BPFDoor malware

According to new research, the threat actor behind the stealthy BPFDoor malware for Linux and Solaris exploited a known vulnerability to gain persistence on targeted systems. BPFDoor is a custom backdoor that has been used in attacks on telecommunications, government, education, and logistics organisations for at least five years, largely undetected.

The malware was identified recently and first disclosed by PricewaterhouseCoopers (PwC) researchers, who linked it to a China-based threat actor tracked as Red Menshen. PwC discovered BPFDoor in 2021 during an incident response engagement. The researchers found that the malware received its commands from Virtual Private Servers (VPS) operated through compromised Taiwanese routers.

Subsequent research by Craig Rowland, founder of Sandfly Security, and Kevin Beaumont revealed how evasive the malware is: it can escape most detection systems. Firewalls have no effect on BPFDoor; it operates without opening any listening ports and does not require a command-and-control server, because it can accept commands from any IP address on the internet.

Using a public exploit

CrowdStrike, a cybersecurity firm, has observed a threat actor targeting Linux and Solaris systems at telecommunications companies with the custom-built BPFDoor implant in order to collect personal user information (e.g. call detail records and data on specific phone numbers).

CrowdStrike tracks the backdoor under the name JustForFun and attributes it to an adversary it calls DecisiveArchitect. The researchers have examined this adversary’s activity on multiple occasions since 2019.

“Through the use of numerous defensive evasion strategies, DecisiveArchitect demonstrates a high level of operational security as part of their efforts to make it more difficult for defenders to detect and examine their activities,” CrowdStrike says. In a report released today, the researchers outline how defenders can detect the BPFDoor implant, highlighting approaches utilised across Solaris platforms.

They state that once DecisiveArchitect has access to a Solaris system, it exploits CVE-2019-3010, a vulnerability in the XScreenSaver component of Solaris 11.x, to gain root-level permissions. Exploit code for the vulnerability has been publicly available for three years, and DecisiveArchitect appears to have made no attempt to modify it.

According to the researchers’ observations, the threat actor begins exploiting the vulnerability “within a few minutes of the JustForFun implant placement.”

On Solaris systems, the threat actor uses the LD_PRELOAD environment variable to obtain functionality comparable to the command-line spoofing seen on Linux servers, according to CrowdStrike researchers.

In April 2022, however, DecisiveArchitect changed its tactics, techniques, and procedures and began using the LD_PRELOAD environment variable on Linux platforms as well, loading the BPFDoor/JustForFun implant into the legitimate process /sbin/agetty.

“The fake command line appears in commands like ps, which can be used to look into suspicious activity on the host,” CrowdStrike says.

Manual detection

Because the threat actor alters existing SysVinit scripts on the host to achieve persistence, the researchers warn that discovering BPFDoor/JustForFun implants on a Linux system can be difficult.

As a result, simply inspecting the lines of a SysVinit script is unlikely to reveal the implant reference; every file the script references should be examined as well.

To make detection even harder, the implant and the associated persistence scripts use different file names and directories from one system to the next.

CrowdStrike provides a set of commands that identify running processes with a raw socket open, which can help defenders determine whether BPFDoor is present on their network:

lsof -RPnl | grep SOCK_RAW | grep IP

for _PIDno in /proc/*; do line=$(pfiles "${_PIDno}"); echo $_PIDno $line | grep bpf; done

for _PIDno in /proc/*; do line=$(pmap "${_PIDno}"); echo $_PIDno $line | grep libpcap; done

for _PIDno in /proc/*; do line=$(pldd "${_PIDno}"); echo $_PIDno $line | grep libpcap; done

The lsof command on Linux helps analysts find the open files associated with a process ID and reveals the spoofed command line. The Solaris loops iterate over all processes, looking for strings that indicate a process is using a packet filter (pfiles) or has loaded the libpcap library (pmap, pldd).
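The Linux side of the check above can be done without lsof by reading /proc directly. The following is an added example (not code from the CrowdStrike report or this article) that lists processes owning an AF_PACKET or IP raw socket, then compares each one's argv[0] with the binary behind /proc/<pid>/exe to flag the kind of command-line spoofing described earlier. It assumes the Linux /proc layout; the two sample table dumps are constructed, not captured from a real host.

```python
import os
import re

SOCKET_RE = re.compile(r"socket:\[(\d+)\]")
# Constructed sample dumps in /proc/net/packet and /proc/net/raw layout (not captured from a real host).
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c1e1a2b3c00 3      3    0003   2     1 0      0      48213
"""
SAMPLE_RAW = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 48301 2 0000000000000000 0
"""

def parse_socket_inodes(table_text, inode_col):
    # Inode is field 8 (last) in /proc/net/packet and field 9 in /proc/net/raw; line 0 is the header.
    rows = (line.split() for line in table_text.splitlines()[1:])
    return {int(f[inode_col]) for f in rows if len(f) > inode_col and f[inode_col].isdigit()}

def socket_owners(proc_root="/proc"):
    # Map socket inode -> pid by resolving every /proc/<pid>/fd/* symlink (run as root to see all of them).
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                m = SOCKET_RE.match(os.readlink(os.path.join(fd_dir, fd)))
                if m:
                    owners[int(m.group(1))] = int(pid)
        except OSError:  # process exited, or its fd table is not readable by this user
            continue
    return owners

def cmdline_suspicious(cmdline, exe_link):
    # Spoofed-argv triage: the name ps shows (argv[0]) differs from the binary behind /proc/<pid>/exe,
    # or that binary was unlinked after start. Interpreters and symlinks also match, so verify before acting.
    argv0 = os.path.basename(cmdline.split("\0")[0]) if cmdline else ""
    exe = os.path.basename(exe_link.replace(" (deleted)", ""))
    return exe_link.endswith("(deleted)") or (argv0 != "" and argv0 != exe)

def report(proc_root="/proc"):
    # Yield (pid, argv0, exe, suspicious) for every process that owns a packet or IP raw socket.
    inodes = set()
    for table, col in (("packet", 8), ("raw", 9)):
        with open(os.path.join(proc_root, "net", table)) as f:
            inodes |= parse_socket_inodes(f.read(), col)
    for inode, pid in socket_owners(proc_root).items():
        if inode in inodes:
            base = os.path.join(proc_root, str(pid))
            cmd = open(os.path.join(base, "cmdline")).read()
            exe = os.readlink(os.path.join(base, "exe"))
            yield pid, cmd.split("\0")[0], exe, cmdline_suspicious(cmd, exe)
```

Run `for row in report(): print(*row)` as root on a live host; a legitimate capture tool such as tcpdump will also appear, so the argv/exe mismatch column is what separates a lead from noise.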

While these commands do not guarantee that the implant is present, they can help establish whether further investigation of suspicious behaviour is required. The report released today by CrowdStrike includes a list of indicators of compromise for Linux and Solaris systems, as well as two Windows scripts whose function is currently unknown.

According to the researchers, the threat actor behind BPFDoor interacts with Windows workstations during the early stages of the intrusion, but no custom implants for this operating system have been discovered.