
BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e)

BPFDoor is a Linux-based passive, long-term backdoor used by China-based threat actors. First seen in 2021, BPFDoor is named after its use of the Berkeley Packet Filter (BPF) to execute single-task instructions. BPFDoor supports multiple protocols for communicating with a C2, including TCP, UDP, and ICMP, and can start local or reverse shells that bypass firewalls by using iptables.(Citation: Sandfly BPFDoor 2022)(Citation: Deep Instinct BPFDoor 2023)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) | Attack Pattern | BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e) | Malware | 1 |
| Break Process Trees - T1036.009 (34a80bc4-80f2-46e6-94ff-f3265a4b657c) | Attack Pattern | BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e) | Malware | 1 |
| Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e) | Malware | 1 |
| Overwrite Process Arguments - T1036.011 (514dc7b3-0b80-4382-80a9-2e2d294f5019) | Attack Pattern | BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e) | Malware | 1 |
| Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) | Attack Pattern | BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e) | Malware | 1 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e) | Malware | 1 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e) | Malware | 1 |
| Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) | Attack Pattern | BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e) | Malware | 1 |
| Prevent Command History Logging - T1690 (b831f51c-d22f-4724-bbab-60d056bd1150) | Attack Pattern | BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e) | Malware | 1 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e) | Malware | 1 |
| Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520) | Attack Pattern | BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e) | Malware | 1 |
| Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) | Attack Pattern | BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e) | Malware | 1 |
| Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b) | Attack Pattern | BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e) | Malware | 1 |
| Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Break Process Trees - T1036.009 (34a80bc4-80f2-46e6-94ff-f3265a4b657c) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Overwrite Process Arguments - T1036.011 (514dc7b3-0b80-4382-80a9-2e2d294f5019) | Attack Pattern | 2 |
| Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) | Attack Pattern | Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) | Attack Pattern | 2 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 2 |
| Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) | Attack Pattern | Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520) | Attack Pattern | 2 |
| Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b) | Attack Pattern | Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | 2 |