New BPFDoor controller targeting telecoms sector in Asia and the Middle East

Researchers at Trend Micro have uncovered a previously undocumented controller component associated with the BPFDoor backdoor malware involved in ongoing cyber attacks targeting critical sectors across Asia and the Middle East.

The controller has been linked to a string of intrusions targeting telecommunications, finance, and retail industries in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt throughout 2024. The campaign is attributed to a well-known cyber espionage group known as Earth Bluecrow, also tracked as DecisiveArchitect, Red Dev 18, and Red Menshen.

The controller can open a reverse shell and support lateral movement, letting attackers move deeper into a compromised network, take control of additional systems, and reach sensitive data.

First publicly disclosed in 2022, BPFDoor is a stealthy backdoor that has proven difficult to detect because of its use of the Berkeley Packet Filter (BPF), a kernel mechanism that lets a process attach a small filter program to a raw socket and inspect incoming traffic. The malware listens for specially crafted "magic packets" that match its filter. Because the filter is evaluated on inbound packets before the host firewall's rules are applied, and no listening port is needed, a magic packet reaches the backdoor even on a host whose firewall would otherwise drop it.

"Because of how BPF is implemented in the targeted operating system, the magic packet triggers the backdoor despite being blocked by a firewall," researchers said. "While these features are common in rootkits, they are not typically found in backdoors."
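A practical consequence of that design is that a BPF-based backdoor needs a raw packet socket, which is visible in /proc/net/packet even when nothing is listening on a TCP or UDP port. The following hunting script is an added example written for this article, not code from Trend Micro or from the BPFDoor samples they analysed. It parses the /proc/net/packet table (the column layout the Linux kernel emits, sk RefCnt Type Proto Iface R Rmem User Inode), keeps only SOCK_RAW entries, and maps each socket inode back to the process that holds it by reading /proc/<pid>/fd links. The sample table and fd links embedded below are constructed for the demonstration; on a live host the script reads the real files, and reading other users' fd directories requires root.

```python
import os

# Constructed sample of /proc/net/packet. Assumption: the standard kernel
# layout "sk RefCnt Type Proto Iface R Rmem User Inode"; Type 3 = SOCK_RAW,
# Type 2 = SOCK_DGRAM, Proto is the hex ethertype the socket was bound to.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
00000000a1b2c3d4 3      3    0003   2     1 0      0      27458
00000000deadbeef 3      2    0800   0     1 0      0      31020
"""

# Constructed sample of /proc/<pid>/fd readlink targets, keyed by pid.
# A socket fd links to "socket:[<inode>]".
SAMPLE_FD_LINKS = {
    1234: ["/dev/null", "socket:[27458]", "/var/log/syslog"],
    987: ["socket:[31020]"],
}

SOCK_DGRAM = 2
SOCK_RAW = 3


def parse_packet_sockets(text):
    """Parse /proc/net/packet contents into a list of dicts (header skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 9:
            continue
        rows.append({
            "type": int(parts[2]),
            "proto": int(parts[3], 16),
            "ifindex": int(parts[4]),
            "uid": int(parts[7]),
            "inode": int(parts[8]),
        })
    return rows


def owners_from_fd_links(fd_links, inodes):
    """Map socket inodes to the pids whose fd table references them."""
    wanted = {"socket:[%d]" % i: i for i in inodes}
    owners = {}
    for pid, targets in fd_links.items():
        for target in targets:
            if target in wanted:
                owners.setdefault(wanted[target], []).append(pid)
    return owners


def read_fd_links(proc="/proc"):
    """Collect readlink targets of every fd of every process (needs root for other users)."""
    links = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        targets = []
        for fd in fds:
            try:
                targets.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                pass
        links[int(name)] = targets
    return links


def hunt(packet_text, fd_links):
    """Return SOCK_RAW packet sockets with their owning pids, for triage.

    Benign sniffers (tcpdump, some DHCP and LLDP daemons) also hold raw
    packet sockets, so each hit still needs a look at the owning binary.
    """
    raw = [s for s in parse_packet_sockets(packet_text) if s["type"] == SOCK_RAW]
    owners = owners_from_fd_links(fd_links, [s["inode"] for s in raw])
    return [dict(s, pids=owners.get(s["inode"], [])) for s in raw]


if __name__ == "__main__":
    try:
        with open("/proc/net/packet") as f:
            text = f.read()
        links = read_fd_links()
    except OSError:
        text, links = SAMPLE_PROC_NET_PACKET, SAMPLE_FD_LINKS
    for finding in hunt(text, links):
        print("raw packet socket inode=%d proto=0x%04x ifindex=%d uid=%d pids=%s"
              % (finding["inode"], finding["proto"], finding["ifindex"],
                 finding["uid"], finding["pids"]))
```

Run as root for a complete picture; an entry whose pid list is empty means the socket belongs to a process whose fd table could not be read, which is itself worth following up. A raw packet socket held by a process that is not a recognised sniffer, especially one with a misleading process name, matches the footprint this kind of backdoor leaves.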

Trend Micro's latest analysis reveals that infected Linux servers are now hosting a novel controller malware used for lateral movement across networks. The controller initiates communication by prompting its operator for a password, which the BPFDoor implant then checks against hardcoded credentials. Once authenticated, the operator can execute commands, reach other compromised hosts, and open a reverse shell for real-time control.

The controller supports multiple protocols, including TCP, UDP, and ICMP, and offers an optional encrypted mode for its communication. It also offers a direct mode, in which attackers connect straight to an infected system and execute commands remotely.

"BPF opens a new window of unexplored possibilities for malware authors to exploit," Trend Micro warned. "As threat researchers, it is a must to be equipped for future developments by analyzing BPF code, which will help protect organizations against BPF-powered threats."
