Bifrose (Backdoor) – Malware

Overview

First identified in the early 2000’s, it is believed a hacking group (likely BlackTech), purchased the source code or gained access to it around 2010, and enhanced the malware for use in its own campaigns. It was mainly active in Windows 95 through Windows 10, although since Microsoft started to implement better security features in its operating system, Bifrose hasn’t been as dangerous.

Bifrose can be used to create a network of compromised computers used in large-scale DDoS attacks. BIFROSE malware are backdoors that often arrive on systems either downloaded by unsuspecting users when visiting malicious sites or downloaded by other malware/spyware from remote sites. They may also be dropped by other malware. Some BIFROSE variants have rootkit capabilities, enabling them to hide processes and files from the user. As backdoor malware, BIFROSE variants connect to various URLs or remote IPs to send and receive information from a malicious user. This allows a remote malicious user to gain control over affected system. Thus, a remote user is able to execute files, screen capture, keylog, view system information, view processes, and retrieve user names and passwords. In 2010, BIFROSE variants have been spotted as the final payload for threats such as spammed messages, with the user inadvertently downloading the said variants through malicious links in the spammed emails.  

Targets

Organizations and regular users.

Tools/ Techniques Used

• Manage running processes
• Manipulate files or registry data
• Obtain installed program details
• Log keystrokes
• Screen capturing
• System shutdown or reboot
• Command shell
• Find passwords

The program also has the following server options: Can connect through Socks 4 proxies. Able to user TOR plugin, useful for hiding the network activity Persistent server option (if the file is deleted, it will rewrite itself again to the disc and registry) Able to inject itself to user defined processes Can include plugins pack for more functionality Offline keylogger Installation The server is usually installed in to following folders: %Program Files% %System% %Windir% After the installation, Bifrose tries to locate a running web browser and inject code into it. The injected code is the actual backdoor. The backdoor starts to communicate with the server part using specially crafted HTTP queries. The server can instruct the backdoor to execute the following actions: Basic file operations (copy, delete, rename, find, execute) Download/upload files Process operations (list, kill) Registry operations (create/delete keys/values) Create screenshots of the desktop

Backdoor:Win32/Bifrose.IQ

This backdoor trojan uses your computer in conjunction with many other infected computers to launch attacks against certain IT companies. These attacks are designed to cripple those companies’ abilities to run properly, and are known as distributed denial of service (DDoS) attacks. The trojan also attempts to download and run other files, which may be malware. Payload Performs distributed denial of service (DDoS) attacks Backdoor:Win32/Bifrose.IQ attempts to use your computer to perform distributed denial of service (DDoS) attacks against certain IT companies. Downloads other files (which may be malware) When installed on your computer, Backdoor:Win32/Bifrose.IQ attempts to access and download files from secure-system-updates.net/<removed>/system/update.php. The URL is no longer available, so we are unable to confirm the nature of the downloaded files. Additional information Backdoor:Win32/Bifrose.IQ creates the following mutexes, possibly as an infection marker to prevent multiple instances running on your computer:

• 2CBE016A-8F28-4E0C-83A6-6079161294D7
• Bif123

Impact / Significant Attacks

Shrouded Crossbow

This campaign, first observed in 2010, is believed to be operated by a well-funded group given how it appeared to have purchased the source code of the BIFROST backdoor, which the operators enhanced and created other tools from. Shrouded Crossbow targeted privatized agencies and government contractors as well as enterprises in the consumer electronics, computer, healthcare, and financial industries.

Shrouded Crossbow employs three BIFROST-derived backdoors: BIFROSE, KIVARS, and XBOW. Like PLEAD, Shrouded Crossbow uses spear-phishing emails with backdoor-laden attachments that utilize the RTLO technique and accompanied by decoy documents.

BIFROSE, known for evading detection by communicating with its C&C servers via Tor protocol, also has a version targeting UNIX-based operating systems, which are usually used in servers, workstations, and mobile devices. KIVARS has less functionality than BIFROSE, but its modular structure made it easier to maintain. KIVARS enabled attackers to download and execute files, list drives, uninstall malware service, take screenshots, activate/deactivate keylogger, show/hide active windows, and trigger mouse clicks and keyboard inputs. Shrouded Crossbow gets its name from its unique mutex format.

“Here you have” spam campaign

One of the past incidents Trend Micro saw use BIFROSE was the “Here you have” spam campaign from 2010. The attack targeted human resource (HR) personnel of government offices such as the African Union and the NATO.

The BIFROSE variant (detected as BKDR_BIFROSE.ZTBG-A and has the hash 5e2844b20715d0806bfa28bd0ebcba6cbb637ea1) used against the device manufacturer is able to do the following information stealing routines:

• Download a file
• Upload a file
• Get file details (file size, last modified time)
• Create a folder
• Delete a folder
• Open a file using ShellExecute
• Execute a command line
• Rename a file
• Enumerate all windows and their process IDs
• Close a window
• Move a window to the foreground
• Hide a window
• Send keystrokes to a window
• Send mouse events to a window
• Terminate a process
• Get display resolution
• Upload contents of %Windows%\winieupdates\klog.dat
• Capture screenshot or webcam image

References

• Bifrose
• BIFROSE
• Backdoor:W32/Bifrose
• BIFROSE Now More Evasive Through Tor, Used for Targeted Attack
• The Trail of BlackTech’s Cyber Espionage Campaigns
• The Malicious Intent of the “Here You Have” Mail Worm, Part 2
• Backdoor:Win32/Bifrose.IQ
• Backdoor:Win32/Bifrose