BPFDoor malware uses Solaris vulnerability to get root privileges

New research into the inner workings of the stealthy BPFdoor malware for Linux and Solaris reveals that the threat actor behind it leveraged an old vulnerability to achieve persistence on targeted systems.

BPFDoor is a custom backdoor that has been used largely undetected for at least five years in attacks against telecommunications, government, education, and logistics organizations.

The malware was discovered only recently and reported first by researchers from PricewaterhouseCoopers (PwC), who attributed it to a China-based threat actor they track as Red Menshen.

PwC found BPFDoor during an incident response engagement in 2021. Looking closer at the malware, the researchers noticed that it received commands from Virtual Private Servers (VPS) controlled through compromised routers in Taiwan.

Subsequent, comprehensive research from Craig Rowland, the founder of Sandfly Security, and Kevin Beaumont showed the highly insidious nature of the malware, which can virtually bypass most detection systems.

BPFDoor can't be stopped by firewalls, it can function without opening any ports and does not need a command and control server as it can receive commands from any IP address on the web.

Using a public exploit

Cybersecurity company CrowdStrike has observed a threat actor that focused mainly on targeting Linux and Solaris systems using the custom-built BPFDoor implant on telecommunications providers to steal personal user information (e.g. call detail records, data on specific phone numbers).

CrowdStrike is tracking the backdoor under the name JustForFun and attributes it to an adversary that they refer to as DecisiveArchitect. The researchers analyzed activity of this adversary several times since 2019.

"DecisiveArchitect exhibits a high degree of operational security as part of their tactics to make it more difficult for defenders to identify and investigate their activity through the use of various defense evasion techniques" - CrowdStrike

In a report today, the researchers provide details about how defenders can detect the BPFDoor implant and highlight techniques used across Solaris systems.

They note that once DecisiveArchitect gains access to a Solaris system, it achieves root-level permissions by exploiting CVE-2019-3010 - a vulnerability in the XScreenSaver component of the Solaris operating system (version 11.x).

Exploit code for the vulnerability is publicly available for three years and it appears that DecisiveArchitect did not make any effort to modify it.

The threat actor starts leveraging the bug typically "within a few minutes of the JustForFun implant deployment," according to the researchers' observations.

CrowdStrike researchers note that on Solaris systems the threat actor uses the LD_PRELOAD environmental variable to achieve functionality similar to the command-line spoofing seen on Linux hosts.

However, starting April 2022, DecisiveArchitect updated its tactics, techniques, and procedures, and began using the LD_PRELOAD environmental variable on Linux machines, as well, to load the BPFDoor/JustForFun implant in the legitimate process /sbin/agetty.

"The spoofed command line appears in commands such as ps that may be used to investigate suspicious activity on the host," CrowdStrike

Manual detection

The researchers highlight that detecting BPFDoor/JustForFun implants on a Linux system may prove to be a daunting task because the threat actor modifies existing SysVinit scripts on the host to achieve persistence.

As such, simply reviewing the lines of code in SysVinit scripts is unlikely to reveal the reference to the implant and all file references should be analyzed.

To make it even more difficult to spot, the file names and paths for the implant and the associated persistence-related scripts are different from one system to another.

CrowdStrike provides a set of commands that could help defenders investigate whether BPFDoor is present on their network by identifying running processes with a raw socket open:

Linux:

lsof -RPnl | grep SOCK_RAW | grep IP

Solaris:

for _PIDno in /proc/*; do line=$(pfiles "${_PIDno}"); echo $_PIDno $line | grep bpf; done for _PIDno in /proc/*; do line=$(pmap "${_PIDno}"); echo $_PIDno $line | grep libpcap; done for _PIDno in /proc/*; do line=$(pldd "${_PIDno}"); echo $_PIDno $line | grep libpcap; done

The lsof command in Linux will report the spoofed command line and can also help analysts list open files associated with a process ID.

The commands for Solaris systems will loop through every process searching for strings indicating a process running with a packet filter and looking for processes that loaded the libpcap library.

While these commands alone can't necessarily reveal the implant, they are useful to determine if further investigation of suspicious activity is necessary.

CrowdStrike's report today includes a list of indicators of compromise for both Linux and Solaris systems, as well as two Windows scripts whose purpose remains unknown at the moment.

The researchers say that the threat actor behind BFPDoor does interact with Windows machines during the early stages of the intrusion but they did not identify any custom implants for this operating system.