APT Group Red Menshen is Rapidly Evolving its BPFDoor Malware

Most threat groups slinging malware look for the greatest return on their nefarious efforts, which is why so many of the systems they target run Microsoft’s Windows operating system.

However, advanced persistent threat (APT) actors–including those running ransomware campaigns–are more interested in maintaining their presence undetected in their victims’ systems. In recent years, such groups have expanded their field of targets to include cloud servers and systems running Linux and other non-Windows OSes, according to cybersecurity company Trend Micro.

In the cloud, that has included ransomware groups targeting systems running VMware’s ESXi servers and a range of variants of the Mirai botnet. In addition, the notorious Sandworm malware, deployed by Russia’s GRU military intelligence unit, has been used against network routers running Linux.

Red Menshen is another APT group that is rapidly evolving its BPFDoor backdoor malware that targets systems running Linux or Solaris. Among the improvements Red Menshen–also known as DecisiveArchitect and Red Dev 18–is the enhanced use of the Berkeley Packet Filter (BPF), a legitimate tool that lets programs running certain OSes do such tasks as analyze network traffic.

Red Menshen has been targeting telecoms and other industries, primarily in Turkey and Hong Kong.

Hard to Catch

For the threat group, BPF makes its BPFDoor more difficult to detect, according to Fernando Merces, senior threat researcher at Trend Micro. The technology “allows programs to attach network filters to an open socket that’s being used by the threat actors behind BPFDoor to bypass firewalls’ inbound traffic rules and similar network protection solutions in Linux and Solaris operating systems (OS),” Merces wrote in a report.

Neither operating system is tops in its field. In the overall global OS market, Windows accounts for more than 28%, while Linux comes in at 1.3%, according to StatCounter. There are more than 44,000 companies that use Solaris, which has about a 0.9% share of the OS space, Enlyft says.

While their marketshare may be low, Linux and Solaris are used by companies of all sizes and in a broad array of industries, which explains why an APT group like Red Menshen will make the effort to target these systems. Trend Micro is tracking two versions, one for Linux systems and the other for servers running Solaris. Merces added that the group is aggressively improving their capabilities.

There are now six times the number of instructions in the malware’s BPF filters than were found in two samples last year.

“This is a clear sign that BPFDoor is under active development and that it has been proven successful enough for the attacks to merit a return on the malware developers’ investment from this upgrade effort,” he wrote.

Red Menshen, a Chinese threat actor, uses BPF–the Linux equivalent is called Linux Socket Filtering (LSF)–to load packet filters into the Linux kernel. The filters let the attackers activate the malware with a single network packet because it reaches the kernel’s BPF before it hits the firewall, which would otherwise block it. BPFDoor then opens a reverse shell that accepts commands from the attacker and gives the malware the root privileges it needs to work.

More Variants Crop Up

The malware samples–one called Variant A–found before 2023 contain the same BPF program and include 30 instructions. Trend Micro this year worked with four samples and detected more variants. Variant B contains 39 instructions, which may show that BPFDoor developers wanted another way of activating the backdoor after reports shed light on how the previous variant works, Merces wrote.

Variant C has about six times the number of instructions–205–while Variant D has 229. He wrote that cybersecurity firm Deep Instinct found another variant that Trend Micro is referring to as Variant E.

The use of embedded BPF bytecode in malware will create headaches for organizations and security analysts. While it’s not heavily used in malware and there aren’t many tools for analyzing and debugging such bytecode, it can give attackers full use of an infected system.

“The evolution of BPF filters used by BPFDoor also shows that threat actors are working to improve their methods to cover their tracks and keep the backdoor stealthy,” he wrote.

Network defenders need to update their rules to address this trend and malware analysts need to take closer looks at BPF filters in malware, according to Trend Micro.

Avatar photo

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.

jeffrey-burt has 387 posts and counting.See all posts by jeffrey-burt