Full Report
BPFDoor is a Linux-based backdoor malware. AhnLab previously published their EDR detection information on this malware through the ASEC blog in October 2024. KISA recently shared threat information and warnings on BPFDoor, which has been exploited in hacking attacks. V3 detection information on the hash values shared by KISA in their first and second notices […]
Analysis Summary
# Incident Report: BPFDoor Backdoor Exploitation and Threat Advisory
## Executive Summary
This report summarizes a security advisory concerning the active exploitation of BPFDoor, a Linux-based backdoor malware, in recent hacking attacks, as highlighted by KISA advisories. The incident progression centers on the deployment of BPFDoor and its associated control component (BPFControl) across potentially compromised Linux systems, identified by the file hashes KISA shared. The primary required response is to apply advanced detection mechanisms such as EDR and AIPS using the newly provided file hashes and behavioral signatures.
## Incident Details
- Discovery Date: Ongoing; KISA shared threat information in two notices leading up to the May 8, 2025 advisory date.
- Incident Date: Occurrences noted throughout April and early May 2025, based on malware detection timestamps.
- Affected Organization: Multiple undisclosed entities targeted by the BPFDoor threat actor.
- Sector: Undisclosed (based on the typical Linux-based threat context, BPFDoor often targets infrastructure or web servers).
- Geography: Not specified, but KISA advisories suggest a focus relevant to their jurisdiction.
## Timeline of Events
### Initial Access
- Date/Time: Not specified in detail, but exploitation was ongoing leading up to the KISA notices (April/May 2025).
- Vector: The specific initial vector is not detailed, but BPFDoor is typically deployed via exploitation or initial compromise of internet-facing Linux services.
- Details: Attackers deployed variations of the BPFDoor backdoor toolkit, using file names such as `hpasmmld`, `smartadm`, and obfuscated names like `inode262394`.
### Lateral Movement
- Details: The context implies successful execution (indicated by `Execution/EDR.BPFDoor` detections). BPFDoor's remote-control functionality gives the operator a foothold from which to move laterally, though specific movement actions were not detailed in this summary.
### Data Exfiltration/Impact
- Details: BPFDoor provides robust backdoor functionality, strongly implying command and control, potential system modification, and data access/exfiltration, although specific stolen data is undisclosed.
### Detection & Response
- Date/Time: AhnLab EDR provided initial detection information in October 2024; updated KISA notices prompted action around May 2025.
- Details: Response requires applying the V3 detection signatures that correspond to the KISA-provided hashes, and deploying or tuning EDR/AIPS solutions for behavioral detection.
## Attack Methodology
*Note: Since this is a malware advisory based on samples and IOCs rather than a single incident narrative, the methodology below is inferred from BPFDoor's capabilities and the provided IOCs.*
- Initial Access: Exploitation of vulnerable Linux systems (inferred).
- Persistence: Achieved via system file substitution or execution of the backdoor components (e.g., `hpasmmld`, `gm`).
- Privilege Escalation: Not explicitly detailed, but assumed necessary for full backdoor deployment on Linux hosts.
- Defense Evasion: The use of non-standard names (`inode262394`) and behavioral evasion (detected by EDR events like `DefenseEvasion/EDR.Event.M12190`).
- Credential Access: Not explicitly detailed but standard for advanced backdoors.
- Discovery: Inferred from the host interaction a BPF-based backdoor requires.
- Lateral Movement: Inferred via the backdoor's functionality after establishing persistence.
- Collection: Inferred, as BPFDoor is designed for remote access and command execution.
- Exfiltration: Inferred capability of the BPFDoor architecture.
- Impact: Establishment of unauthorized, persistent remote access (Backdoor).
## Impact Assessment
- Financial: Not specified.
- Data Breach: Potential for data loss on compromised Linux servers, but specific data types are unreported.
- Operational: Risks significant operational disruption due to system compromise and potential remote command execution.
- Reputational: Potential damage if victims are publicly identified.
## Indicators of Compromise
*All IOCs are listed as provided.*
- Network indicators:
  - AIPS Detection Patterns: BPFDoor Malware CnC Communication-1 through -8 (Signature 427)
- File indicators (selected high-risk hashes):
  - MD5: `0bcd4f14e7d8a3dc908b5c17183269a4`, `227fa46cf2a4517aa1870a011c79eb54`, `5f6f79d276a2d84e74047358be4f7ee1`
  - SHA2: `7c39f3c3120e35b8ab89181f191f01e2556ca558475a2803cb1f02c05c830423`, `3f6f108db37d18519f47c5e4182e5e33cc795564f286ae770aa03372133d15c4`
- Behavioral indicators:
  - EDR Detections: `Execution/EDR.BPFDoor.M12599`, `Behavior/DETECT.Event.M12191`
## Response Actions
- Containment measures: Isolation of identified compromised Linux hosts based on file IOCs and behavioral alerts.
- Eradication steps: Removal of all identified BPFDoor/BPFControl malware files, including those with generic or inode-based names.
- Recovery actions: Hardening of compromised systems, potentially involving re-imaging critical servers, and resetting credentials.
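As an added example (not code from the ASEC or KISA advisories), the sweep below walks a directory tree, hashes every regular file, and reports matches against the MD5 and SHA2 IOCs listed above as well as the BPFDoor drop names the report cites; the `inode<digits>` pattern generalizes the single `inode262394` example and is an assumption, as are the constructed inputs used to exercise it.

```python
import hashlib
import os
import re

# Hashes as listed in the Indicators of Compromise section of this report.
IOC_MD5 = {
    "0bcd4f14e7d8a3dc908b5c17183269a4",
    "227fa46cf2a4517aa1870a011c79eb54",
    "5f6f79d276a2d84e74047358be4f7ee1",
}
IOC_SHA256 = {
    "7c39f3c3120e35b8ab89181f191f01e2556ca558475a2803cb1f02c05c830423",
    "3f6f108db37d18519f47c5e4182e5e33cc795564f286ae770aa03372133d15c4",
}
# Drop names the report cites; inode<digits> is an assumed generalization of `inode262394`.
SUSPICIOUS_NAMES = {"hpasmmld", "smartadm", "gm"}
INODE_NAME = re.compile(r"^inode\d+$")


def hash_file(path, chunk=1 << 20):
    """Return (md5, sha256) hex digests, streamed so large binaries fit in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def scan_tree(root, md5_iocs=IOC_MD5, sha256_iocs=IOC_SHA256):
    """Walk `root` and return (path, reason) pairs for every hash or name match.
    Symlinks are skipped so a planted link cannot steer the sweep elsewhere."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if name in SUSPICIOUS_NAMES or INODE_NAME.match(name):
                hits.append((path, f"suspicious name: {name}"))
            try:
                md5, sha = hash_file(path)
            except OSError:
                hits.append((path, "unreadable: hash not checked"))
                continue
            if md5 in md5_iocs:
                hits.append((path, f"MD5 IOC match: {md5}"))
            if sha in sha256_iocs:
                hits.append((path, f"SHA256 IOC match: {sha}"))
    return hits
```

Run it as `scan_tree("/usr/local/bin")` (or any directory under review) and triage each returned pair; a name hit without a hash hit still warrants inspection, since the report notes generic and inode-style names are used to blend in.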
## Lessons Learned
- BPFDoor remains an active threat, especially given its open-source nature, necessitating continuous vigilance.
- Relying solely on traditional antivirus signature updates is insufficient against polymorphic or evolving threats; advanced solutions (EDR) are critical for behavioral detection.
- Coordinated threat intelligence sharing (like that provided by KISA) accelerates the update cycle for detection mechanisms.
## Recommendations
- Implement robust Endpoint Detection and Response (EDR) solutions specifically tuned for Linux environments to capture anomalous process behavior related to BPFDoor.
- Regularly update security tools using vendor-provided threat intelligence feeds (V3 definitions).
- Review Linux system configurations for unauthorized changes, especially those affecting service startup or hidden files within system directories.