
Red Menshen: A Look into the Chinese Cyber Espionage Threat
Red Menshen is a China-based threat actor that has been observed targeting telecommunications providers across the U.S., Turkey, the Middle East and Asia, as well as entities in the government, education, and logistics sectors, using a custom backdoor referred to as BPFDoor.
Indicators of Compromise
Hashes (43)
APT Groups
Red Menshen
China
Notes
<div><div><b>Introduction:</b><br></div><div><br></div><div>Cybersecurity threats are becoming more sophisticated, and advanced persistent threat (APT) groups are a major cause for concern. One such group that has been active since is Red Menshen, a China-based APT group that has been conducting cyber espionage operations against government agencies, military organizations, corporations, and more. In this post, we take a closer look at the threat posed by Red Menshen and its custom backdoor, BPFDoor.</div><div><br></div><div><b>About Red Menshen:</b></div><div><br></div><div>Red Menshen is a highly effective and persistent APT group that has targeted a variety of organizations across the globe. The group is known for its use of custom-built tools, which makes it a formidable threat. Sectors targeted by Red Menshen include telecommunications providers, government entities, education institutions, and logistics companies.</div><div><br></div><div><b>BPFDoor: A Custom Backdoor</b></div><div><br></div><div>One of the tools used by Red Menshen is BPFDoor, a custom backdoor that has been observed in attacks against organizations in the US, South Korea, Hong Kong, Turkey, India, Viet Nam, Myanmar, and more. The group uses BPFDoor to gain unauthorized access to targeted systems and to carry out post-exploitation activities such as stealing sensitive information and moving laterally within the network.</div><div><br></div><div>BPFDoor is a highly evasive backdoor: it does not open any inbound network port, does not beacon out to a command and control (C2) server, and renames its own process on Linux to masquerade as a legitimate daemon. Instead of listening on a port, the implant attaches a Berkeley Packet Filter (BPF) to a raw socket and waits for a specially crafted packet, which is where its name comes from. 
Because nothing shows up in the listening-port table and there is no outbound beacon, port- and netflow-based detection alone will miss it.</div></div><div><br></div><div><b>Florian Roth found BPFDoor controller source code </b><br></div><div><span style="color: var(--q-dark);"><br></span></div><div><span style="color: var(--q-dark);">Sample</span><br></div><div><div><br></div><div><span style="color: var(--q-dark);">https[:]//virustotal[.]com[/]gui[/]file[/]8b9db0bc9152628bdacc32dab01590211bee9f27d58e0f66f6a1e26aea7552a6[/]detection</span><br></div><div><br></div><div>Source</div><div>https[:]//pastebin[.]com[/]kmmJuuQP</div></div><div><br></div>The source refers to an outdated version of the implant from around 2018, which can be found on Pastebin.<div><br></div><div><br></div><div><img src="https://pbs.twimg.com/media/FSOWeoLX0AAA14v?format=jpg&name=large" alt="Image"><br></div><div><br></div><div><img src="https://pbs.twimg.com/media/FSOWfguWQAAqZwf?format=jpg&name=large" alt="Image"><br></div>
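Since the implant neither listens on a port nor beacons out, a host-side hunt has to look at what it does do: hold a packet-capture socket while running under a borrowed process name. The script below is an added example written for this note, not code from the original post or from any published BPFDoor tooling; it reads Linux procfs (the `Proc` record, the indicator names and the two-indicator threshold are this example's own choices) and flags processes that combine an AF_PACKET socket with a deleted or tmpfs-resident executable or an argv[0] that does not match the executable name.

```python
import os
from collections import namedtuple

# exe: /proc/<pid>/exe target (" (deleted)" suffix if unlinked); cmdline: argv list; sock_inodes: socket:[N] fd inodes
Proc = namedtuple("Proc", "pid exe cmdline sock_inodes")

def packet_socket_inodes(proc_net_packet):
    """Inodes of AF_PACKET sockets from /proc/net/packet text (inode is the last column)."""
    inodes = set()
    for line in proc_net_packet.splitlines()[1:]:  # skip header
        if len(fields := line.split()) >= 9:
            inodes.add(int(fields[-1]))
    return inodes

def findings(proc, packet_inodes):
    """Indicators present in one process; any single one is common in benign software."""
    out = []
    if proc.sock_inodes & packet_inodes:
        out.append("af_packet_socket")        # sniffs traffic, so no listening port appears
    exe = proc.exe.replace(" (deleted)", "")
    if exe != proc.exe or exe.startswith("/dev/shm/"):
        out.append("exe_deleted_or_in_shm")   # binary unlinked or run from tmpfs
    if proc.cmdline and os.path.basename(proc.cmdline[0]) != os.path.basename(exe):
        out.append("argv0_mismatch")          # running under a borrowed name
    return out

def hunt(procs, proc_net_packet):
    """pid -> indicators, for processes showing at least two of them (cuts tcpdump-style noise)."""
    packet_inodes = packet_socket_inodes(proc_net_packet)
    return {p.pid: f for p in procs if len(f := findings(p, packet_inodes)) >= 2}

def collect_live():
    """Run hunt() against a live Linux /proc (root needed to read other users' links)."""
    procs = []
    for d in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{d}/exe")
            with open(f"/proc/{d}/cmdline", "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            links = [os.readlink(f"/proc/{d}/fd/{fd}") for fd in os.listdir(f"/proc/{d}/fd")]
            procs.append(Proc(int(d), exe, argv, {int(l[8:-1]) for l in links if l.startswith("socket:[")}))
        except OSError:
            continue  # process exited or access denied
    with open("/proc/net/packet") as fh:
        return hunt(procs, fh.read())

# Constructed sample input (not real IoCs): one masquerading sniffer and two benign processes.
SAMPLE_PACKET = "sk RefCnt Type Proto Iface R Rmem User Inode\nffff8881 3 3 0003 2 1 0 0 41234\n"
SAMPLE_PROCS = [Proc(4321, "/dev/shm/example_implant (deleted)", ["/sbin/udevd", "-d"], {41234}),
                Proc(1000, "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"], {777}),
                Proc(1500, "/usr/bin/tcpdump", ["tcpdump", "-i", "eth0"], {41234})]
print(hunt(SAMPLE_PROCS, SAMPLE_PACKET))  # {4321: ['af_packet_socket', 'exe_deleted_or_in_shm', 'argv0_mismatch']}
```

On a real host, `collect_live()` returns the same mapping; treat a hit as a lead for forensic triage (capture the process memory and the fd table before killing it), not as proof by itself.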
Mitigation
<div>MITRE ATT&amp;CK techniques:</div><div>T1036.005 - Masquerading: Match Legitimate Name or Location</div><div>T1070.004 - Indicator Removal on Host: File Deletion</div><div>T1070.006 - Indicator Removal on Host: Timestomp</div><div>T1059.004 - Command and Scripting Interpreter: Unix Shell</div><div>T1106 - Native API</div><div>T1548.001 - Abuse Elevation Control Mechanism: Setuid and Setgid</div><div>T1095 - Non-Application Layer Protocol</div><div><br></div><div><div>Mitigation:</div><div><ul><li>Awareness: Ensure that employees and stakeholders are aware of the threat posed by BPFDoor and of the importance of following security best practices, such as avoiding suspicious emails and links and keeping software up to date.</li><li>Patch Management: Regularly apply security patches and updates to the operating system, applications, and firmware to close vulnerabilities that attackers may exploit.</li><li>Endpoint Protection: Deploy endpoint protection on Linux servers, not only on workstations, to detect and block malware such as BPFDoor.</li><li>Network Segmentation: Segment the network into smaller, secure zones to reduce the attack surface and limit the spread of malware if a breach occurs.</li><li>Backup and Recovery: Regularly back up critical data and maintain a tested disaster recovery plan so that business operations can continue in the event of a successful attack.</li><li>Monitoring: Monitor the network for unusual activity with intrusion detection and log analysis tools. Because BPFDoor opens no listening port and uses no outbound C2, also hunt on the host for processes that hold raw or packet sockets and for processes whose name does not match their executable, and review ingress ACLs so that unsolicited packets cannot reach internal servers.</li><li>Incident Response Plan: Have an incident response plan in place to respond quickly and effectively to a breach, including procedures for isolating affected systems and preserving evidence (including memory and the running process list, since the implant deletes its own file) for forensic analysis.</li></ul></div><div><br></div><div><br></div><div><br></div></div>