A new Linux variant of Bifrost (also known as Bifrose) has been observed using a deceptive command-and-control domain that closely resembles a legitimate VMware domain, a tactic intended to help its traffic blend in and avoid detection.
What is Bifrost malware?
Bifrost is a Remote Access Trojan (RAT): malware that gives an attacker unauthorized, remote control over an infected computer.
Once installed on a victim’s system, Bifrost enables attackers to perform various malicious activities, such as stealing sensitive information, monitoring user activity, executing commands, and even controlling the infected computer remotely. Bifrost has been utilized by cybercriminals in targeted attacks against individuals, businesses, and organizations worldwide.
The latest version of Bifrost is built to slip past security controls and establish a foothold on target systems.
Researchers have also noted a recent surge in Linux variants of Bifrost, which suggests the operators are increasingly targeting Linux-based systems.
Bifrost Implements Innovative User-Deception Technique
The most recent iteration of Bifrost communicates with a command-and-control (C2) domain named download.vmfare[.]com, a deliberate misspelling that closely resembles the legitimate vmware.com domain.
“This practice is commonly referred to as typosquatting,” Palo Alto Networks explained to Cyber Security News. The researchers found the latest Bifrost sample hosted on the server listed in the indicators of compromise below.
The sample is compiled for x86 and appears to be stripped: the symbol table and debugging information have been removed. Attackers commonly do this to slow down reverse engineering, since analysts lose function names and source-level references.
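"Stripped" is something you can verify directly from the ELF section headers rather than take on trust: a stripped binary has no SHT_SYMTAB section (.symtab) and no .debug_* sections, although the dynamic symbol table (.dynsym) needed by the loader usually survives. The following is an added example, not code from the report or from Unit 42; it parses the section header table of a little-endian ELF32 or ELF64 image by hand and reports whether the file is stripped. The ELF images it checks are constructed fixtures built by build_elf, not the Bifrost samples; pass a real file path to inspect an actual binary.

```python
import struct
import sys

# ELF section types used below (from the ELF specification)
SHT_NULL, SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 0, 1, 2, 3, 11


def elf_sections(data: bytes):
    """Return [(name, sh_type)] for every section header in a little-endian ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class = data[4]
    if ei_class == 2:    # ELFCLASS64: e_shoff at 0x28, e_shentsize/e_shnum/e_shstrndx at 0x3A
        (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
        shdr_fmt = "<IIQQQQIIQQ"
    elif ei_class == 1:  # ELFCLASS32: e_shoff at 0x20, e_shentsize/e_shnum/e_shstrndx at 0x2E
        (e_shoff,) = struct.unpack_from("<I", data, 0x20)
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x2E)
        shdr_fmt = "<IIIIIIIIII"
    else:
        raise ValueError("unknown ELF class")
    if e_shnum == 0:     # section header table itself removed: nothing left to inspect
        return []
    headers = [struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab_off = headers[e_shstrndx][4]   # sh_offset of .shstrtab (field index 4 in both layouts)

    def name_at(off):
        end = data.index(b"\0", strtab_off + off)
        return data[strtab_off + off:end].decode("ascii", "replace")

    return [(name_at(h[0]), h[1]) for h in headers]


def strip_report(data: bytes) -> dict:
    """Classify an ELF image as stripped (no .symtab and no .debug_* sections) or not."""
    sections = elf_sections(data)
    has_symtab = any(t == SHT_SYMTAB for _, t in sections)
    debug = [n for n, _ in sections if n.startswith(".debug")]
    return {
        "stripped": not has_symtab and not debug,
        "has_symtab": has_symtab,
        "has_dynsym": any(t == SHT_DYNSYM for _, t in sections),  # survives stripping, still useful
        "debug_sections": debug,
        "section_names": [n for n, _ in sections],
    }


def build_elf(section_specs, elf64=True) -> bytes:
    """Construct a minimal ELF image (a test fixture, not a real program) with the given (name, type) sections."""
    specs = [("", SHT_NULL)] + list(section_specs) + [(".shstrtab", SHT_STRTAB)]
    shstrtab, name_offsets = bytearray(), []
    for name, _ in specs:
        name_offsets.append(len(shstrtab))
        shstrtab += name.encode() + b"\0"
    ehdr_size, shentsize = (64, 64) if elf64 else (52, 40)
    shstr_off = ehdr_size
    shoff = (shstr_off + len(shstrtab) + 7) & ~7   # section header table, 8-byte aligned
    shstrndx = len(specs) - 1
    if elf64:
        ehdr = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7          # class64, LE, version 1
        ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, shoff, 0, ehdr_size, 0, 0, shentsize, len(specs), shstrndx)
        shdr_fmt = "<IIQQQQIIQQ"
    else:
        ehdr = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\0" * 7          # class32, LE, version 1
        ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 0, shoff, 0, ehdr_size, 0, 0, shentsize, len(specs), shstrndx)
        shdr_fmt = "<IIIIIIIIII"
    image = bytearray(ehdr) + shstrtab
    image += b"\0" * (shoff - len(image))
    for (name, typ), off in zip(specs, name_offsets):
        is_strtab = name == ".shstrtab"
        image += struct.pack(shdr_fmt, off, typ, 0, 0,
                             shstr_off if is_strtab else 0, len(shstrtab) if is_strtab else 0, 0, 0, 0, 0)
    return bytes(image)


# Constructed fixtures: a debug build keeps .symtab and .debug_info; a stripped x86 (32-bit) build keeps only .dynsym.
UNSTRIPPED = build_elf([(".text", SHT_PROGBITS), (".symtab", SHT_SYMTAB), (".strtab", SHT_STRTAB), (".debug_info", SHT_PROGBITS)])
STRIPPED = build_elf([(".text", SHT_PROGBITS), (".dynsym", SHT_DYNSYM), (".dynstr", SHT_STRTAB)], elf64=False)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else STRIPPED
    print(strip_report(data))
```

Run it as `python3 elfstrip.py /path/to/sample` on a real binary. Because .dynsym survives stripping, imported function names are still recoverable from it and from the dynamic string table, which is typically how analysts identify networking routines in a stripped sample.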
At start-up the malware calls a function named setSocket to create the socket it uses for communication. Once the socket exists, it collects information about the victim host and transmits it to the attacker's server.
The latest sample encrypts the gathered victim data with RC4 before transmission. The malware then attempts to reach a public DNS resolver located in Taiwan.
Through that resolver it issues a DNS query for download.vmfare[.]com; resolving the domain is what lets the malware find and connect to its C2 server.
Using a deceptive domain name for C2 rather than a hard-coded IP address helps the malware evade detection and lets the operator move the C2 infrastructure without rebuilding the binary. Note that because the lookup is sent directly to an external public resolver instead of the host's configured resolver, it will not appear in the organization's own resolver logs; catching it requires visibility into outbound DNS traffic at the network edge.
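The behaviour described above leaves two detectable traces in DNS telemetry: a query for a brand lookalike domain, and a query sent to a resolver that is not the organization's own. The following is an added example, not code from the report; it runs simple detection logic over a few constructed DNS query records (timestamp, source, resolver, query name, answer) and flags matches against the published indicators, lookalikes of a protected brand label by edit distance, and lookups sent to an unapproved resolver. The resolver addresses (10.0.0.53 as the corporate resolver, 203.0.113.53 as an external one) and the log format are assumptions for the example.

```python
# Constructed DNS query telemetry (not real logs): ts src_ip resolver_ip qname answer
SAMPLE_LOG = """\
2024-03-01T10:15:02Z 10.0.1.20 10.0.0.53 www.vmware.com 198.51.100.10
2024-03-01T10:15:09Z 10.0.1.20 203.0.113.53 download.vmfare.com 45.91.82.127
2024-03-01T10:16:11Z 10.0.1.21 10.0.0.53 update.vmwre.com -
2024-03-01T10:17:40Z 10.0.1.22 203.0.113.53 example.org 192.0.2.10
"""

IOC_DOMAINS = {"download.vmfare.com"}   # from the report
IOC_IPS = {"45.91.82.127"}              # from the report
BRANDS = {"vmware"}                     # second-level labels worth protecting; extend for your estate
KNOWN_GOOD = {"vmware.com"}             # legitimate registrable domains for those brands
ALLOWED_RESOLVERS = {"10.0.0.53"}       # assumption: the organisation's own resolver(s)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(qname: str) -> str:
    """Naive registrable domain: the last two labels. Use the Public Suffix List for co.uk-style TLDs."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def lookalike_brand(qname: str):
    """Return the protected brand a query name imitates, or None if it is legitimate or unrelated."""
    reg = registrable(qname)
    if reg in KNOWN_GOOD:
        return None
    sld = reg.split(".")[0]
    for brand in BRANDS:
        # exact brand on an unexpected TLD, brand embedded in a longer label, or one edit away
        if sld == brand or brand in sld or levenshtein(sld, brand) <= 1:
            return brand
    return None


def analyze(lines):
    """Return [(qname, src_ip, [reasons])] for every record that trips at least one check."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, resolver, qname, answer = line.split()
        qname = qname.lower().rstrip(".")
        reasons = []
        if qname in IOC_DOMAINS:
            reasons.append("ioc-domain")
        if answer in IOC_IPS:
            reasons.append("ioc-ip")
        brand = lookalike_brand(qname)
        if brand:
            reasons.append(f"lookalike:{brand}")
        if resolver not in ALLOWED_RESOLVERS:   # direct-to-public-resolver lookups bypass internal logging
            reasons.append("external-resolver")
        if reasons:
            alerts.append((qname, src, reasons))
    return alerts


if __name__ == "__main__":
    for qname, src, reasons in analyze(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {qname}: {', '.join(reasons)}")
```

The external-resolver check is the one worth keeping even after the indicators go stale: a workstation that resolves names through an arbitrary public resolver instead of the corporate one is anomalous regardless of which domain it asks for. The edit-distance check on the second-level label is deliberately tight (distance 1) to keep false positives manageable; widen it only for long brand names.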
The researchers also found that the same malicious IP address hosts an ARM build of Bifrost, a sign that the operator intends to broaden the range of devices it can infect beyond x86 hosts.
Identifying and removing malware like Bifrost is therefore essential to protecting sensitive data and preserving the integrity of affected systems; doing so reduces the likelihood of unauthorized access and the damage that follows it.
Indicators of Compromise
SHA256 Hash | Architecture
--- | ---
8e85cb6f2215999dc6823ea3982ff4376c2cbea53286e95ed00250a4a2fe4729 | x86
2aeb70f72e87a1957e3bc478e1982fe608429cad4580737abe58f6d78a626c05 | ARM
Domain and IP Addresses
- download.vmfare[.]com (typosquatted C2 domain)
- 45.91.82[.]127 (server hosting the x86 and ARM samples)