector) is a kernel-level backdoor that utilizes Berkeley Packet Filter (BPF) technology to:
- Intercept and inspect network packets at the kernel level
- Hide its presence by hooking into the network stack before packets reach user-space monitoring tools
- Remain dormant until receiving a specially crafted "magic packet" via stateless protocols (UDP, TCP, or ICMP)
- Execute commands or establish reverse shells upon activation
Attack Chain
- Initial Access: Gained through credential theft, vulnerability exploitation, or supply-chain compromise
- Persistence Installation: The malware installs a kernel module or modifies system binaries to load its BPF filter
- Kernel-Level Operation: BPFDoor registers a BPF program with the kernel to inspect incoming traffic
- C2 Activation: Attackers send "magic packets" containing specific payload patterns to activate the backdoor
- Command Execution: Upon activation, the backdoor executes arbitrary commands or establishes reverse shells
Exploitation Status
- Active exploitation confirmed by Rapid7 in real-world environments
- No CVE assigned as this is malware, not a vulnerability in Linux or BPF itself
- Variants observed in the wild across multiple geographic regions
- CISA KEV status: Not currently listed, but represents significant APT capability
Stealth Characteristics
BPFDoor's effectiveness stems from:
- Operating within kernel space, bypassing user-space monitoring
- Using common system processes to execute malicious payloads
- Leveraging legitimate BPF functionality, making traffic appear normal
- Implementing encryption for command-and-control communications
- Utilizing stateless protocols that bypass standard firewall state tracking
Detection & Response
Given BPFDoor's kernel-level operation and stealthy nature, detection requires a multi-layered approach combining endpoint telemetry, network analysis, and kernel module inspection.
SIGMA Rules
YAML
---
title: Potential BPFDoor Linux Backdoor - Suspicious BPF Program Loading
id: b3c2e7d1-4a5f-4b8e-9c2d-3e4f5a6b7c8d
status: experimental
description: Detects potential loading of BPF programs for backdoor purposes based on command line patterns and process behavior.
references:
- https://www.rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants
author: Security Arsenal
date: 2023/11/07
tags:
- attack.persistence
- attack.t1547.006
- attack.privilege_escalation
- attack.t1068
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
- '/insmod'
- '/modprobe'
- '/kmod'
CommandLine|contains:
- '.ko'
CommandLine|matches:
- '.*bpf.*'
condition: selection
falsepositives:
- Legitimate BPF-based monitoring tools (bcc, bpftrace)
- System administrators loading legitimate kernel modules
level: high
---
title: BPFDoor Network Activity - Suspicious Stateless Protocol Usage
id: a8d7e4c5-3b2a-4c9f-8e2d-1f3a4b5c6d7e
status: experimental
description: Detects network patterns associated with BPFDoor magic packet activation and C2 communications.
references:
- https://www.rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants
author: Security Arsenal
date: 2023/11/07
tags:
- attack.command_and_control
- attack.t1071.004
- attack.defense_evasion
- attack.t1055
logsource:
product: linux
category: network_connection
detection:
selection:
Protocol|contains:
- 'UDP'
- 'ICMP'
DestinationPort:
- 80
- 443
- 22
- 53
- 123
- 631
- 1900
Initiated: 'true'
filter:
Image|endswith:
- '/systemd-resolved'
- '/dhclient'
- '/sshd'
- '/ntpd'
- '/chronyd'
- '/avahi-daemon'
condition: selection and not filter
falsepositives:
- Legitimate system services using standard ports
- Authorized administrative activities
level: medium
---
title: BPFDoor File Artifacts - Suspicious Binary Locations
id: d5e6f7a8-2c1b-4d0e-9f1c-2e3d4e5f6a7b
status: experimental
description: Detects creation of suspicious files in locations commonly used by BPFDoor variants for persistence.
