Red Menshen: A Look into the Chinese Cyber Espionage Threat
BPFDoor Red Dev 18

Red Menshen, a China-based threat actor, has been observed targeting telecommunications providers across the U.S., Turkey, the Middle East and Asia, as well as entities in the government, education and logistics sectors, using a custom backdoor referred to as BPFDoor.

MITRE ATT&CK Techniques:
  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1070.004 - Indicator Removal on Host: File Deletion
  • T1070.006 - Indicator Removal on Host: Time Stomp
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1106 - Native API
  • T1548.001 - Abuse Elevation Control Mechanism: Setuid and Setgid
  • T1095 - Non-Application Layer Protocol

Mitigation:
  • Awareness: Ensure that employees and stakeholders are aware of the threat posed by BPFDoor and the importance of following security best practices, such as avoiding suspicious emails and links and keeping software up-to-date.
  • Patch Management: Regularly apply security patches and updates to the operating system, applications, and firmware to close any vulnerabilities that may be exploited by attackers.
  • Endpoint protection: Implement robust endpoint protection solutions to detect and prevent the spread of malware, including BPFDoor.
  • Network Segmentation: Segment the network into smaller, secure zones to reduce the attack surface and limit the spread of malware if a breach occurs.
  • Backup and Recovery: Regularly back up critical data and implement a robust disaster recovery plan to ensure that business operations can continue in the event of a successful attack.
  • Monitoring: Monitor the network for unusual activity and implement security tools such as intrusion detection systems and log analysis tools to detect any potential threats.
  • Incident Response Plan: Have an incident response plan in place to quickly and effectively respond to a breach or attack, including procedures for isolating affected systems and preserving evidence for forensic analysis.



Detection name: Backdoor:Linux/BPFDoor.E!MTB
Detected by Microsoft Defender Antivirus
Aliases: No associated aliases

Summary
Microsoft Defender Antivirus detects and removes this threat.

This threat can give a malicious hacker unauthorized access and control of your PC.

Introduction:

Cybersecurity threats are becoming more and more sophisticated, and advanced persistent threat (APT) groups are a major cause for concern. One such group that has been active since is Red Menshen, a China-based APT group that has been conducting cyber espionage operations against government agencies, military organizations, corporations, and more. In this post, we'll take a closer look at the threat posed by Red Menshen and its custom backdoor, BPFDoor.

About Red Menshen:

Red Menshen is a highly effective and persistent APT group that has been targeting a variety of organizations across the globe. The group is known for its use of custom-built tools, making it a formidable threat. Some of the sectors that have been targeted by Red Menshen include telecommunications providers, government entities, education institutions, and logistics companies.

BPFDoor: A Custom Backdoor

One of the tools used by Red Menshen is BPFDoor, a custom backdoor that has been observed in attacks against organizations in the U.S., South Korea, Hong Kong, Turkey, India, Vietnam, Myanmar and elsewhere. The group uses BPFDoor to gain unauthorized access to targeted systems and to carry out post-exploitation activity such as stealing sensitive information and moving laterally within the network.

BPFDoor is a highly evasive backdoor: it opens no inbound network port, uses no outbound command-and-control (C2) connection, and renames its own process on Linux. Together these traits make it hard for conventional network and host monitoring to detect.
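A defender-side hunt for the two traits just described and for the listed techniques T1036.005 (process masquerading) and T1070.004 (file deletion), written as an added example for this page rather than taken from any of the reports it cites: it compares each Linux process's displayed name (comm and argv[0]) with the binary it actually runs from, flags binaries deleted from disk while still running, and cross-references /proc/net/packet to find processes holding a raw AF_PACKET socket, which is how a process can observe traffic without any listening port. It assumes a Linux host with /proc mounted; reading other users' fd links requires root.

```python
import os
import re
from pathlib import Path

def classify(comm, cmdline, exe_target):
    """Findings for one process from its comm, NUL-separated cmdline bytes and exe link."""
    findings = []
    deleted = exe_target.endswith(" (deleted)")
    exe_base = os.path.basename(exe_target[:-10] if deleted else exe_target)
    argv0 = os.path.basename(cmdline.split(b"\0", 1)[0].decode(errors="replace"))
    if deleted:
        findings.append("binary deleted from disk while still running")
    # comm is capped at 15 chars by the kernel, so accept a prefix match either
    # way (python3 vs python3.11); any other difference means the name was changed.
    for label, name in (("comm", comm), ("argv[0]", argv0)):
        if name and not (exe_base.startswith(name) or name.startswith(exe_base[:15])):
            findings.append(f"{label} {name!r} does not match exe {exe_base!r}")
    return findings

def packet_socket_inodes(table_text):
    """Inodes of every AF_PACKET socket in /proc/net/packet text (header skipped)."""
    return {int(c[-1]) for c in (ln.split() for ln in table_text.splitlines()[1:])
            if len(c) >= 9 and c[-1].isdigit()}

def socket_inodes(pid):
    """Socket inodes held by a live pid, read from its /proc/<pid>/fd links."""
    try:
        links = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
    except OSError:                       # process exited, or not ours to inspect
        return set()
    return {int(m.group(1)) for m in (re.fullmatch(r"socket:\[(\d+)\]", ln) for ln in links) if m}

def scan_proc():
    """Live hunt over /proc: yields (pid, findings) for each process with a hit."""
    try:
        raw = packet_socket_inodes(Path("/proc/net/packet").read_text())
    except OSError:
        raw = set()
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            findings = classify(Path(f"/proc/{pid}/comm").read_text().strip(),
                                Path(f"/proc/{pid}/cmdline").read_bytes(),
                                os.readlink(f"/proc/{pid}/exe"))
        except OSError:                   # kernel thread, or no permission
            continue
        if raw & socket_inodes(pid):
            findings.append("holds an AF_PACKET socket: sees traffic with no listening port")
        if findings:
            yield pid, findings
```

Run it as root and triage the output: packet sniffers, DHCP clients and browsers that rename their own threads will show up and need to be whitelisted before any hit is treated as suspicious.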

Florian Roth found BPFDoor controller source code 

Sample

https[:]//virustotal[.]com[/]gui[/]file[/]8b9db0bc9152628bdacc32dab01590211bee9f27d58e0f66f6a1e26aea7552a6[/]detection

Source
https[:]//pastebin[.]com[/]kmmJuuQP

This is an outdated version of the implant from around 2018, hosted on Pastebin.

Reports:
  • yir-cyber-threats-report-download.pdf: Red Dev Redemption
  • BPFDoor — an active Chinese global surveillance tool _ by Kevin Beaumont _ DoublePulsar.pdf: BPFDoor is interesting. It allows a threat actor to backdoor a system for remote code execution
APT Name: Red Menshen
Aliases: RedDev18
Target Countries / Source Countries / Total IOCs: None
History Timeline

  • Wed, 01 Feb 2023 10:35:29 GMT
    New Report Added

    BPFDoor — an active Chinese global surveillance tool report added.

  • Wed, 01 Feb 2023 10:16:53 GMT
    New Report Added

    Cyber Threats 2021: A Year in Retrospect report added.

  • Wed, 01 Feb 2023 08:53:55 GMT
    New IOCs Added

    43 IOCs added in total.

  • Wed, 01 Feb 2023 08:46:01 GMT
    New APT Groups Added

    New APT Groups added.

  • Tue, 31 Jan 2023 15:16:02 GMT
    Created!

    New Campaign created.

  • Sun, 08 May 2022 00:00:00 GMT
    BPFDoor Source Code

    Florian Roth found BPFDoor controller source code.

  • Sat, 07 May 2022 00:00:00 GMT
    Target

    Targeting of telecommunications providers across the United States, Asia, and the Middle East.

  • Fri, 01 Jan 2021 00:00:00 GMT
    BPFDoor & Red Menshen

    Throughout 2021, researchers monitored and responded to various breaches attributed to a China-based adversary referred to as "Red Menshen".