New Bifrost malware for Linux mimics VMware domain for evasion

New Bifrost malware for Linux mimics VMware domain for evasion

A new Linux variant of Bifrost, called Bifrose, was detected employing a clever evasion tactic by utilizing a deceptive domain resembling the official VMware domain to avoid detection.

What is Bifrost malware?

Bifrost is a type of malware known as a Remote Access Trojan (RAT). It allows attackers to gain unauthorized access to infected computers remotely.

Once installed on a victim’s system, Bifrost enables attackers to perform various malicious activities, such as stealing sensitive information, monitoring user activity, executing commands, and even controlling the infected computer remotely. Bifrost has been utilized by cybercriminals in targeted attacks against individuals, businesses, and organizations worldwide.


The latest version of Bifrost aims to circumvent security measures and infiltrate target systems.

The cybersecurity industry is alarmed by the recent surge in Linux variants of Bifrost, suggesting a rise in attacks targeting Linux-based systems.

Bifrost Implements Innovative User-Deception Technique

The most recent iteration of Bifrost communicates with a command and control (C2) domain using the deceptive name download.vmfare[.]com, closely resembling a legitimate VMware domain.

“This practice is commonly referred to as typosquatting,” Palo Alto Networks explained to Cyber Security News. Researchers have detected the latest Bifrost sample on a server.


The sample binary is x86-compiled and seems to be stripped, meaning both symbol tables and debugging information have been removed. Attackers typically utilize this tactic to impede analysis.

Initially, the malware employs the setSocket method to establish a socket for communication. Subsequently, it collects user data and sends it to the attacker’s server.

After creating the socket, the malware proceeds to collect user information to transmit it to the attacker’s server.


The latest sample encrypts gathered victim data using RC4 encryption. Subsequently, the malware endeavors to connect with a public DNS resolver situated in Taiwan.

Using the public DNS resolver, the malware initiates a DNS query to resolve the domain download.vmfare[.]com. This step is crucial to ensure the malware can establish a connection with its target location.


In efforts to evade detection, the malware frequently employs deceptive domain names like C2 instead of IP addresses.

Researchers uncovered that a malicious IP address also hosts an ARM version of Bifrost. This version’s presence indicates the attacker’s endeavor to broaden the scope of their attacks.

Therefore, it is paramount to identify and eradicate malware like Bifrost to safeguard sensitive information and uphold the integrity of computer systems. By doing so, the likelihood of unauthorized access and the subsequent damage can be significantly reduced.

Indicators of Compromise

SHA256 HashArchitecture
8e85cb6f2215999dc6823ea3982ff4376c2cbea53286e95ed00250a4a2fe4729x86
2aeb70f72e87a1957e3bc478e1982fe608429cad4580737abe58f6d78a626c05ARM

Domain and IP Addresses

  • download.vmfare[.]com
  • 45.91.82[.]127

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!