references:
- https://www.rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants
author: Security Arsenal
date: 2023/11/07
tags:
- attack.persistence
- attack.t1543.002
- attack.defense_evasion
- attack.t1564.001
logsource:
product: linux
category: file_creation
detection:
selection_paths:
TargetFilename|contains:
- '/dev/shm/'
- '/tmp/'
- '/var/tmp/'
- '/lib/udev/'
- '/etc/cron.d/'
- '/etc/cron.hourly/'
- '/etc/cron.daily/'
selection_extensions:
TargetFilename|endswith:
- '.ko'
- '.so'
- '.sh'
- 'crontab'
filter:
Image|endswith:
- '/apt-get'
- '/yum'
- '/dnf'
- '/dpkg'
- '/rpm'
condition: selection_paths and selection_extensions and not filter
falsepositives:
- Legitimate package management operations
- Authorized administrative scripts
level: medium
KQL for Microsoft Sentinel/Defender
KQL — Microsoft Sentinel / Defender
// Hunt for BPFDoor-related suspicious kernel module loading
let TimeRange = 1d;
let BPFKeywords = dynamic(["bpf", "filter", "socket", "packet", "inject", "hook"]);
LinuxAudit
| where TimeGenerated > ago(TimeRange)
| where EventType == "SYSCALL" and Syscall in~ ("init_module", "finit_module", "delete_module")
| extend FileName = tostring(coalesce(ExtractFileName(Arguments), ""))
| where FileName has_any (BPFKeywords) or ProcessName has_any (BPFKeywords)
| project TimeGenerated, HostName, UserName, ProcessName, Syscall, Arguments, FileName
| order by TimeGenerated desc
;
// Hunt for suspicious network connections potentially related to BPFDoor activation
LinuxSyslog
| where TimeGenerated > ago(TimeRange)
| where ProcessName !in~ ("sshd", "systemd-resolved", "dhclient", "ntpd", "chronyd", "avahi-daemon")
| extend MessageData = parse_syslog_facility_severity(MessageText)
| where MessageData has_any ("UDP", "ICMP") and
(MessageData has_any (":80", ":443", ":22", ":53", ":123", ":631", ":1900"))
| project TimeGenerated, HostName, ProcessName, MessageText
| order by TimeGenerated desc
;
// Hunt for BPFDoor file artifacts in suspicious directories
DeviceFileEvents
| where Timestamp > ago(TimeRange)
| where FolderPath has_any ("/dev/shm/", "/tmp/", "/var/tmp/", "/lib/udev/")
| where InitiatingProcessAccountName != "root" or
(InitiatingProcessFileName !in~ ("yum", "apt", "dnf", "dpkg", "rpm"))
| where FileName endswith_any (".ko", ".so", ".sh")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName,
InitiatingProcessAccountName, SHA256, MD5
| order by Timestamp desc
Velociraptor VQL for Linux Endpoint Hunting
VQL — Velociraptor
-- Hunt for suspicious kernel modules that may be related to BPFDoor
SELECT * FROM foreach(
SELECT Pid, Exe, CommandLine, Username FROM pslist()
WHERE Exe =~ '(insmod|modprobe|kmod|depmod)'
AND (CommandLine =~ '\.ko' OR CommandLine =~ 'bpf'),
{
SELECT Pid, Exe, CommandLine, Username,
glob(globs='/lib/modules/**/*.ko') AS LoadedModules
FROM scope()
}
)
-- Hunt for BPFDoor-related file artifacts in suspicious locations
SELECT FullPath, Size, Mode.Mtime AS ModTime,
hash(path=FullPath) AS FileHash
FROM glob(globs=['/dev/shm/*', '/tmp/*', '/var/tmp/*', '/lib/udev/*'])
WHERE NOT FullPath =~ '\.(log|txt|tmp)$'
AND (FullPath =~ '\.ko$' OR FullPath =~ '\.so$' OR FullPath =~ '\.sh$')
-- Hunt for unusual network connections potentially associated with BPFDoor
SELECT RemoteAddr, RemotePort, State, Pid, ProcessName, CommandLine
FROM netstat()
WHERE State =~ 'ESTABLISHED'
AND (RemotePort IN (80, 443, 22, 53, 123, 631, 1900) OR RemotePort > 1024)
AND NOT ProcessName IN ('sshd', 'systemd-resolved', 'dhclient', 'ntpd', 'chronyd', 'avahi-daemon')
-- Hunt for suspicious cron jobs potentially used for BPFDoor persistence
SELECT CronPath, CronUser, CronCommand
FROM crontab()
WHERE CronCommand =~ '(wget|curl|nc|bash|sh|perl|python)'
AND (CronCommand =~ 'http' OR CronCommand =~ '/tmp' OR CronCommand =~ '/dev/shm')
Remediation Script (Bash)
Bash / Shell
#!/bin/bash
# BPFDoor Detection and Remediation Script
# Version: 1.0
# Author: Security Arsenal
# Date: 2023/11/07
set -e
# Color codes for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Function to print colored output
print_status() {
echo -e "${2}${1}${NC}"
