| Bifrost | |
|---|---|
| Additional Names | elf.bifrose |
| Type of Malware | RAT |
| Country of Origin | Unknown |
| Date of initial activity | 2004 |
| Associated Groups | BlackTech (aka Circuit Panda, HUAPI, Manga Taurus, Palmerworm, PLEAD, Red Djinn, and Temp.Overboard) |
| Motivation | Gather sensitive information, like hostname and IP address |
| Attack vectors | Attackers typically distribute Bifrost through email attachments or malicious websites |
| Targeted systems | Linux |
Overview
Bifrost (also known as Bifrose) was first identified in the early 2000s as a RAT that targeted the Windows platform only; the variant profiled here is a Linux port. It is believed that a hacking group (likely BlackTech) purchased the source code, or otherwise gained access to it, around 2010 and enhanced the malware for use in its own campaigns. Researchers from Palo Alto Networks’ Unit 42 noticed a recent surge in Bifrost’s activity, prompting an investigation that uncovered an updated and more covert variant.
Bifrost collects the victim’s hostname, IP address, and process IDs, encrypts this data with RC4, and exfiltrates it to the C2 server over a newly created TCP socket. The new Linux variant of the Bifrost remote access trojan (RAT) employs several novel evasion techniques, including the use of a deceptive domain made to appear as part of VMware’s infrastructure.
Targets
Regular users and organizations.
Tools / Techniques Used
Obfuscation Techniques: The attackers have stripped the malware binary of its debugging information and symbol tables, much like removing the blueprints that security researchers would normally use to analyze the malware’s structure and logic. This deliberate obfuscation makes reverse engineering and tracing the malware’s origins more challenging.
Information Gathering: Once Bifrost infects a system, it embarks on a reconnaissance mission. It stealthily gathers sensitive details such as the machine’s hostname and IP address. This initial data harvesting enables attackers to customize their attack techniques for maximum impact.
Encryption in Transit: To further protect its operations, Bifrost encrypts the stolen data before sending it back to its C2 server. It employs the RC4 encryption algorithm, which acts like a digital lockbox, shielding the contents from prying eyes during transmission. This makes it much more difficult for defenders to monitor the network and decipher the stolen information. Because RC4 is a symmetric cipher, the key must be embedded in or derived by the sample itself, so an analyst who recovers it from the binary can decrypt captured beacon traffic.
Targeting ARM Systems: A particularly concerning aspect of this Bifrost variant is the inclusion of an ARM-based version. ARM architecture is dominant in mobile devices, embedded systems, and the burgeoning world of IoT. This development indicates that attackers are expanding the malware’s potential attack surface, seeking to exploit the wide range of devices that sometimes lack the same robust security as traditional laptops and desktops.
The latest version of Bifrost reaches out to a command and control (C2) domain with a deceptive name, download.vmfare[.]com, which appears similar to a legitimate VMware domain. This is a practice known as typosquatting. By leveraging this deceptive domain, the threat actors behind Bifrost aim to bypass security measures, evade detection, and ultimately compromise targeted systems.
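One way a defender can hunt for the kind of typosquatted C2 domain described above, added here as an example that is not part of this profile or of Unit 42’s research: a small Python script that scans DNS query logs for registered domains within a short edit distance of a watchlist of legitimate brands. The log lines, the BIND-style log format and the watchlist entries other than vmware.com are constructed for illustration.

```python
import re
from typing import List, Tuple

# Legitimate domains the organisation expects to see. vmware.com is the brand
# the Bifrost C2 domain imitates; the other entries are assumed for illustration.
WATCHLIST = ["vmware.com", "microsoft.com", "ubuntu.com"]

# Constructed DNS query log lines (BIND-style query log), not real telemetry.
SAMPLE_LOG = """\
client 10.0.0.5#51234: query: download.vmfare.com IN A + (10.0.0.2)
client 10.0.0.5#51235: query: packages.ubuntu.com IN A + (10.0.0.2)
client 10.0.0.7#40001: query: www.vmware.com IN A + (10.0.0.2)
client 10.0.0.9#40002: query: login.micros0ft.com IN A + (10.0.0.2)
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels); a real deployment should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_lookalikes(log: str, watchlist=WATCHLIST, max_distance: int = 2) -> List[Tuple[str, str, str]]:
    """Return (source_ip, queried_name, imitated_domain) for every query whose
    registered domain is close to, but not equal to, a watchlist entry.
    A small max_distance keeps false positives down on short brand names."""
    hits = []
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        reg = registered_domain(m["qname"])
        for legit in watchlist:
            if reg != legit and levenshtein(reg, legit) <= max_distance:
                hits.append((m["src"], m["qname"], legit))
                break
    return hits
```

Running `find_lookalikes(SAMPLE_LOG)` flags the vmfare.com and micros0ft.com queries while leaving the genuine vmware.com and ubuntu.com lookups alone.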
Impact / Significant Attacks
While there isn’t a single “significant” attack attributed solely to Bifrost, it has been implicated in various cyber incidents over the years. Since Bifrost is a Remote Access Trojan (RAT), it’s often used as part of broader cybercrime campaigns rather than being the sole focus of attention.
References
- The Art of Domain Deception: Bifrost’s New Tactic to Deceive Users
- Bifrost Malware: Linux Beware! New Variant Leverages Deceptive Domain for Evasion