The emergence of a new variant of the Bifrost remote access trojan (RAT) targeting Linux systems has been identified by researchers from Palo Alto Networks’ Unit 42. This variant employs innovative evasion techniques, notably utilizing a deceptive domain that mimics a legitimate VMware domain, thereby enhancing its ability to evade detection during inspection. This development underscores the adaptability of malware creators, as Bifrost, a threat first identified two decades ago, continues to evolve to infiltrate and compromise systems.
Unit 42’s investigation into the recent surge in Bifrost activity revealed significant updates to the malware’s functionality and evasion capabilities. One notable aspect is the use of a deceptive domain, “download.vmfare[.]com,” which closely resembles a legitimate VMware domain. This tactic aims to deceive security measures and increase the likelihood of successful infiltration. Furthermore, the binary is compiled without debugging information, hindering analysis efforts and complicating detection by security tools.
In addition to the deceptive domain tactic, Bifrost’s data exfiltration methods have also evolved. The malware collects sensitive information such as hostname, IP address, and process IDs from infected systems, encrypts it using RC4 encryption, and transmits it to the command and control server via a newly created TCP socket. This demonstrates the malware’s sophistication in covertly extracting valuable data from compromised systems while maintaining operational security.