}
print_status "=== BPFDoor Detection and Remediation Script ===" "$GREEN"
print_status "Starting analysis at $(date)" "$YELLOW"
# Check if running as root
if [ "$(id -u)" -ne 0 ]; then
print_status "Error: This script must be run as root" "$RED"
exit 1
fi
# Create a log file
LOG_FILE="/var/log/bpfdoor_remediation_$(date +%Y%m%d_%H%M%S).log"
exec > >(tee -a "$LOG_FILE")
print_status "Logging to $LOG_FILE" "$YELLOW"
# Function to check for loaded BPF programs
check_bpf_programs() {
print_status "\n--- Checking for loaded BPF programs ---" "$GREEN"
if command -v bpftool &> /dev/null; then
print_status "Listing active BPF programs:" "$YELLOW"
bpftool prog show
bpftool prog list
echo "
# Check for BPF programs with suspicious characteristics
print_status "Checking for suspicious BPF program types:" "$YELLOW"
bpftool prog show | grep -i "type" || echo "No suspicious BPF programs found"
else
print_status "Warning: bpftool not available. Install with: apt install linux-tools-$(uname -r)" "$YELLOW"
print_status "Falling back to /proc filesystem inspection:" "$YELLOW"
if [ -d "/sys/kernel/debug/tracing" ]; then
ls -la /sys/kernel/debug/tracing/ 2>/dev/null || echo "Cannot access debug filesystem"
fi
fi
}
# Function to check loaded kernel modules
check_kernel_modules() {
print_status "\n--- Checking loaded kernel modules ---" "$GREEN"
# List all loaded modules
print_status "All loaded kernel modules:" "$YELLOW"
lsmod | tee /tmp/lsmod_output.txt
# Check for suspicious modules
print_status "\nChecking for suspicious kernel modules:" "$YELLOW"
grep -i "bpf\|filter\|socket\|hook" /tmp/lsmod_output.txt || echo "No obviously suspicious modules found"
# Check module signatures
print_status "\nChecking for unsigned modules:" "$YELLOW"
for module in $(cut -d' ' -f1 /tmp/lsmod_output.txt | tail -n +2); do
if ! modinfo "$module" 2>/dev/null | grep -q "sig_key"; then
echo "WARNING: Module '$module' may be unsigned"
fi
done
}
# Function to check for suspicious files in common BPFDoor locations
check_suspicious_files() {
print_status "\n--- Checking for suspicious files ---" "$GREEN"
# Define suspicious directories and patterns
SUSPICIOUS_DIRS=("/dev/shm" "/tmp" "/var/tmp" "/lib/udev" "/run/udev")
SUSPICIOUS_PATTERNS=("*.ko" "*.so" "*.sh" ".*.sh" "crontab.*")
for dir in "${SUSPICIOUS_DIRS[@]}"; do
if [ -d "$dir" ]; then
print_status "Checking $dir:" "$YELLOW"
for pattern in "${SUSPICIOUS_PATTERNS[@]}"; do
find "$dir" -name "$pattern" -type f -ls 2>/dev/null || true
done
fi
done
# Check for recently modified files in system directories
print_status "\nChecking for recently modified system files (last 7 days):" "$YELLOW"
find /etc /lib /usr/lib -name "*.so" -o -name "*.ko" | xargs -I {} find {} -mtime -7 -ls 2>/dev/null | head -20
}
# Function to check for suspicious cron jobs
check_cron_jobs() {
print_status "\n--- Checking cron jobs for suspicious entries ---" "$GREEN"
# Check system crontab
print_status "System crontab:" "$YELLOW"
cat /etc/crontab 2>/dev/null || echo "Cannot read /etc/crontab"
# Check cron directories
for dir in /etc/cron.*; do
if [ -d "$dir" ]; then
print_status "\nContents of $dir:" "$YELLOW"
ls -la "$dir" 2>/dev/null || true
for file in "$dir"/*; do
if [ -f "$file" ]; then
print_status "Content of $file:" "$YELLOW"
cat "$file" 2>/dev/null || true
fi
done
fi
done
# Check user crontabs
print_status "\nChecking user crontabs:" "$YELLOW"
for user in $(cut -d: -f1 /etc/passwd); do
crontab -u "$user" -l 2>/dev/null && print_status "User $user has a crontab" "$YELLOW"
done
}
# Function to check for suspicious network connections
check_network_connections() {
print_status "\n--- Checking for suspicious network connections ---" "$GREEN"
# Check established connections to common ports
print_status "Established connections to common ports (80, 443, 22, 53, 123):" "$YELLOW"
ss -tnp | grep ESTABLISHED | grep -E ':(80|443|22|53|123)\s' || echo "No suspicious connections found"
# Check for unusual processes listening on network ports
print_status "\nProcesses listening on network ports:" "$YELLOW"
ss -tulpn | head -20
}
