New Bifrost malware for Linux mimics VMware domain for evasion


A new Linux variant of the Bifrost remote access trojan (RAT) employs several novel evasion techniques, including the use of a deceptive domain that was made to appear as part of VMware.

First identified twenty years ago, Bifrost is one of the longest-standing RAT threats in circulation. It infects users via malicious email attachments or payload-dropping sites and then collects sensitive information from the host.

Palo Alto Networks’ Unit 42 researchers report observing a spike in Bitfrost’s activity recently, which led to them carry out an investigation that unveiled a new, stealthier variant.

104 new Bitfrost samples captured since October
104 new Bitfrost samples captured since October (Unit 42)

New Bitfrost tactics

The analysis of the latest Bitfrost samples by Unit 42 researchers has uncovered several interesting updates that enhance the malware’s operational and evasion capabilities.

First, the command and control (C2) server the malware connects to uses the “download.vmfare[.]com” domain, which appears similar to a legitimate VMware domain, allowing it to be easily missed during inspection.

The deceptive domain is resolved by contacting a Taiwan-based public DNS resolver, which makes tracing and blocking harder.

DNS query to resolve the C2 address
DNS query to resolve the C2 address (Unit 42)

On the technical side of the malware, the binary is compiled in stripped form without any debugging information or symbol tables, making its analysis harder.

Bitfrost collects the victim’s hostname, IP address, and process IDs, then uses RC4 encryption to secure it before transmission, and then exfiltrates it to the C2 via a newly created TCP socket.

Victim data collection
Victim data collection (Unit 42)

Another new finding highlighted in Unit 42’s report is an ARM version of Bitfrost, which has the same functionality as the x86 samples analyzed in the write-up.

The emergence of those builds shows that the attackers intend to broaden their targeting scope to ARM-based architectures that are now becoming increasingly common in various environments.

Although Bitfrost may not rank as a highly sophisticated threat or one of the most widely distributed pieces of malware, the discoveries made by the Unit 42 team call for increased vigilance.

The developers behind the RAT are clearly aiming to refine it into a more covert threat capable of targeting a wider array of system architectures.



Source link