New Linux variant of BIFROSE RAT uses deceptive domain strategies

Pierluigi Paganini March 04, 2024

A new Linux variant of the remote access trojan (RAT) BIFROSE (aka Bifrost) uses a deceptive domain mimicking VMware.

Palo Alto Networks Unit 42 researchers discovered a new Linux variant of Bifrost (aka Bifrose) RAT that uses a deceptive domain (download.vmfare[.]com) that mimics the legitimate VMware domain.

The Bifrost RAT has been active since 2004, it allows its operators to gather sensitive information, including hostname and IP address. BIFROSE has data stealing capability, but it is mostly popular for its keylogging routines. The researchers also observed a spike in Bifrost’s Linux variants during the past few months.

The RAT is typically distributed through email attachments or malicious websites.

“The latest version of Bifrost reaches out to a command and control (C2) domain with a deceptive name, download.vmfare[.]com, which appears similar to a legitimate VMware domain.” reads the analysis published by Unit 42. “This is a practice known as typosquatting. By leveraging this deceptive domain, the threat actors behind Bifrost aim to bypass security measures, evade detection, and ultimately compromise targeted systems.”

The sample binary analyzed by the experts is compiled for x86, the authors removed debugging information and symbol tables to hinder analysis.

The recent sample of Linux variants of BIFROSE employes RC4 encryption to encrypt the collected victim data.

The researchers observed the malware trying to contact a Taiwan-based public DNS resolver with the IP address 168.95.1[.]1.

Bifrost Bifrose

The researchers observed the malware initiating a DNS query to resolve the domain download.vmfare[.]com by using the public DNS resolver at 168.95[.]1.1. This technique is used to ensure that the malware can successfully connect to its intended destination.

Bifrost Bifrose

The spike in Bifrost activity observed by Palo Alto Networks started in October 2023, the cybersecurity firm detected more than 100 instances (hashes) of malware samples.

The experts also discovered an Arm version of the Bifrose malware, a circumstance that led the researchers into believing that the authors are expanding their operations.

“The Bifrost RAT remains a significant and evolving threat to individuals and organizations alike. With new variants that employ deceptive domain strategies like typosquatting, a recent spike in Bifrost activity highlights the dangerous nature of this malware.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Bifrost)



you might also like

leave a comment