# Function to check process tree for suspicious processes
check_processes() {
print_status "\n--- Checking process tree for suspicious processes ---" "$GREEN"
# Check for processes with suspicious names
print_status "Processes with suspicious names:" "$YELLOW"
ps aux | grep -E '(insmod|modprobe|kmod|depmod)' | grep -v grep || echo "No suspicious processes found"
# Check for processes with unusual parent-child relationships
print_status "\nChecking for processes with unusual parent processes:" "$YELLOW"
ps auxf | awk '{if ($3 != $8 && $3 != $2) print}' | head -20
}
# Function to generate a system snapshot for forensic analysis
generate_snapshot() {
print_status "\n--- Generating system snapshot ---" "$GREEN"
SNAPSHOT_DIR="/tmp/bpfdoor_snapshot_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$SNAPSHOT_DIR"
print_status "Snapshot directory: $SNAPSHOT_DIR" "$YELLOW"
# Collect system information
uname -a > "$SNAPSHOT_DIR/uname.txt"
cat /etc/os-release > "$SNAPSHOT_DIR/os-release.txt"
ps aux > "$SNAPSHOT_DIR/ps.txt"
ss -tulnp > "$SNAPSHOT_DIR/ss.txt"
lsmod > "$SNAPSHOT_DIR/lsmod.txt"
netstat -tulnp > "$SNAPSHOT_DIR/netstat.txt"
# List loaded kernel modules
if command -v bpftool &> /dev/null; then
bpftool prog show > "$SNAPSHOT_DIR/bpftool_prog.txt" 2>&1 || true
bpftool map show > "$SNAPSHOT_DIR/bpftool_map.txt" 2>&1 || true
fi
# List running services
systemctl list-units --type=service --state=running > "$SNAPSHOT_DIR/services.txt" 2>&1 || true
# List open files
lsof > "$SNAPSHOT_DIR/lsof.txt" 2>&1 || true
# List scheduled tasks
crontab -l > "$SNAPSHOT_DIR/crontab.txt" 2>&1 || true
print_status "Snapshot created in $SNAPSHOT_DIR" "$YELLOW"
print_status "Please archive this directory for further analysis if needed" "$YELLOW"
}
# Main execution
print_status "Starting comprehensive BPFDoor detection analysis..." "$GREEN"
check_bpf_programs
check_kernel_modules
check_suspicious_files
check_cron_jobs
check_network_connections
check_processes
generate_snapshot
print_status "\n=== Analysis completed ===" "$GREEN"
print_status "Log file saved to: $LOG_FILE" "$YELLOW"
print_status "If you found any suspicious indicators, please investigate further and consider engaging your security team or incident responders." "$YELLOW"
Remediation
Immediate Actions
-
Install bpftool for enhanced BPF program visibility: bash
For Debian/Ubuntu systems
apt-get update && apt-get install -y linux-tools-$(uname -r) linux-tools-generic bpftool
For RHEL/CentOS systems
Bash / Shell
yum install -y bpftool
-
Audit BPF programs to identify any unexpected or suspicious BPF programs: bash
List all BPF programs
bpftool prog list
Get detailed information about each program
bpftool prog show
Remove suspicious programs (verify before removing)
bpftool prog rm id <program_id>
-
Inspect kernel modules for unauthorized or suspicious modules: bash
List all loaded modules
lsmod
Check module information and signatures
modinfo <module_name>
Unload suspicious modules (verify before removing)
rmmod <module_name>
-
Update system binaries and ensure integrity: bash
Verify package integrity
debsums -c (Debian/Ubuntu) rpm -Va (RHEL/CentOS)
Update system packages
apt-get update && apt-get upgrade -y (Debian/Ubuntu)
Bash / Shell
yum update -y (RHEL/CentOS)
Long-term Mitigation
-
Implement eBPF monitoring: Deploy tools to monitor and alert on eBPF program loading and activity.
-
Kernel module signing: Enable and require signed kernel modules to prevent unauthorized module loading.
-
File integrity monitoring: Deploy FIM solutions to detect unauthorized changes to system binaries and configuration files.
-
Network monitoring: Implement deep packet inspection with visibility into kernel-level packet handling.
-
Least privilege enforcement: Strictly limit root access and implement sudo policies with detailed logging.
Additional Resources
- Rapid7 BPFDoor Research
- CISA Alert AA20-301A: Techniques Used by Nation-State Actors
- Linux Kernel Security Documentation
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionbpfdoorlinux-backdoorberkeley-packet-filters
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.