
Red Menshen BPFdoor: Telecom Linux Backdoor Detection and Eradication

Security Arsenal Team
April 11, 2026

## Introduction

A months-long investigation by Rapid7 Labs has confirmed what we in the IR community have feared: nation-state actors have embedded sleeper cells within the core of global telecommunications infrastructure. The threat actor, tracked as Red Menshen (China-nexus), is using a Linux backdoor named BPFdoor. This is not commodity malware; it is a purpose-built tool designed to persist in the "nervous system" of the internet, the telecom ISP networks, with near-total stealth.

The stakes are critical. BPFdoor provides covert access capable of intercepting government communications, redirecting traffic, and facilitating large-scale espionage. Because the implant attaches a Berkeley Packet Filter (BPF) program to a packet socket, it can watch every packet reaching the host and wait for a "magic packet" without ever opening a listening port, so port scans and listener inventories show nothing. Defenders in the telecom sector and those managing critical Linux edge infrastructure must assume breach and actively hunt for this specific TTP.

## Technical Analysis

Affected Products & Platforms:
* Platform: Linux-based systems, specifically hardened networking appliances (routers, gateways, switches) and Linux servers within telecom service provider environments.
* Specific Targets: Hardware vendors are not named as "vulnerable" in the CVE sense; the threat targets the Linux-based management planes common to Huawei, Cisco, Juniper and similar networking gear.

Malware Mechanics (BPFdoor):
* Attack Vector: Initial access is typically gained by exploiting vulnerabilities in public-facing services or by using weak or default credentials on edge devices.
* Persistence: BPFdoor establishes persistence by modifying crontab or rc.local, or by replacing system binaries (such as sshd or crond).
  Some variants deploy as a shared object (/lib/libpam2g.so) or as a hidden binary in /dev/shm or /var/tmp.
* Stealth & C2: The backdoor opens a raw packet socket and attaches a BPF filter to it; it never binds a port. The filter passively inspects every packet that reaches the host for a "magic" byte sequence. Because the match is on packet contents rather than on the destination port, the trigger can arrive on any port, including ones already served by legitimate daemons (UDP 53, UDP 123, TCP 80/443), which is what lets it blend into normal traffic. On a match the implant spawns a reverse shell to the operator or a bind shell; it does not beacon on its own, so there is no periodic C2 traffic to baseline against.
* Process Masquerading: To evade casual inspection, the malware renames its running process to mimic kernel threads, such as [ksoftirqd/0], [kworker/u2:0], or [nfsd]. Genuine kernel threads never carry the brackets in /proc/<pid>/comm (ps adds them for display) and have no readable /proc/<pid>/exe link; a bracketed name backed by an executable on disk is the tell.

Exploitation Status:
* Confirmed Active Exploitation: Yes. Rapid7 has observed active command-and-control (C2) traffic and implants in live environments.
* CVE: This is a malware campaign rather than the exploitation of a single vulnerability with a CVE identifier. It relies on poor credential hygiene and on the absence of monitoring for packet sockets and BPF filter attachment.

## Detection & Response

Detecting BPFdoor requires moving beyond listening-port inventories. The implant holds an AF_PACKET socket rather than a bound TCP or UDP listener, so the usual ss -tulpn or netstat -tulpn output contains nothing for it (packet sockets are listed separately by ss -0p, raw IP sockets by ss -wp), and process masquerading makes what is left look like kernel activity. The rules below target the behavioral outliers: process masquerading, execution from memory-backed or temporary filesystems, and packet or raw socket usage.
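Before the rules, the following added example makes the "any port" point concrete. It is not code from this article, from Rapid7 or from the malware: it is a small classic-BPF evaluator written in Python that runs a reduced filter of the kind BPFdoor is reported to attach with setsockopt(SO_ATTACH_FILTER), over frames constructed inline. Assumptions not taken from the article: the opcode encodings are those of <linux/filter.h>; MAGIC = 0x7255 is the value reported for early samples and is used only as an illustration; the filter program (IPv4 with UDP or ICMP, magic in the first two payload bytes) was written for this example and is not the malware's real program; addresses and checksums in the test frames are dummies.

```python
"""Classic-BPF magic-packet matching, evaluated offline (added example)."""
import struct

LD_H_ABS = 0x28   # BPF_LD|BPF_H|BPF_ABS : A = be16 at pkt[k]
LD_B_ABS = 0x30   # BPF_LD|BPF_B|BPF_ABS : A = pkt[k]
LD_H_IND = 0x48   # BPF_LD|BPF_H|BPF_IND : A = be16 at pkt[X + k]
LDX_MSH = 0xb1    # BPF_LDX|BPF_B|BPF_MSH: X = 4 * (pkt[k] & 0x0f), IPv4 IHL in bytes
JEQ_K = 0x15      # BPF_JMP|BPF_JEQ|BPF_K: pc += jt if A == k else jf
RET_K = 0x06      # BPF_RET|BPF_K        : return k (0 drops, >0 accepts)

MAGIC = 0x7255    # illustrative value (assumption, see lead-in)


def build_filter(magic=MAGIC):
    """sock_filter tuples (code, jt, jf, k): accept IPv4/UDP or IPv4/ICMP frames
    whose first two payload bytes (after the 8-byte L4 header) equal `magic`.
    No instruction looks at a port, which is the whole point."""
    return [
        (LD_H_ABS, 0, 0, 12),      # 0: A = EtherType
        (JEQ_K, 0, 7, 0x0800),     # 1: not IPv4 -> 9 (drop)
        (LD_B_ABS, 0, 0, 23),      # 2: A = IP protocol
        (JEQ_K, 1, 0, 17),         # 3: UDP -> 5
        (JEQ_K, 0, 4, 1),          # 4: ICMP -> 5, anything else -> 9
        (LDX_MSH, 0, 0, 14),       # 5: X = IP header length
        (LD_H_IND, 0, 0, 22),      # 6: A = be16 at 14 + X + 8 = start of payload
        (JEQ_K, 0, 1, magic),      # 7: magic -> 8, else -> 9
        (RET_K, 0, 0, 0xFFFF),     # 8: accept
        (RET_K, 0, 0, 0),          # 9: drop
    ]


def run_filter(prog, pkt):
    """Execute a classic-BPF program as the kernel does: an out-of-range load
    terminates with 0 (drop), RET returns k."""
    a = x = pc = 0
    while True:
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == LD_H_ABS:
            if k + 2 > len(pkt):
                return 0
            a = struct.unpack_from("!H", pkt, k)[0]
        elif code == LD_B_ABS:
            if k + 1 > len(pkt):
                return 0
            a = pkt[k]
        elif code == LD_H_IND:
            if x + k + 2 > len(pkt):
                return 0
            a = struct.unpack_from("!H", pkt, x + k)[0]
        elif code == LDX_MSH:
            if k + 1 > len(pkt):
                return 0
            x = 4 * (pkt[k] & 0x0f)
        elif code == JEQ_K:
            pc += jt if a == k else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")


def ipv4_frame(proto, l4_header, payload):
    """Constructed Ethernet/IPv4 frame: dummy MACs and addresses, zero checksums."""
    eth = b"\x00" * 12 + b"\x08\x00"
    total_len = 20 + len(l4_header) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4_header + payload


def udp_frame(dport, payload, sport=40000):
    return ipv4_frame(17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0), payload)


def icmp_echo_frame(payload):
    return ipv4_frame(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1), payload)


def matches(frame, magic=MAGIC):
    """True if the filter would wake the userland process for this frame."""
    return run_filter(build_filter(magic), frame) != 0


if __name__ == "__main__":
    samples = {
        "udp/53 with magic": udp_frame(53, b"\x72\x55" + b"\x00" * 6),
        "udp/8080 with magic": udp_frame(8080, b"\x72\x55payload"),
        "udp/53 without magic": udp_frame(53, b"\x00\x01\x02\x03"),
        "icmp echo with magic": icmp_echo_frame(b"\x72\x55"),
        "non-IPv4 frame": b"\x00" * 64,
    }
    for label, frame in samples.items():
        print(f"{label:22s} -> {'ACCEPT' if matches(frame) else 'drop'}")
```

The two UDP frames with the magic are accepted on port 53 and on port 8080 alike, while a well-formed DNS-looking packet without the magic is dropped: the filter is the listener, and there is no port to scan for. The same content test works for the wire-side hunt in tcpdump syntax, for example 'udp[8:2] = 0x7255 or icmp[8:2] = 0x7255' on a span port (substitute the magic value for the variant you are tracking).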
### SIGMA Rules

```yaml
---
title: Potential Linux Kernel Process Masquerading
id: 8a5f2c13-9b3e-4c1a-8f0d-2e4b5c6d7e8f
status: experimental
description: Detects processes whose name looks like a kernel thread (e.g., [ksoftirqd/0]) but that are backed by an executable on disk, a TTP associated with BPFdoor. Genuine kernel threads have no executable path.
references:
  - https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report
author: Security Arsenal
date: 2024/05/23
tags:
  - attack.defense_evasion
  - attack.t1036.004
logsource:
  category: process_creation
  product: linux
detection:
  selection_name:
    ProcessName|re: '^\[.*\]$'
  selection_exe:
    # Genuine kernel threads are spawned by kthreadd and carry no on-disk executable path.
    # A bracket-named process that DOES have one is the anomaly, so both selections must hold.
    Exe|startswith: '/'
  condition: selection_name and selection_exe
falsepositives:
  - Legitimate administrative tools utilizing similar naming conventions (rare)
  - Monitoring agents
level: high
---
title: Linux Execution from Hidden Directories
id: 9b6a3d24-0c4f-5d2b-9a1e-3f5c6d7e8f0a
status: experimental
description: Detects execution of binaries from /dev/shm, /var/tmp, or /tmp, common drop locations for BPFdoor components.
references:
  - https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report
author: Security Arsenal
date: 2024/05/23
tags:
  - attack.defense_evasion
  - attack.t1036
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|startswith:
      - '/dev/shm/'
      - '/tmp/'
      - '/var/tmp/'
  # No interpreter filter: a script run as "python /tmp/x.py" has /usr/bin/python as Image
  # and never reaches this selection, so excluding interpreter names here would only mask
  # an interpreter binary that was itself dropped into a temporary directory.
  condition: selection
falsepositives:
  - Legitimate developer scripts or package installations that stage binaries in temporary directories
level: medium
```
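The hunting logic of the rules above (a bracketed name with an on-disk executable, execution from /dev/shm, /tmp or /var/tmp, and an AF_PACKET socket) as one host-side triage pass, added here as an example; it is not code from this article or from Rapid7. It reads a /proc tree, maps the inode column of /proc/net/packet to the socket:[N] links under /proc/<pid>/fd, and treats a "[name]" that has a readable exe link as an impostor, since genuine kernel threads have neither. The build_fixture() function constructs a fake /proc tree so the logic can be exercised offline: its PIDs and inode numbers are made up, and the /var/tmp/hdsh path is taken from this page's IOC list rather than observed on any host.

```python
"""Host triage for BPFdoor-style footprints over a /proc tree (added example)."""
import os
import sys
import json
import tempfile

SUSPICIOUS_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")


def packet_socket_inodes(proc="/proc"):
    """Inode column (last field) of every AF_PACKET socket in /proc/net/packet."""
    inodes = set()
    try:
        with open(os.path.join(proc, "net", "packet")) as f:
            next(f)  # header: sk RefCnt Type Proto Iface R Rmem User Inode
            for line in f:
                fields = line.split()
                if fields:
                    inodes.add(int(fields[-1]))
    except (OSError, StopIteration, ValueError):
        pass
    return inodes


def socket_inodes_of(proc, pid):
    """Inodes of all sockets held by a PID, read from its /proc/<pid>/fd links."""
    fd_dir = os.path.join(proc, str(pid), "fd")
    found = set()
    try:
        names = os.listdir(fd_dir)
    except OSError:  # no permission, or the process is gone
        return found
    for name in names:
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue
        if target.startswith("socket:[") and target.endswith("]"):
            found.add(int(target[8:-1]))
    return found


def read_proc_file(proc, pid, name):
    try:
        with open(os.path.join(proc, str(pid), name), "rb") as f:
            return f.read()
    except OSError:
        return b""


def triage(proc="/proc"):
    """Return findings as {pid, comm, exe, reasons} for every suspicious process."""
    pkt_inodes = packet_socket_inodes(proc)
    findings = []
    for entry in sorted(os.listdir(proc)):
        if not entry.isdigit():
            continue
        pid = int(entry)
        comm = read_proc_file(proc, pid, "comm").decode(errors="replace").strip()
        cmdline = read_proc_file(proc, pid, "cmdline")
        try:
            exe = os.readlink(os.path.join(proc, entry, "exe"))
        except OSError:
            exe = ""  # kernel threads (and processes we may not inspect) have no link
        reasons = []
        if exe and (comm.startswith("[") or not cmdline):
            reasons.append("kernel-thread lookalike backed by an executable")
        if exe.startswith(SUSPICIOUS_DIRS) or exe.endswith(" (deleted)"):
            reasons.append("executable in a temporary filesystem or deleted")
        if pkt_inodes & socket_inodes_of(proc, pid):
            reasons.append("holds an AF_PACKET socket")
        if reasons:
            findings.append({"pid": pid, "comm": comm, "exe": exe, "reasons": reasons})
    return findings


def build_fixture(root):
    """Constructed fake /proc: a benign daemon, a genuine kernel thread, an impostor."""
    def add(pid, comm, cmdline, exe, sockets=()):
        d = os.path.join(root, str(pid))
        os.makedirs(os.path.join(d, "fd"))
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(cmdline)
        if exe is not None:
            os.symlink(exe, os.path.join(d, "exe"))
        for i, inode in enumerate(sockets):
            os.symlink(f"socket:[{inode}]", os.path.join(d, "fd", str(3 + i)))

    os.makedirs(os.path.join(root, "net"))
    with open(os.path.join(root, "net", "packet"), "w") as f:
        f.write("sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n")
        f.write("00000000 3      3    0800   2     1 0      0      41337\n")
    add(1, "systemd", b"/sbin/init\0", "/usr/lib/systemd/systemd")
    add(12, "ksoftirqd/0", b"", None)                      # genuine kernel thread: no exe link
    add(2300, "sshd", b"/usr/sbin/sshd\0", "/usr/sbin/sshd", sockets=(5000,))
    add(2210, "[ksoftirqd/0]", b"[ksoftirqd/0]\0", "/var/tmp/hdsh", sockets=(41337,))
    return root


def demo():
    """Run the triage against a freshly built fixture."""
    return triage(build_fixture(tempfile.mkdtemp(prefix="fakeproc-")))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    print(json.dumps(demo() if target == "--demo" else triage(target), indent=2))
```

Run it with --demo to see the fixture's impostor flagged on all three counts while the real ksoftirqd/0 and sshd stay quiet, or with a path (default /proc, as root) on a live host. On a real box, dhclient, lldpd, NetworkManager and tcpdump legitimately hold AF_PACKET sockets, so treat that reason as a lead and let the executable path and name checks carry the verdict.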
### KQL (Microsoft Sentinel / Defender)

```kql
// Hunt for binaries executing from memory-backed or temporary paths, and for
// shells whose command line references them. DeviceProcessEvents is populated
// by Defender for Endpoint on Linux, not by Syslog/CEF ingestion.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath startswith '/dev/shm' or FolderPath startswith '/tmp' or FolderPath startswith '/var/tmp'
    or (FileName in~ ('bash', 'sh', 'dash', 'ksh')
        and (ProcessCommandLine contains '/dev/shm/' or ProcessCommandLine contains '/tmp/' or ProcessCommandLine contains '/var/tmp/'))
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ProcessCommandLine
| order by Timestamp desc
```

### Velociraptor VQL

BPFdoor holds a packet socket to sniff traffic. On an ordinary application server that is a high-fidelity anomaly; on routers, DHCP clients and monitoring hosts expect legitimate holders (dhclient, lldpd, tcpdump, NetworkManager), so triage the executable path rather than alerting on the socket alone.

```vql
-- Processes holding raw IP sockets (SOCK_RAW). netstat() parses the tcp/udp
-- tables; BPFdoor's AF_PACKET socket lives in /proc/net/packet instead, so
-- pair this with the inode-to-PID mapping in the bash script below.
SELECT Pid, FamilyString, TypeString, Status, Laddr, Raddr
FROM netstat()
WHERE TypeString =~ 'raw'

-- Processes masquerading as kernel threads: bracketed name but a real exe.
-- Triple-quoted strings are raw in VQL, so the regex backslashes stay intact.
SELECT Pid, Ppid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Name =~ '''^\[.*\]$''' AND Exe != ''

-- Processes running from memory-backed or temporary filesystems, or from a deleted binary.
SELECT Pid, Ppid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Exe =~ '''^/(dev/shm|tmp|var/tmp)/''' OR Exe =~ '''\(deleted\)$'''
```

### Remediation Script (Bash)

Run this script on suspected Linux endpoints to identify the immediate BPFdoor footprint. It is read-only by default: the kill line is left commented out so nothing is terminated before an analyst has reviewed the output and preserved evidence.

```bash
#!/bin/bash
# BPFdoor Triage and Eradication Script
# Usage: sudo ./check_bpfdoor.sh

echo "[+] Checking for processes holding packet or raw sockets..."
# BPFdoor sniffs through an AF_PACKET socket. 'ss -0' lists packet sockets and
# 'ss -w' raw IP sockets; neither appears in the usual 'ss -tulpn' output.
RAW_PIDS=$( { ss -0anp; ss -wanp; } 2>/dev/null | grep -oE 'pid=[0-9]+' | cut -d= -f2 | sort -u)

if [ -n "$RAW_PIDS" ]; then
  echo "[!] Warning: Found processes with packet/raw sockets. PIDs: $RAW_PIDS"
  for pid in $RAW_PIDS; do
    echo "--- Details for PID $pid ---"
    ps -p "$pid" -o pid,ppid,comm,args
    ls -l "/proc/$pid/exe" 2>/dev/null
  done
else
  echo "[+] No packet/raw socket holders found via 'ss'."
fi

echo "[+] Mapping /proc/net/packet inodes to PIDs (covers sockets ss -p could not attribute)..."
# The last column of /proc/net/packet is the socket inode; /proc/<pid>/fd links read socket:[inode].
PKT_INODES=$(awk 'NR>1 {print $NF}' /proc/net/packet 2>/dev/null)
for ino in $PKT_INODES; do
  for fd in /proc/[0-9]*/fd/*; do
    [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$ino]" ] || continue
    pid=${fd#/proc/}; pid=${pid%%/*}
    echo "[!] AF_PACKET socket inode $ino held by PID $pid ($(readlink "/proc/$pid/exe" 2>/dev/null))"
  done
done

echo "[+] Checking for process masquerading (kernel thread names) with executable paths..."
# Genuine kernel threads have no readable exe link and no brackets in comm (ps adds
# them for display); a bracketed name backed by an on-disk executable is a userland
# process in disguise.
for proc in /proc/[0-9]*; do
  pid=$(basename "$proc")
  name=$(cat "$proc/comm" 2>/dev/null)
  exe=$(readlink "$proc/exe" 2>/dev/null)

  if [[ "$name" == \[*\] ]] && [[ -n "$exe" ]]; then
    echo "[!] Suspicious Masquerading Process: PID $pid | Name: $name | Exe: $exe"
    # Optional: kill process - uncomment only after verification and evidence capture
    # kill -9 "$pid"
  fi
done

echo "[+] Checking common BPFdoor drop locations..."
LOCATIONS=("/var/tmp/hdsh" "/lib/libpam2g.so" "/dev/shm/.rsync/c" "/tmp/.rsync/c")
for loc in "${LOCATIONS[@]}"; do
  if [ -f "$loc" ]; then
    echo "[!] FOUND suspicious file: $loc"
    ls -la "$loc"
    sha256sum "$loc"
  fi
done

echo "[+] Checking cron persistence (current user, system and per-user crontabs)..."
crontab -l 2>/dev/null | grep -v '^#'
cat /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/* 2>/dev/null | grep -v '^#'
```

## Remediation

1. Isolate Compromised Assets: Immediately disconnect identified telecom edge devices or servers from the management network to prevent lateral movement.
2. Preserve, then Terminate: Before killing the process identified via the VQL or the script (for example, the PID claiming to be [ksoftirqd/0] but linking to a binary in /tmp), copy /proc/<pid>/exe and /proc/<pid>/maps for analysis; the exe link still yields the binary even after the on-disk file has been deleted. Then terminate the process.
3. Remove Persistence:
   * Inspect /var/spool/cron/ and user-specific crontabs for suspicious entries.
   * Check /etc/rc.local, /etc/init.d/, and systemd unit files for unknown or recently modified binaries.
4. File Deletion: Remove the malware binary (e.g., /var/tmp/hdsh or the hidden library) once it has been preserved.
5. Credential Rotation: Assume root credentials have been harvested. Rotate all SSH keys, API keys, and administrative passwords for the affected segment.
6. Patch & Harden: Ensure all Linux networking appliances are up to date. Disable unused services and enforce strict SSH key management (disable password authentication).
7. Network and Host Monitoring: Deploy NDR/DPI content rules for the magic-packet pattern on the wire (unexpected payloads on the DNS, NTP and HTTPS ports it hides behind), and host telemetry (auditd or an eBPF-based sensor) that records socket(AF_PACKET, ...) and setsockopt(SO_ATTACH_FILTER) calls, so a new sniffer on a box that should have none raises an alert.

## Related Resources

* Security Arsenal Penetration Testing Services
* AlertMonitor Platform
* Book a SOC Assessment
* Vulnerability Management Intel Hub

Tags: vulnerability, cve, patch, zero-day, red-menshen, bpfdoor, linux-malware, telecom-security
