Linux variants of the Bifrost Trojan evade detection via typosquatting

A 20-year-old Trojan recently resurfaced with new variants that target Linux and impersonate a trusted hosted domain to evade detection.

Palo Alto Networks researchers have identified a new Linux variant of the Bifrost malware (also known as Bifrose) which uses a deceptive practice known as typosquatting to mimic a legitimate VMware domain, allowing the malware to fly under the radar. Bifrost is a Remote Access Trojan (RAT) that has been active since 2004 and collects sensitive information, such as the hostname and IP address, from a compromised system.

There has been a worrying spike in Bifrost Linux variants in recent months: Palo Alto Networks has detected more than 100 Bifrost samples, which “raises concerns among experts and security organizations,” researchers Anmol Murya and Siddharth Sharma wrote in the company’s newly published findings.

Additionally, there is evidence that the attackers aim to further expand Bifrost’s reach: a malicious IP address associated with a Linux variant also hosts an ARM version of Bifrost.

“By delivering an ARM version of the malware, attackers can expand their reach, compromising devices that may not be compatible with the x86-based malware,” the researchers explained. “As ARM-based devices become more common, cybercriminals will likely change their tactics to include ARM-based malware, making their attacks stronger and able to achieve more targets.”

Distribution and infection

Attackers typically distribute Bifrost via email attachments or malicious websites, the researchers noted, although they did not elaborate on the initial attack vector for the newly emerged Linux variants.

Palo Alto researchers observed a sample of Bifrost hosted on a server at the IP address 45.91.82[.]127. Once installed on the victim’s computer, Bifrost contacts a command and control (C2) domain with a misleading name, download.vmfare[.]com, which looks similar to a legitimate VMware domain. The malware collects user data and sends it to this server, encrypting the data with RC4.

“The malware often adopts deceptive domain names as C2 instead of IP addresses to evade detection and make it more difficult for researchers to trace the source of malicious activity,” the researchers wrote.

They also observed the malware attempting to contact a public DNS resolver based in Taiwan with the IP address 168.95.1[.]1. The malware uses the resolver to issue a DNS query for the download.vmfare[.]com domain, a step that is crucial to ensuring that Bifrost can successfully connect to its intended destination, according to the researchers.
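The two behaviours described above, a C2 domain that is one character away from a trusted brand and DNS queries sent straight to an external public resolver rather than through the organisation’s own, are both visible in DNS query logs. The following script is an added example written for this article, not code from Palo Alto Networks or from the Bifrost research; it scans constructed sample log lines, flags registrable labels within a small edit distance of a watchlisted brand, and flags queries that bypass an assumed allowlist of corporate resolvers. The log format, the brand watchlist and the resolver allowlist are all assumptions.

```python
"""Lookalike-domain and rogue-resolver check over DNS query logs.

Added example for illustration; not part of the original article or of
Palo Alto Networks' research. The log format ("<timestamp> <client>
<resolver> <queried name>"), BRAND_LABELS and APPROVED_RESOLVERS are
assumptions a deployment would replace with its own data.
"""
from dataclasses import dataclass, field

# Constructed sample log lines. The vmfare entry mirrors the lookalike
# domain and the 168.95.1.1 public resolver reported in the article.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.12 10.0.0.53 download.vmware.com
2024-03-01T10:00:02Z 10.0.0.12 10.0.0.53 updates.ubuntu.com
2024-03-01T10:00:03Z 10.0.0.44 168.95.1.1 download.vmfare.com
2024-03-01T10:00:04Z 10.0.0.44 10.0.0.53 mail.example.org
"""

# Second-level labels of brands worth protecting (assumed watchlist).
BRAND_LABELS = {"vmware", "microsoft", "google"}
# Resolvers that internal hosts are expected to use (assumed allowlist).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,          # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_label(fqdn: str) -> str:
    """Second-to-last label of a name (naive; production code should use the
    Public Suffix List so that names under co.uk and similar are handled)."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


@dataclass
class Finding:
    client: str
    query: str
    resolver: str
    reasons: list = field(default_factory=list)


def analyse(log_text: str, max_distance: int = 2) -> list:
    """Return one Finding per log line that looks suspicious."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, resolver, qname = line.split()
        reasons = []
        label = registrable_label(qname)
        # Exact brand matches are legitimate traffic; only near-misses are
        # typosquats. Very short labels are skipped to limit false positives.
        if label not in BRAND_LABELS and len(label) >= 4:
            for brand in BRAND_LABELS:
                d = levenshtein(label, brand)
                if 0 < d <= max_distance:
                    reasons.append(f"lookalike of {brand} (edit distance {d})")
        # DNS going directly to a public resolver bypasses internal logging
        # and filtering, which is exactly what the Bifrost sample did.
        if resolver not in APPROVED_RESOLVERS:
            reasons.append(f"query sent to unapproved resolver {resolver}")
        if reasons:
            findings.append(Finding(client, qname, resolver, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.client} -> {f.query} via {f.resolver}: {'; '.join(f.reasons)}")
```

On the sample data only the vmfare line is reported, with both reasons attached; the genuine download.vmware.com query is left alone because its label matches the watchlist exactly. Lowering max_distance to 1 keeps the vmfare hit while reducing noise from unrelated names of similar length.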

Protection of sensitive data

While it may be a veteran when it comes to malware, the Bifrost RAT remains a significant and evolving threat to both individuals and organizations, particularly as new variants adopt typosquatting to evade detection, the researchers said.

“Tracking and countering malware like Bifrost is critical to safeguarding sensitive data and preserving the integrity of computer systems,” they wrote. “This also helps to minimize the likelihood of unauthorized access and resulting damage.”

In their post, the researchers shared a list of indicators of compromise, including malware sample hashes and the IP addresses and domains associated with the latest Bifrost Linux variants. They recommend that companies use next-generation firewall products and cloud-specific security services – including URL filtering, malware prevention, visibility and analytics – to protect cloud environments.

Ultimately, the infection process allows the malware to bypass security measures and evade detection, ultimately compromising targeted systems, researchers said.
