Bifrose | |
Additional Names | Backdoor-CKA, Agent.MJ, Kivars |
Type of Malware | Backdoor |
Country of Origin | Unknown |
Date of initial activity | 2000 |
Associated Groups | BlackTech (aka Circuit Panda, HUAPI, Manga Taurus, Palmerworm, PLEAD, Red Djinn, and Temp.Overboard) |
Motivation | Transfers files to and from an infected system, deletes files, terminates processes, and steals sensitive information from the host. It can also read and modify registry data, log and retrieve keystrokes, open a remote shell and run any command available to the infected user's shell, and periodically capture and retrieve screenshots of the user's desktop. |
Attack vectors | Downloaded from the Internet, via social networking sites, downloaded by other malware/grayware/spyware, or dropped by other malware. Bifrose is also distributed via email attachments, pirated software, and exploit kits. |
Targeted systems | Windows |
Variants | Backdoor:Win32/Bifrose, Backdoor:Win32/Bifrose.EX, Win32/Bifrose (Microsoft); BackDoor-CEP.svr (McAfee); Trojan Horse (Symantec); Trojan.Win32.Agent.bcn, Backdoor.Win32.Bifrose.aci (Kaspersky); Win32.Sality.ek (v) (Sunbelt); Backdoor.Bifrost.IS (F-Secure); Win32/Kryptik.AAHE (ESET); Backdoor.Win32.Bifrose (Ikarus); Mal/Behav-043 (Sophos); Mal_OtorunN (Trend Micro); TR/Strictor.500.1 (Avira); Worm/Win32.AutoRun (AhnLab) |
Overview
Bifrose was first identified in the early 2000s. A threat group, most likely BlackTech, is believed to have purchased or otherwise obtained its source code around 2010 and enhanced the malware for use in its own campaigns. It was mainly active on Windows 95 through Windows 10; as Microsoft added stronger security features to the operating system, Bifrose became less dangerous.
Bifrose can be used to build a network of compromised computers for large-scale DDoS attacks. BIFROSE variants are backdoors that typically arrive on a system when an unsuspecting user downloads them from a malicious site, or when other malware or spyware fetches them from a remote site. They may also be dropped by other malware.
Some BIFROSE variants have rootkit capabilities, enabling them to hide their processes and files from the user.
As backdoors, BIFROSE variants connect to various URLs or remote IPs to send information to and receive commands from the attacker. This gives the remote operator control over the affected system: executing files, capturing the screen, logging keystrokes, viewing system information and running processes, and retrieving user names and passwords.
In 2010, BIFROSE variants were seen as the final payload of spam campaigns, with users inadvertently downloading them through malicious links in the spammed emails.
Targets
Organizations and regular users.
Tools/ Techniques Used
- Manage running processes
- Manipulate files or registry data
- Obtain installed program details
- Log keystrokes
- Screen capturing
- System shutdown or reboot
- Command shell
- Find passwords
The server component (the implant built by the Bifrost kit) also offers the following options:
- Can connect through SOCKS4 proxies
- Can use a Tor plugin to hide its network activity
- Persistent server option (if the file is deleted, it rewrites itself to disk and the registry)
- Can inject itself into user-defined processes
- Can load a plugin pack for additional functionality
- Offline keylogger
Installation
The server is usually installed into one of the following folders:
- %Program Files%
- %System%
- %Windir%
After installation, Bifrose locates a running web browser and injects code into it; the injected code is the actual backdoor. The backdoor then communicates with its controller using specially crafted HTTP requests. The controller can instruct the backdoor to perform the following actions:
- Basic file operations (copy, delete, rename, find, execute)
- Download/upload files
- Process operations (list, kill)
- Registry operations (create/delete keys/values)
- Create screenshots of the desktop
Backdoor:Win32/Bifrose.IQ
This backdoor trojan uses your computer together with many other infected computers to launch attacks against certain IT companies. These attacks, known as distributed denial of service (DDoS) attacks, are designed to cripple the targets' ability to operate. The trojan also attempts to download and run other files, which may be malware.
Payload
Performs distributed denial of service (DDoS) attacks
Backdoor:Win32/Bifrose.IQ attempts to use your computer to perform distributed denial of service (DDoS) attacks against certain IT companies.
Downloads other files (which may be malware)
When installed on your computer, Backdoor:Win32/Bifrose.IQ attempts to access and download files from secure-system-updates.net/<removed>/system/update.php. The URL is no longer available, so we are unable to confirm the nature of the downloaded files.
Additional information
Backdoor:Win32/Bifrose.IQ creates the following mutexes, possibly as an infection marker to prevent multiple instances running on your computer:
- 2CBE016A-8F28-4E0C-83A6-6079161294D7
- Bif123
Impact / Significant Attacks
Shrouded Crossbow
This campaign, first observed in 2010, is believed to be operated by a well-funded group, given that it appears to have purchased the source code of the BIFROST backdoor, which the operators enhanced and used as the basis for other tools. Shrouded Crossbow targeted privatized agencies and government contractors as well as enterprises in the consumer electronics, computer, healthcare, and financial industries.
Shrouded Crossbow employs three BIFROST-derived backdoors: BIFROSE, KIVARS, and XBOW. Like PLEAD, Shrouded Crossbow uses spear-phishing emails whose backdoor-laden attachments use the right-to-left override (RTLO) filename technique and are accompanied by decoy documents.
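The RTLO attachment trick mentioned above relies on the Unicode right-to-left override character (U+202E): everything after it is drawn reversed, so a stored name such as `resume<U+202E>cod.exe` is displayed as `resumeexe.doc` while the OS still dispatches on the real `.exe` suffix. The following mail-gateway style check is an added example written for this page, not Trend Micro's or the campaign operators' code; the attachment names it scans are constructed for illustration.

```python
"""Spot right-to-left override (RTLO) filename spoofing in attachment names.

Added example for this page, not code from Trend Micro or from the Shrouded
Crossbow operators. Sample attachment names are constructed for illustration.
"""
import unicodedata

# Unicode bidi control classes; any of them inside a filename is a red flag,
# U+202E (RLO) being the one classically abused for extension spoofing.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
RLO = "\u202e"


def bidi_controls(name: str) -> list[str]:
    """Bidi control classes present in `name`, in order of appearance."""
    return [unicodedata.bidirectional(ch) for ch in name
            if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES]


def strip_bidi(name: str) -> str:
    """The name as the file system stores it, minus the invisible controls."""
    return "".join(ch for ch in name
                   if unicodedata.bidirectional(ch) not in BIDI_CONTROL_CLASSES)


def displayed_name(name: str) -> str:
    """Approximate what a left-to-right file dialog or mail client renders.

    Only the RLO case is modelled: text after U+202E is drawn right to left,
    so 'resume\\u202ecod.exe' is shown as 'resumeexe.doc'.
    """
    if RLO not in name:
        return strip_bidi(name)
    head, _, tail = name.partition(RLO)
    return strip_bidi(head) + strip_bidi(tail)[::-1]


def real_extension(name: str) -> str:
    """Extension the OS dispatches on: the last dotted suffix of the stored name."""
    clean = strip_bidi(name)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def check_attachment(name: str) -> dict:
    """Triage one attachment name; 'suspicious' is True if any bidi control is present."""
    controls = bidi_controls(name)
    return {
        "stored_name": name.encode("unicode_escape").decode("ascii"),
        "bidi_controls": controls,
        "displayed_as": displayed_name(name),
        "real_extension": real_extension(name),
        "suspicious": bool(controls),
    }


def suspicious_attachments(names) -> list[dict]:
    """Filter a batch of attachment names down to the ones carrying bidi controls."""
    return [r for r in map(check_attachment, names) if r["suspicious"]]


# Constructed sample names (not taken from the campaign).
SAMPLES = [
    "quarterly_report.doc",
    "resume\u202ecod.exe",      # rendered 'resumeexe.doc', executes as .exe
    "photo_2010\u202egpj.scr",  # rendered 'photo_2010rcs.jpg', a screensaver binary
]

if __name__ == "__main__":
    for r in suspicious_attachments(SAMPLES):
        print(f"{r['stored_name']}: shown as {r['displayed_as']!r}, "
              f"really .{r['real_extension']} ({', '.join(r['bidi_controls'])})")
```

Rejecting or quarantining any attachment whose name contains a bidi control class is the simple rule; `displayed_name()` is there so an analyst can see what the recipient would have been shown, and `real_extension()` gives the value the OS actually uses for file association.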
BIFROSE, known for evading detection by communicating with its C&C servers over Tor, also has a version targeting UNIX-based operating systems, which are commonly used on servers, workstations, and mobile devices. KIVARS has less functionality than BIFROSE, but its modular structure makes it easier to maintain. KIVARS lets attackers download and execute files, list drives, uninstall the malware service, take screenshots, activate or deactivate the keylogger, show or hide active windows, and trigger mouse clicks and keyboard input. Shrouded Crossbow takes its name from its unique mutex format.
“Here you have” spam campaign
One past incident in which Trend Micro saw BIFROSE used was the "Here you have" spam campaign of 2010. The attack targeted human resources (HR) personnel of government organizations such as the African Union and NATO.
The BIFROSE variant used in a separate targeted attack against a device manufacturer (detected as BKDR_BIFROSE.ZTBG-A, SHA-1 5e2844b20715d0806bfa28bd0ebcba6cbb637ea1) supports the following information-stealing and remote-control routines:
- Download a file
- Upload a file
- Get file details (file size, last modified time)
- Create a folder
- Delete a folder
- Open a file using ShellExecute
- Execute a command line
- Rename a file
- Enumerate all windows and their process IDs
- Close a window
- Move a window to the foreground
- Hide a window
- Send keystrokes to a window
- Send mouse events to a window
- Terminate a process
- Get display resolution
- Upload contents of %Windows%\winieupdates\klog.dat
- Capture screenshot or webcam image
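The page gives three host-level indicators a responder can check directly: the Backdoor:Win32/Bifrose.IQ mutex names (under "Additional information" above), the keylog drop file %Windows%\winieupdates\klog.dat, and the SHA-1 of the BKDR_BIFROSE.ZTBG-A sample. The script below is an added triage example written for this page, not Microsoft's or Trend Micro's tooling. The mutex check uses the Win32 `OpenMutexW` call and therefore only runs on Windows; the file checks are cross-platform so they can be run against a mounted disk image. `demo()` builds a constructed directory tree with a constructed stand-in hash (the real sample is not on the page), so the file logic can be exercised without a real infection.

```python
"""Host triage for the Bifrose indicators this page lists.

Added example, not Microsoft's or Trend Micro's tooling. It checks:
  * the two Backdoor:Win32/Bifrose.IQ mutex names (Windows only, via OpenMutexW);
  * the keylog file %Windows%\\winieupdates\\klog.dat;
  * the SHA-1 5e2844b20715d0806bfa28bd0ebcba6cbb637ea1 of the BKDR_BIFROSE.ZTBG-A
    sample, by hashing every file under a scan root.
demo() builds a constructed tree with a constructed stand-in hash for testing.
"""
import ctypes
import hashlib
import os
import sys
import tempfile
from pathlib import Path

MUTEXES = ["2CBE016A-8F28-4E0C-83A6-6079161294D7", "Bif123"]
KNOWN_SHA1 = {"5e2844b20715d0806bfa28bd0ebcba6cbb637ea1": "BKDR_BIFROSE.ZTBG-A"}
KEYLOG_RELPATH = Path("winieupdates") / "klog.dat"   # relative to %Windows%

SYNCHRONIZE = 0x00100000      # minimal access right for opening an existing mutex
ERROR_ACCESS_DENIED = 5       # the object exists but this token may not open it


def mutex_present(name: str):
    """True/False on Windows; None elsewhere, where there is no Win32 object namespace."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    k32.OpenMutexW.restype = ctypes.c_void_p
    handle = k32.OpenMutexW(SYNCHRONIZE, 0, name)
    if handle:
        k32.CloseHandle(ctypes.c_void_p(handle))
        return True
    # Access denied still proves the mutex exists (held by another session/user).
    return ctypes.get_last_error() == ERROR_ACCESS_DENIED


def sha1_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream-hash a file so large binaries do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, known_hashes=None, keylog_relpath=KEYLOG_RELPATH) -> list[dict]:
    """Report the klog.dat drop file and any file whose SHA-1 is in known_hashes."""
    known_hashes = KNOWN_SHA1 if known_hashes is None else known_hashes
    root = Path(root)
    hits = []
    klog = root / keylog_relpath
    if klog.is_file():
        hits.append({"type": "keylog_file", "path": str(klog), "size": klog.stat().st_size})
    for p in root.rglob("*"):
        try:
            if not p.is_file():
                continue
            digest = sha1_of(p)
        except OSError:       # unreadable or vanished file; keep scanning
            continue
        if digest in known_hashes:
            hits.append({"type": "known_hash", "path": str(p), "sha1": digest,
                         "detection": known_hashes[digest]})
    return hits


def triage_live_host() -> dict:
    """Run every check on this machine: mutexes, then %WINDIR% and %ProgramFiles%
    (the page's install folders; %System% lies under %WINDIR%) for file indicators."""
    roots = [os.environ.get("WINDIR", r"C:\Windows"),
             os.environ.get("ProgramFiles", r"C:\Program Files")]
    hits = [h for r in roots if os.path.isdir(r) for h in scan_tree(r)]
    return {"mutexes": {m: mutex_present(m) for m in MUTEXES}, "file_hits": hits}


def demo() -> list[dict]:
    """Scan a constructed tree (labelled as such) and return the hits."""
    root = Path(tempfile.mkdtemp(prefix="bifrose-demo-"))
    (root / "winieupdates").mkdir()
    (root / "winieupdates" / "klog.dat").write_bytes(b"constructed keystroke log")
    (root / "bifrose_sample.exe").write_bytes(b"constructed stand-in for the sample")
    (root / "readme.txt").write_bytes(b"benign")
    # The real sample is not on the page, so a constructed hash is matched alongside it.
    known = dict(KNOWN_SHA1)
    known[hashlib.sha1(b"constructed stand-in for the sample").hexdigest()] = "CONSTRUCTED-TEST"
    return scan_tree(root, known_hashes=known)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
    for m in MUTEXES:
        print(m, mutex_present(m))
```

On a live Windows host run `triage_live_host()`; hashing all of %WINDIR% takes minutes, so on a fleet it is better to restrict `scan_tree()` to the install folders the page names and to pair it with the mutex check, which is instantaneous. A present mutex is only an infection marker for the .IQ variant, so a negative result says nothing about other Bifrose builds.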
References
- Bifrose
- BIFROSE
- Backdoor:W32/Bifrose
- BIFROSE Now More Evasive Through Tor, Used for Targeted Attack
- The Trail of BlackTech’s Cyber Espionage Campaigns
- The Malicious Intent of the “Here You Have” Mail Worm, Part 2
- Backdoor:Win32/Bifrose.IQ
- Backdoor:Win32/Bifrose