BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e)

BPFDoor is a Linux based passive long-term backdoor used by China-based threat actors. First seen in 2021, BPFDoor is named after its usage of Berkley Packet Filter (BPF) to execute single task instructions. BPFDoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP and can start local or reverse shells that bypass firewalls using iptables.(Citation: Sandfly BPFDoor 2022)(Citation: Deep Instinct BPFDoor 2023)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520)	Attack Pattern	BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e)	Malware	1
Break Process Trees - T1036.009 (34a80bc4-80f2-46e6-94ff-f3265a4b657c)	Attack Pattern	BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e)	Malware	1
BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e)	Malware	Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e)	Malware	1
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e)	Malware	1
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e)	Malware	1
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e)	Malware	1
BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e)	Malware	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	1
BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e)	Malware	Overwrite Process Arguments - T1036.011 (514dc7b3-0b80-4382-80a9-2e2d294f5019)	Attack Pattern	1
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e)	Malware	1
Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59)	Attack Pattern	BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e)	Malware	1
Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b)	Attack Pattern	BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e)	Malware	1
BPFDoor - S1161 (8d1f89fd-4dde-40ab-80e0-a7b80249162e)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	1
Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520)	Attack Pattern	Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	2
Break Process Trees - T1036.009 (34a80bc4-80f2-46e6-94ff-f3265a4b657c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	2
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	2
Overwrite Process Arguments - T1036.011 (514dc7b3-0b80-4382-80a9-2e2d294f5019)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59)	Attack Pattern	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2