Chinese APT Red Menshen's super-advanced BPFdoor malware defeats traditional cybersecurity protections. All telcos can do, really, is try hunting it down.

Chinese threat actors have been tinkering with a state-of-the-art backdoor called "BPFdoor," modifying it to more stealthily maintain persistence inside of the most sensitive parts of global telecommunications systems, plus other high-level government and critical infrastructure networks.
BPFdoor was already one of the world's most sophisticated malware implants before it was upgraded. Its signature trick was to lay dormant inside of a Linux kernel, doing nothing interesting or even observable, while passively using the Berkeley Packet Filter (BPF) to inspect incoming network traffic for a specially crafted activation message.
Researchers at Rapid7 now report that the Chinese advanced persistent threat (APT) behind BPFdoor, Red Menshen, has modified that listening system. Since around last November, it's also tacked on a few more stealthy tricks to help BPFdoor stay even quieter, and get closer to the heart of telecommunications subscriber traffic worldwide.
In addition to known targets in the Middle East and Africa, "We have confirmed victims in the Asia-Pacific (APAC) and in Europe — I dare say this is definitely global," Christiaan Beek, vice president of cyber intelligence at Rapid7, tells Dark Reading. He adds that, perhaps due to the malware's runaway success, "where we thought initially it was mostly focused on telcos, we also now have confirmation from [victimized] government networks, critical infrastructure networks, and defense networks."
An Ultra-Advanced Telecom Backdoor
Even BPFdoor's remarkably subtle and efficient BPF listening technique isn't good enough for Red Menshen anymore. Now, instead of looking for a magic packet in any sort of network packet, the malware only looks for its trigger phrase in innocuous Hypertext Transfer Protocol Secure (HTTPS) requests.
"They are actually weaponizing our firewalls against us, and we're letting the traffic through," Beek concedes. Firewalls and traffic inspection tools can't reasonably block HTTPS, and even when the request is decrypted, it'll look normal to a human observer or security tool. "So that was a really smart move on [their part] — hiding themselves in that kind of Transport Layer Security (TLS) traffic, so the moment you unpack it, it will actually pass through easily," he says.
BPFdoor is also specially tuned to know when a malicious message is coming through. It looks specifically at the 26th byte offset in the incoming request, and if its trigger appears at that exact location, then it knows it's being summoned.
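Because BPFdoor's listener is a passive filter attached to a packet socket rather than a listening TCP port, a port scan or `netstat -l` will not show it. One place a hunter can start on a Linux host is the kernel's own list of packet sockets in `/proc/net/packet`, joining each socket inode back to the process that holds it through `/proc/<pid>/fd`. The script below is an added example written for this article, not Rapid7's or the malware authors' code; the `/proc/net/packet` sample text it self-tests against is constructed, and the column layout it parses is the one Linux prints (the inode is the last column).

```python
"""Hunt for processes holding AF_PACKET sockets, the socket type a passive
BPF sniffer is attached to, by joining /proc/net/packet with /proc/<pid>/fd.

Added example for this article (not the article's or Rapid7's code).
The /proc/net/packet layout assumed here is Linux's:
  sk               RefCnt Type Proto  Iface R Rmem   User   Inode
"""
import os
import re

# Constructed sample of /proc/net/packet with two packet sockets (Type 3 =
# SOCK_RAW, Proto 0003 = ETH_P_ALL, i.e. "give me every frame").
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      31337
0000000000000000 3      3    0003   0     1 0      0      424242
"""


def parse_proc_net_packet(text):
    """Return the set of socket inode numbers listed in /proc/net/packet."""
    inodes = set()
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) >= 9 and fields[-1].isdigit():
            inodes.add(int(fields[-1]))
    return inodes


def socket_inode_from_fd_link(target):
    """Map an fd symlink target such as 'socket:[31337]' to 31337, else None."""
    m = re.fullmatch(r"socket:\[(\d+)\]", target)
    return int(m.group(1)) if m else None


def find_packet_socket_owners(inodes, proc="/proc"):
    """Walk /proc/<pid>/fd and return {pid: [inode, ...]} for sockets in `inodes`."""
    owners = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                         # process exited or no permission
            continue
        for fd in fds:
            try:
                inode = socket_inode_from_fd_link(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if inode in inodes:
                owners.setdefault(int(pid), []).append(inode)
    return owners


def read_cmdline(pid, proc="/proc"):
    """Best-effort command line of a process, for the triage report."""
    try:
        with open(os.path.join(proc, str(pid), "cmdline"), "rb") as f:
            return f.read().replace(b"\x00", b" ").decode(errors="replace").strip()
    except OSError:
        return "?"


def hunt(proc="/proc"):
    """Return {pid: [inode, ...]} of processes holding packet sockets on this host."""
    try:
        with open(os.path.join(proc, "net", "packet")) as f:
            inodes = parse_proc_net_packet(f.read())
    except OSError:
        return {}
    return find_packet_socket_owners(inodes, proc)


if __name__ == "__main__":
    # Run as root so that every process's fd links are readable.
    for pid, inodes in sorted(hunt().items()):
        print(f"pid {pid:>6}  sockets {inodes}  {read_cmdline(pid)}")
```

Run it as root; non-root runs only see your own processes. The output is a triage list, not a verdict: DHCP clients, LLDP daemons and a running tcpdump legitimately hold packet sockets. Confirm each candidate with `ss -0pb`, which prints the classic BPF filter attached to every packet socket, and treat a filter on a process whose name or path does not match a known sniffer as the thing to investigate.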
The trigger phrase is arguably not even BPFdoor's most subtle, highly controlled trick. At an even more granular level, Red Menshen can direct orders to specific instances of its malware within a network, using a lightweight Internet Control Message Protocol (ICMP) control channel.
It works like this: Let's say that Red Menshen has compromised more than one server in a target network. It could connect and forward instructions to each individual server using a command-and-control (C2) setup, but that would be loud. Theoretically, they could also include data in the activation packet that routes instructions to the desired instance, but that would make the packet more bloated and potentially detectable. So, instead, the malware uses the innocuous ICMP pings to transmit instructions between infected machines, using a specific value — 0xFFFFFFFF — to indicate which machine should terminate the propagation and actually execute an action.
"No matter how many hops there are in a network, they know exactly where their next implant in the network is, and they could actually send a command specifically [to any implant] in the traffic," Beek explains. By way of an analogy, he says, "Let's say you have BPFdoor in your living room, and you have BPFdoor in your kitchen. The actor could actually instruct the BPFdoor in the living room that a command is actually intended for BPFdoor in the kitchen."
He adds, "That's unbelievable. It's fascinating — how to hide yourself in ping traffic. They knew exactly where there is some space in the network traffic, where you can put in your [malicious] packets. With all due respect, nobody's tracing how much ping traffic goes beyond the host, or outside of the network."
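Beek's point that nobody traces ping traffic is also the detection opportunity: a network sensor that already captures ICMP can be made to look inside echo payloads for the `0xFFFFFFFF` value the article describes. The scanner below is an added example written for this article, not Rapid7's code and not derived from the implant. The article does not say where in the payload the marker sits, so the scanner searches the whole echo payload (an assumption stated in the code), and the two packets it tests on are constructed here: one with an ordinary incrementing-byte ping payload and one carrying the marker.

```python
"""Flag IPv4 ICMP echo/reply packets whose payload contains 0xFFFFFFFF.

Added detection example for this article (not Rapid7's or the article's
code). Assumption: the marker may appear anywhere in the echo payload, so
the whole payload is searched.
"""
import struct

MARKER = b"\xff\xff\xff\xff"


def inet_checksum(data):
    """Standard one's-complement checksum used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src, dst, payload, ident=1, seq=1):
    """Build a minimal IPv4 + ICMP echo request. Used only to construct test input."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp_echo(pkt):
    """Return (src, dst, icmp_type, payload) for an IPv4 ICMP echo/reply, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                              # not IPv4
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:
        return None                              # not ICMP, or truncated
    icmp_type = pkt[ihl]
    if icmp_type not in (0, 8):                  # echo reply / echo request only
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, icmp_type, pkt[ihl + 8:]


def flag_marker_pings(packets):
    """Return (src, dst, icmp_type, marker_offset) for every echo carrying the marker."""
    hits = []
    for pkt in packets:
        parsed = parse_icmp_echo(pkt)
        if parsed is None:
            continue
        src, dst, icmp_type, payload = parsed
        offset = payload.find(MARKER)
        if offset != -1:
            hits.append((src, dst, icmp_type, offset))
    return hits


# Constructed samples: a benign ping with an incrementing-byte payload, and
# one whose payload carries the marker 8 bytes in.
BENIGN_PAYLOAD = bytes(range(0x10, 0x38))
SAMPLE_PACKETS = [
    build_icmp_echo("10.0.0.5", "10.0.0.9", BENIGN_PAYLOAD),
    build_icmp_echo("10.0.0.7", "10.0.0.9", b"\x00" * 8 + MARKER + b"\x00" * 4),
]

if __name__ == "__main__":
    for src, dst, icmp_type, offset in flag_marker_pings(SAMPLE_PACKETS):
        kind = "echo request" if icmp_type == 8 else "echo reply"
        print(f"{src} -> {dst} {kind}: marker at payload offset {offset}")
```

Feed it the IPv4 packets from a capture (strip the link-layer header first) and review the hits by source and destination pair. A run of `0xFF` bytes can occur in benign payloads, so the value of this check is in the pattern it surfaces: pings between internal servers that never otherwise exchange ICMP, arriving in short bursts around the time an HTTPS request hit one of them. That correlation, not a single packet, is what points to a relay of the kind the article describes.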
China vs. Telcos: An Unfair Cyber Fight
Red Menshen attacks are characterized by an unusual diligence and knowledge of their targets' infrastructure.
Beek thinks that "they do an extremely good job at reconnaissance in their victims' networks. And they know so much about the inner workings of telco infrastructure. So the moment they are inside, and they find certain equipment, they know exactly how it works. And that it's interconnected, and then they can move really fast [to other parts of the network]. We found custom sniffers, custom tooling to intercept usernames and passwords — very highly sophisticated operations."
The detail with which the attackers understand and adapt to their targets' systems is exceptional. For instance, cyber researchers call it "advanced" when malware mimics ordinary system processes to try to evade detection. Red Menshen goes a step further. It knows that telcos, particularly in Europe and Asia, are known to use HPE ProLiant servers, and that telcos worldwide are increasingly using Kubernetes to serve 5G. So nowadays BPFdoor disguises itself using legitimate service names and process behaviors associated with HPE ProLiant servers, or Kubernetes, as applicable.
Between the passive listening, the covert messaging, the process mimicking, and more, BPFdoor is a league beyond what most cybersecurity solutions can hope to detect and stop. Beek's suggestion, instead, is that operators need to just go out and hunt this thing down.
The first step in that process, of course, is actually knowing about its existence. Surprisingly, even though the malware is some years old now, it isn't as famous as it deserves to be.
"Honestly, when I spoke to different telcos, they were quite unaware of this threat, and also the implications of it," Beek says. "I think that the bigger picture here is: Are you really anticipating these threats?"