
Bifrose (Backdoor) – Malware

March 5, 2024
in Malware, Types of Malware

Bifrose

Additional Names

Backdoor-CKA, Agent.MJ, Kivars

Type of Malware

Backdoor

Country of Origin

Unknown

Date of initial activity

2000

Associated Groups

BlackTech (aka Circuit Panda, HUAPI, Manga Taurus, Palmerworm, PLEAD, Red Djinn, and Temp.Overboard)

Motivation

Transfers files to and from an infected system, deletes files, terminates processes, and steals sensitive information from the infected system. It can also read and modify registry data, log and retrieve keystrokes, create a remote shell, issue any command the infected user's shell can run, and routinely capture and retrieve images of the affected user's screen.

Attack vectors

  • Downloaded from the Internet
  • Via social networking sites
  • Downloaded by other malware/grayware/spyware
  • Dropped by other malware
  • Email attachments, pirated software, and exploit kits

Targeted systems

Windows

Variants

Backdoor:Win32/Bifrose, Win32/Bifrose, Backdoor:Win32/Bifrose.EX (Microsoft); BackDoor-CEP.svr (McAfee); Trojan Horse (Symantec); Trojan.Win32.Agent.bcn, Backdoor.Win32.Bifrose.aci (Kaspersky); Win32.Sality.ek (v) (Sunbelt); Backdoor.Bifrost.IS (F-Secure); Win32/Kryptik.AAHE (ESET); Backdoor.Win32.Bifrose (Ikarus); Mal/Behav-043 (Sophos); Mal_OtorunN (Trend Micro); TR/Strictor.500.1 (Avira); Worm/Win32.AutoRun (AhnLab)

Overview

First identified in the early 2000s. A hacking group (likely BlackTech) is believed to have purchased the source code, or otherwise gained access to it, around 2010 and to have enhanced the malware for use in its own campaigns. It was mainly active on Windows 95 through Windows 10; since Microsoft began adding stronger security features to the operating system, Bifrose has been less dangerous.

Bifrose can be used to build a network of compromised computers for large-scale DDoS attacks. BIFROSE variants are backdoors that typically arrive on systems either downloaded by unsuspecting users visiting malicious sites or downloaded by other malware/spyware from remote sites. They may also be dropped by other malware. Some BIFROSE variants have rootkit capabilities, enabling them to hide processes and files from the user. As backdoors, BIFROSE variants connect to various URLs or remote IPs to send and receive information from a malicious user, who thereby gains control over the affected system and is able to execute files, capture the screen, log keystrokes, view system information, view processes, and retrieve user names and passwords. In 2010, BIFROSE variants were spotted as the final payload of spam campaigns, with users inadvertently downloading them through malicious links in the spammed emails.

Targets

Organizations and regular users.

Tools/ Techniques Used

The Bifrose trojan family is highly configurable. Thus, the locations of their installed files on an infected computer and the TCP ports they use to connect may vary. They allow an attacker to perform any of the following actions on the affected machine:
  • Manage running processes
  • Manipulate files or registry data
  • Obtain installed program details
  • Log keystrokes
  • Screen capturing
  • System shutdown or reboot
  • Command shell
  • Find passwords
The program also has the following server options:
  • Can connect through SOCKS4 proxies
  • Can use a TOR plugin, useful for hiding its network activity
  • Persistent server option (if the file is deleted, it rewrites itself to disk and to the registry)
  • Can inject itself into user-defined processes
  • Can include a plugin pack for more functionality
  • Offline keylogger

Installation

The server is usually installed into one of the following folders:
  • %Program Files%
  • %System%
  • %Windir%

After installation, Bifrose tries to locate a running web browser and inject code into it. The injected code is the actual backdoor. The backdoor communicates with the server part using specially crafted HTTP queries. The server can instruct the backdoor to execute the following actions:
  • Basic file operations (copy, delete, rename, find, execute)
  • Download/upload files
  • Process operations (list, kill)
  • Registry operations (create/delete keys/values)
  • Create screenshots of the desktop

Backdoor:Win32/Bifrose.IQ

This backdoor trojan uses your computer, together with many other infected computers, to launch attacks against certain IT companies. These attacks are designed to cripple those companies' ability to operate and are known as distributed denial of service (DDoS) attacks. The trojan also attempts to download and run other files, which may be malware.

Payload

Performs distributed denial of service (DDoS) attacks: Backdoor:Win32/Bifrose.IQ attempts to use your computer to perform DDoS attacks against certain IT companies.

Downloads other files (which may be malware): when installed on your computer, Backdoor:Win32/Bifrose.IQ attempts to access and download files from secure-system-updates.net/<removed>/system/update.php. The URL is no longer available, so the nature of the downloaded files could not be confirmed.

Additional information

Backdoor:Win32/Bifrose.IQ creates the following mutexes, possibly as an infection marker to prevent multiple instances running on your computer:
  • 2CBE016A-8F28-4E0C-83A6-6079161294D7
  • Bif123
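Because these mutex names act as infection markers, a handle listing from a suspect host can be checked for them during triage. The following is an added example, not code from the original page: it parses a constructed handle listing (modelled on the `process pid: N` header and `Mutant` lines of Sysinternals `handle -a` output, which is an assumption about the format) and reports which processes hold a known Bifrose marker.

```python
"""Triage helper: flag Bifrose infection-marker mutexes in a handle listing."""
import re

# Mutex names listed above as Backdoor:Win32/Bifrose.IQ infection markers.
BIFROSE_MUTEXES = {
    "2CBE016A-8F28-4E0C-83A6-6079161294D7",
    "Bif123",
}

# Constructed sample input, modelled on `handle -a` output: a process header
# line followed by that process's handles. Not captured from a real host.
SAMPLE_HANDLE_LISTING = """\
------------------------------------------------------------------------------
explorer.exe pid: 1234 DESKTOP\\user
   1C8: Mutant         \\Sessions\\1\\BaseNamedObjects\\Bif123
   1D0: File           C:\\Windows\\System32\\ntdll.dll
------------------------------------------------------------------------------
svchost.exe pid: 892 NT AUTHORITY\\SYSTEM
   2A4: Mutant         \\BaseNamedObjects\\2CBE016A-8F28-4E0C-83A6-6079161294D7
------------------------------------------------------------------------------
notepad.exe pid: 4321 DESKTOP\\user
   0F0: Mutant         \\Sessions\\1\\BaseNamedObjects\\SomeBenignMutex
"""

PID_RE = re.compile(r"^(\S+) pid: (\d+)")
MUTANT_RE = re.compile(r"^\s*[0-9A-Fa-f]+: Mutant\s+(\S+)")


def find_bifrose_mutexes(listing):
    """Return (process, pid, mutex) triples whose mutex leaf name is a known marker."""
    hits = []
    proc, pid = None, None
    for line in listing.splitlines():
        header = PID_RE.match(line)
        if header:
            proc, pid = header.group(1), int(header.group(2))
            continue
        mutant = MUTANT_RE.match(line)
        if mutant and proc is not None:
            # Names are qualified with their object directory; compare the leaf only.
            name = mutant.group(1).rsplit("\\", 1)[-1]
            if name in BIFROSE_MUTEXES:
                hits.append((proc, pid, name))
    return hits


if __name__ == "__main__":
    for proc, pid, name in find_bifrose_mutexes(SAMPLE_HANDLE_LISTING):
        print(f"{proc} (pid {pid}) holds Bifrose marker mutex {name}")
```

A hit is a triage lead, not proof of infection: any process can create a mutex with these names, so confirm with the process's image path and network activity.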

Impact / Significant Attacks

Shrouded Crossbow

This campaign, first observed in 2010, is believed to be operated by a well-funded group, given that it appears to have purchased the source code of the BIFROST backdoor, which the operators enhanced and used to create other tools. Shrouded Crossbow targeted privatized agencies and government contractors as well as enterprises in the consumer electronics, computer, healthcare, and financial industries.

Shrouded Crossbow employs three BIFROST-derived backdoors: BIFROSE, KIVARS, and XBOW. Like PLEAD, Shrouded Crossbow uses spear-phishing emails with backdoor-laden attachments that rely on the RTLO technique and are accompanied by decoy documents.

BIFROSE, known for evading detection by communicating with its C&C servers over the Tor protocol, also has a version targeting UNIX-based operating systems, which are commonly used on servers, workstations, and mobile devices. KIVARS has less functionality than BIFROSE, but its modular structure makes it easier to maintain. KIVARS enables attackers to download and execute files, list drives, uninstall the malware service, take screenshots, activate/deactivate the keylogger, show/hide active windows, and trigger mouse clicks and keyboard input. Shrouded Crossbow gets its name from its unique mutex format.

“Here you have” spam campaign

One of the past incidents in which Trend Micro saw BIFROSE used was the "Here you have" spam campaign of 2010. The attack targeted human resources (HR) personnel of government bodies such as the African Union and NATO.

The BIFROSE variant used against the device manufacturer (detected as BKDR_BIFROSE.ZTBG-A, with the hash 5e2844b20715d0806bfa28bd0ebcba6cbb637ea1) is able to perform the following information-stealing routines:
  • Download a file
  • Upload a file
  • Get file details (file size, last modified time)
  • Create a folder
  • Delete a folder
  • Open a file using ShellExecute
  • Execute a command line
  • Rename a file
  • Enumerate all windows and their process IDs
  • Close a window
  • Move a window to the foreground
  • Hide a window
  • Send keystrokes to a window
  • Send mouse events to a window
  • Terminate a process
  • Get display resolution
  • Upload contents of %Windows%\winieupdates\klog.dat
  • Capture screenshot or webcam image
