China-Linked Red Menshen - Stealthy BPFDoor Implants Exposed
Basically, a group from China is using hidden tools to spy on telecom networks.
Red Menshen, a China-linked threat group, is using stealthy BPFDoor implants for espionage in telecom networks. This ongoing campaign poses significant risks to government networks. Organizations must enhance their defenses to counteract these sophisticated threats.
The Threat
Red Menshen, a China-linked threat actor, has been conducting a long-term espionage campaign against telecom networks. This group, also known as Earth Bluecrow, has targeted government networks since at least 2021. They employ advanced techniques to implant stealthy access mechanisms within critical environments, making detection extremely difficult.
Their primary tool, BPFDoor, is a Linux backdoor that operates without exposing traditional command-and-control channels. Instead, it utilizes the Berkeley Packet Filter (BPF) to inspect network traffic directly within the kernel. This allows the threat actor to remain hidden while monitoring and manipulating network operations.
Who's Behind It
Red Menshen has a reputation for targeting telecom providers across regions like the Middle East and Asia. Their operations are characterized by a range of sophisticated techniques, including the use of kernel-level implants and credential-harvesting utilities. By embedding themselves deeply within telecom infrastructure, they can maintain persistent access to sensitive networks.
The group’s activities often start by targeting exposed services like VPN appliances and firewalls from major providers such as Cisco and Fortinet. Once they gain a foothold, they deploy additional tools like CrossC2 and Sliver to facilitate further exploitation and lateral movement within the compromised systems.
Tactics & Techniques
Red Menshen's use of BPFDoor is particularly concerning due to its stealthy nature. The backdoor consists of two components: a passive backdoor that listens for a specific trigger packet, and a controller that sends these packets to activate the implant. This setup allows for controlled lateral movement between compromised systems without raising alarms.
Additionally, the latest variant of BPFDoor has introduced features to enhance its evasion capabilities. For instance, it can hide its trigger packets within legitimate HTTPS traffic, making detection even more challenging. This evolution reflects a broader trend where attackers are embedding their tools deeper into operating systems and infrastructure platforms.
Defensive Measures
Organizations must be vigilant against such sophisticated threats. Implementing strong network segmentation and monitoring for unusual traffic patterns can help detect potential intrusions. Regularly updating and patching systems, especially those exposed to the internet, is crucial to mitigate risks.
Moreover, employing advanced threat detection solutions that can analyze traffic at the kernel level may provide additional layers of security. As Red Menshen continues to evolve its tactics, staying informed about emerging threats and adapting defenses accordingly will be essential for safeguarding sensitive telecom networks.
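One concrete host-level check that follows from the mechanism described under "The Threat": a passive listener that filters traffic with BPF inside the kernel still has to hold a raw packet socket, and Linux lists every AF_PACKET socket in /proc/net/packet. The Python script below is an added example, not code from the article or from any vendor report. It parses that table, maps socket inodes to their owning processes through the socket:[inode] links under /proc/<pid>/fd, and reports raw sockets whose owner is not on an allowlist of known capture tools. The sample table rows and the inode-to-process map are constructed for offline use, the process name "example-daemon" is a placeholder, and the allowlist contents are an assumption to tune per host.

```python
"""Hunt for raw AF_PACKET sockets, the socket type a BPF-filtered passive
listener needs in order to watch traffic without binding a port.

Added example for this article; the sample table and process map below are
constructed, not captured from a real host.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

SOCK_RAW = 3          # Type column: 3 = SOCK_RAW, 2 = SOCK_DGRAM
ETH_P_ALL = 0x0003    # Proto column (hex): every frame on the interface
ETH_P_IP = 0x0800     # every IPv4 frame


@dataclass
class PacketSocket:
    sk: str          # kernel socket address (masked unless privileged)
    sock_type: int
    proto: int
    ifindex: int     # 0 = not bound to a single interface
    inode: int       # joins with socket:[inode] links under /proc/<pid>/fd


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse the /proc/net/packet table; the header line is skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "sk":
            continue
        sk, _refcnt, stype, proto, ifindex, _running, _rmem, _uid, inode = fields[:9]
        sockets.append(PacketSocket(sk, int(stype), int(proto, 16), int(ifindex), int(inode)))
    return sockets


def map_socket_inodes(proc_root: str = "/proc") -> Dict[int, Tuple[int, str]]:
    """Walk /proc/<pid>/fd and map socket inodes to (pid, comm).
    Needs root to read other users' descriptors; unreadable processes are
    skipped, so callers must treat an unmapped socket as a finding, not noise."""
    inode_map: Dict[int, Tuple[int, str]] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited or permission denied
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if not m:
                continue
            try:
                with open(os.path.join(proc_root, pid, "comm")) as fh:
                    comm = fh.read().strip()
            except OSError:
                comm = "?"
            inode_map[int(m.group(1))] = (int(pid), comm)
    return inode_map


def find_raw_sniffers(sockets: List[PacketSocket], inode_map: Dict[int, Tuple[int, str]],
                      allowlist: FrozenSet[str] = frozenset()) -> List[dict]:
    """Return raw AF_PACKET sockets with their owning process.
    Known capture tools go on the allowlist; a raw socket whose owner cannot be
    resolved is still reported, since a hidden or privileged process is exactly
    the case that deserves a second look."""
    findings = []
    for s in sockets:
        if s.sock_type != SOCK_RAW:
            continue
        pid, comm = inode_map.get(s.inode, (None, "<unmapped>"))
        if comm in allowlist:
            continue
        findings.append({
            "pid": pid, "comm": comm, "inode": s.inode, "ifindex": s.ifindex,
            "proto": f"0x{s.proto:04x}",
            # ETH_P_ALL / ETH_P_IP sockets receive all (IP) frames, which is what
            # a passive implant needs in order to notice its trigger packet.
            "broad_capture": s.proto in (ETH_P_ALL, ETH_P_IP),
        })
    return findings


# Constructed sample in the /proc/net/packet layout. Row three's owner,
# "example-daemon", is a placeholder; row four has no owner in the map.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3      0003   2     1 0      0      40123
0000000000000000 3      2      0800   2     1 0      0      40124
0000000000000000 3      3      0800   0     1 0      0      40125
0000000000000000 3      3      0003   2     1 0      0      40126
"""
SAMPLE_INODE_MAP = {40123: (1423, "tcpdump"), 40124: (611, "dhclient"),
                    40125: (2987, "example-daemon")}


def scan_sample() -> List[dict]:
    """Run the check over the constructed sample (tcpdump allowlisted)."""
    return find_raw_sniffers(parse_proc_net_packet(SAMPLE_PROC_NET_PACKET),
                             SAMPLE_INODE_MAP, allowlist=frozenset({"tcpdump"}))


def scan_live(allowlist: FrozenSet[str] = frozenset({"tcpdump"})) -> List[dict]:
    """Run against the real /proc (Linux only; run as root for full coverage)."""
    with open("/proc/net/packet") as fh:
        sockets = parse_proc_net_packet(fh.read())
    return find_raw_sniffers(sockets, map_socket_inodes(), allowlist)


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Two caveats for live use: /proc/net/packet covers AF_PACKET sockets only, so raw AF_INET sockets (listed in /proc/net/raw) need a parallel check, and a legitimate EDR or monitoring sensor will show up here and belongs on the allowlist once confirmed. Unmapped entries are reported deliberately, because the owner of a raw socket that cannot be tied to a visible process is the result a responder most wants to see.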
The Hacker News