Bifrost (RAT) – Malware

March 5, 2024
in Malware, Types of Malware

Bifrost

Additional Names

elf.bifrose

Type of Malware

RAT

Country of Origin

Unknown

Date of initial activity

2004

Associated Groups

BlackTech (aka Circuit Panda, HUAPI, Manga Taurus, Palmerworm, PLEAD, Red Djinn, and Temp.Overboard)

Motivation

Gather sensitive information, like hostname and IP address

Attack vectors

Attackers typically distribute Bifrost through email attachments or malicious websites

Targeted systems

Linux

Overview

Bifrost was first identified in the early 2000s. A hacking group (likely BlackTech) is believed to have purchased its source code, or otherwise gained access to it, around 2010 and enhanced the malware for use in its own campaigns. This profile covers the Linux version of the Bifrose malware, which originally targeted the Windows platform only. Researchers from Palo Alto Networks’ Unit 42 noticed a recent surge in Bifrost’s activity, prompting an investigation that uncovered an updated and more covert variant.

Bifrost collects the victim’s hostname, IP address, and process IDs, encrypts that data with RC4 before transmission, and exfiltrates it to the C2 server over a newly created TCP socket. The new Linux variant of the Bifrost remote access trojan (RAT) employs several novel evasion techniques, including the use of a deceptive domain made to appear as though it belongs to VMware.

Targets

Regular users and organizations.

Tools / Techniques Used

Obfuscation Techniques: The attackers have stripped the malware binary of its debugging information and symbol tables. Think of this as removing the blueprints that security researchers would normally use to analyze the malware’s structure and logic. This deliberate obfuscation makes reverse engineering and tracing the malware’s origins more challenging.

Information Gathering: Once Bifrost infects a system, it embarks on a reconnaissance mission. It stealthily gathers sensitive details such as the machine’s hostname and IP address. This initial data harvesting enables attackers to customize their attack techniques for maximum impact.

Encryption in Transit: To further protect its operations, Bifrost encrypts the stolen data before sending it back to its C2 server. It employs the RC4 encryption algorithm, which acts like a digital lockbox, shielding the contents from prying eyes during transmission. This makes it much more difficult for defenders to monitor the network and decipher the stolen information.
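The following is an added example, not code from the page or from Unit 42, showing the analyst side of the "encryption in transit" point: a standard RC4 implementation and a decoder for a captured beacon once the key has been recovered from the sample. The record layout (hostname|ip|pids), the key and the captured bytes are all constructed for the demo.

```python
from typing import Iterator

def rc4_keystream(key: bytes) -> Iterator[int]:
    """Standard RC4: key-scheduling (KSA), then the PRGA byte generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: XOR with the keystream both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

def build_beacon(key: bytes, hostname: str, ip: str, pids: list) -> bytes:
    """Constructed record 'hostname|ip|pid,pid,...' modelling the data the page
    says Bifrost collects; the exact wire layout is an assumption, not Bifrost's."""
    record = f"{hostname}|{ip}|{','.join(str(p) for p in pids)}".encode()
    return rc4(key, record)

def decode_beacon(key: bytes, blob: bytes) -> dict:
    """Analyst side: recover the fields from a captured beacon once the key is known."""
    hostname, ip, pids = rc4(key, blob).decode().split("|")
    return {"hostname": hostname, "ip": ip,
            "pids": [int(p) for p in pids.split(",") if p]}

# Constructed demo key and a 'captured' beacon; a real key would come from the sample.
DEMO_KEY = b"constructed-demo-key"
CAPTURED = build_beacon(DEMO_KEY, "build-srv01", "10.20.30.40", [412, 987])
```

Because RC4 has no integrity protection and reuses its keystream for a fixed key, a recovered key decodes every beacon sent with it, which is why the key is the first thing to pull out of a sample.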

Targeting ARM Systems: A particularly concerning aspect of this Bifrost variant is the inclusion of an ARM-based version. ARM architecture is dominant in mobile devices, embedded systems, and the burgeoning world of IoT. This development indicates that attackers are expanding the malware’s potential attack surface, seeking to exploit the wide range of devices that sometimes lack the same robust security as traditional laptops and desktops.

The latest version of Bifrost reaches out to a command and control (C2) domain with a deceptive name, download.vmfare[.]com, which appears similar to a legitimate VMware domain. This is a practice known as typosquatting. By leveraging this deceptive domain, the threat actors behind Bifrost aim to bypass security measures, evade detection, and ultimately compromise targeted systems.
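As an added defensive example (not from the page or Unit 42), the detection below flags DNS queries for look-alike domains of brands an organisation trusts, which would catch the download.vmfare[.]com domain described above. The trusted-domain list and the log line format are assumptions constructed for the demo; it generalises to any one-edit or adjacent-swap typosquat, not just the VMware case.

```python
import re
from typing import Optional

TRUSTED_DOMAINS = ["vmware.com", "microsoft.com"]  # assumption: the org's own list

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert/delete/substitute/adjacent-swap cost 1 each."""
    d = [[max(i, j) if min(i, j) == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]

def registered_domain(fqdn: str) -> str:
    """Last two labels: fine for .com-style names (not a full public-suffix lookup)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def lookalike_of(fqdn: str, max_distance: int = 1) -> Optional[str]:
    """Return the trusted domain this name imitates, or None. Real subdomains of a
    trusted domain are never flagged; vmfare.com is one edit from vmware.com and is."""
    reg = registered_domain(fqdn)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(reg, trusted) <= max_distance:
            return trusted
    return None

# Constructed log format: "<timestamp> <client-ip> query[A] <name>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query\[A\] (?P<name>\S+)$")
def scan_dns_log(lines) -> list:
    """Return (client, queried name, imitated brand) for every look-alike query."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        brand = lookalike_of(m["name"]) if m else None
        if brand:
            hits.append((m["client"], m["name"], brand))
    return hits
SAMPLE_LOG = """\
2024-03-05T10:00:01Z 10.0.0.12 query[A] download.vmware.com
2024-03-05T10:00:07Z 10.0.0.31 query[A] download.vmfare.com
2024-03-05T10:00:09Z 10.0.0.31 query[A] login.microsoft.com
2024-03-05T10:00:15Z 10.0.0.44 query[A] updates.microsfot.com
""".splitlines()
```

A hit on a name like download.vmfare.com is a strong pivot point: the querying client's outbound TCP connections to the resolved address are the next thing to examine.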

Impact / Significant Attacks

While there isn’t a single “significant” attack attributed solely to Bifrost, it has been implicated in various cyber incidents over the years. Since Bifrost is a Remote Access Trojan (RAT), it’s often used as part of broader cybercrime campaigns rather than being the sole focus of attention.

References

  • The Art of Domain Deception: Bifrost’s New Tactic to Deceive Users
  • Bifrost Malware: Linux Beware! New Variant Leverages Deceptive Domain for Evasion