BPFDoor
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| JustForFun | (Citation: Harries JustForFun 2022) |
| Backdoor.Solaris.BPFDOOR.ZAJE | (Citation: Harries JustForFun 2022) |
| Backdoor.Linux.BPFDOOR | (Citation: Merces BPFDOOR 2023) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .004 | Command and Scripting Interpreter: Unix Shell |
BPFDoor can create a reverse shell and supports vt100 emulator formatting.(Citation: Sandfly BPFDoor 2022) |
| Enterprise | T1564 | .011 | Hide Artifacts: Ignore Process Interrupts |
BPFDoor set's it's process to ignore the following signals; `SIGHUP`, `SIGINT`, `SIGQUIT`, `SIGPIPE`, `SIGCHLD`, `SIGTTIN`, and `SIGTTOU`.(Citation: Deep Instinct BPFDoor 2023) |
| Enterprise | T1562 | .003 | Impair Defenses: Impair Command History Logging |
BPFDoor sets the `MYSQL_HISTFILE` and `HISTFILE` to `/dev/null` preventing the shell and MySQL from logging history in `/proc/ |
| .004 | Impair Defenses: Disable or Modify System Firewall |
BPFDoor starts a shell on a high TCP port starting at 42391 up to 43391, then changes the local `iptables` rules to redirect all packets from the attacker to the shell port.(Citation: Sandfly BPFDoor 2022) |
||
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
After initial setup, BPFDoor's original execution process deletes the dropped binary and exits.(Citation: Sandfly BPFDoor 2022) |
| .006 | Indicator Removal: Timestomp |
BPFDoor uses the `utimes()` function to change the executable's timestamp.(Citation: Sandfly BPFDoor 2022) |
||
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
BPFDoor overwrites the `argv[0]` value used by the Linux `/proc` filesystem to determine the command line and command name to display for each process. BPFDoor selects a name from 10 hardcoded names that resemble Linux system daemons, such as; `/sbin/udevd -d`, `dbus-daemon --system`, `avahi-daemon: chroot helper`, `/sbin/auditd -n`, and `/usr/lib/systemd/systemd-journald`.(Citation: Sandfly BPFDoor 2022) |
| .009 | Masquerading: Break Process Trees |
After initial execution, BPFDoor forks itself and runs the fork with the `--init` flag, which allows it to execute secondary clean up operations. The parent process terminates leaving the forked process to be inherited by the legitimate process init.(Citation: Sandfly BPFDoor 2022) |
||
| Enterprise | T1205 | .002 | Traffic Signaling: Socket Filters |
BPFDoor uses BPF bytecode to attach a filter to a network socket to view ICMP, UDP, or TCP packets coming through ports 22 (ssh), 80 (http), and 443 (https). When BPFDoor finds a packet containing its “magic” bytes, it parses out two fields and forks itself. The parent process continues to monitor filtered traffic while the child process executes the instructions from the parsed fields.(Citation: Sandfly BPFDoor 2022)(Citation: Deep Instinct BPFDoor 2023) |
References
- Jamie Harries. (2022, May 25). Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved September 23, 2024.
- Fernando Merces. (2023, July 13). Detecting BPFDoor Backdoor Variants Abusing BPF Filters. Retrieved September 23, 2024.
- Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September 19, 2024.
- The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.