A well-funded cyber criminal group targets Asian organizations

Trend Micro announced that the Asian market is being targeted more than ever by a well-funded cyber criminal group that appears to be very organized.

The attacks rely on the Bifrose code to develop their backdoor, a malware that has been around since 2008. In 2014 a new version of Bifrose was reported in the wild; among the improvements observed in the new variant was the use of the Tor network to hide the C&C infrastructure.

“BIFROSE is mostly known for its keylogging routines, but it is capable of stealing far more information than just keystrokes,” states Trend Micro.

It is known that the Bifrose source code was sold in the past for around $10,000. The experts believe that the cyber criminal group behind the recent attacks against Asian entities has been active since 2010 and that it bought the Bifrose source code. The group has considerable human and financial resources and a wide variety of hacking tools in its arsenal.

“Our research indicates that the group has sufficient financial resources to purchase the source code of a widely available malware tool, and the human resources to design improved versions of its own backdoors based on this,” said Razor Huang, Trend Micro threat analyst.

The cyber criminal group most probably bought the Bifrose source code and improved its capabilities by adding new features.

“Improving its functions, the group then designed a new installation flow, developed a new builder to create unique loader-backdoor pairs, and made more simple and concise backdoor capabilities, resulting in a new backdoor—KIVARS. This could mean that the operation is either backed financially by its sponsors or the group has the funds and resources to improve on an existing backdoor,” continues Trend Micro.

It is worth noting that the KIVARS backdoor can also target 64-bit systems. Trend Micro explains that KIVARS is most probably linked to Bifrose because “some KIVARS backdoors’ PDB (program database) paths betray the code name of KIVARS to be “BR” + “{year}”. We think that BR most likely stands for Bifrose RAT.”

Another Bifrose-based malware developed by the same group back in 2010 is XBOW. XBOW reports the “Recent,” “Desktop,” and “Program” folder paths, which are also present in the BIFROSE and KIVARS phone-home messages.
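The two attribution clues above (a "BR" + year code name in the PDB path, and the Recent/Desktop/Program folder labels in the phone-home message) can be turned into a triage check an analyst runs over a sample and a captured beacon. The following Python helper is an added illustration, not Trend Micro's tooling or code from the article: it locates CodeView "RSDS" debug records by a raw byte scan (4-byte signature, 16-byte GUID, 4-byte age, then a NUL-terminated PDB path), flags paths that carry the "BR" + four-digit-year convention, and checks whether a beacon string contains all three folder labels. The sample binary bytes and the beacon string are constructed for the demonstration; the function names are the author's own.

```python
import re

# CodeView "RSDS" record layout: b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated PDB path.
RSDS_HEADER_LEN = 4 + 16 + 4

# Code-name convention described by Trend Micro for KIVARS: "BR" followed by a year.
BR_YEAR = re.compile(r"BR(20\d{2})")

# Folder labels the article reports in BIFROSE/KIVARS/XBOW phone-home messages.
BEACON_FOLDERS = ("Recent", "Desktop", "Program")


def extract_pdb_paths(data: bytes) -> list:
    """Return every PDB path found after an RSDS signature in a raw byte blob.

    This is a heuristic scan over the whole file rather than a walk of the PE
    debug directory, so it also works on memory dumps and carved fragments.
    """
    paths = []
    pos = 0
    while True:
        idx = data.find(b"RSDS", pos)
        if idx < 0:
            break
        start = idx + RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end < 0:
            end = len(data)
        raw = data[start:end]
        if raw:
            paths.append(raw.decode("latin-1"))
        pos = idx + 4
    return paths


def br_year_tags(path: str) -> list:
    """Return the 'BR<year>' tokens present in a PDB path (empty list if none)."""
    return [m.group(0) for m in BR_YEAR.finditer(path)]


def triage_sample(data: bytes) -> dict:
    """Summarise PDB paths and which of them match the BR+year code-name pattern."""
    paths = extract_pdb_paths(data)
    hits = {p: br_year_tags(p) for p in paths if br_year_tags(p)}
    return {"pdb_paths": paths, "br_year_hits": hits}


def beacon_has_folder_triplet(message: str) -> bool:
    """True when a captured beacon carries all three folder labels at once."""
    return all(label in message for label in BEACON_FOLDERS)


# Constructed sample: a fake DOS stub followed by a hand-built RSDS record.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"RSDS" + bytes(range(16)) + b"\x01\x00\x00\x00"
    + b"C:\\work\\BR2014\\Release\\loader.pdb\x00"
    + b"\x00" * 16
)

# Constructed sample beacon in the spirit of the folder-path phone-home described above.
SAMPLE_BEACON = (
    "host=LAB-PC|Recent=C:\\Users\\lab\\Recent"
    "|Desktop=C:\\Users\\lab\\Desktop|Program=C:\\Program Files"
)

if __name__ == "__main__":
    print(triage_sample(SAMPLE_BINARY))
    print("beacon folder triplet:", beacon_has_folder_triplet(SAMPLE_BEACON))
```

Both checks are triage signals, not verdicts: a "BR2014"-style token or the three folder names can occur in benign software, so a hit should route a sample to deeper analysis (sandbox, YARA on the full string set, C&C correlation) rather than be treated as attribution on its own.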

Trend Micro monitored a recent operation conducted by the cyber criminal group, dubbed Operation Shrouded Crossbow, that focused on the Asian market and on targets such as government contractors, privatized government agencies, and companies in the financial, healthcare, computer and consumer electronics sectors.

The experts believe the cyber criminal group runs separate teams for each activity: one for development, another for the infiltration/targeting part, and another to maintain its C&C infrastructure.

In my opinion, this shows the trend of the last 3 / 4 years, where more and more groups are becoming organized, like a legitimate company, and are able to generate enough funds to keep going and improve their methods.

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He had previous experiences in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – well-funded cyber criminal group, hacking, BIFROSE backdoor)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
