Linux Variants of Bifrost Trojan Evade Detection via Typosquatting

A 20-year-old Trojan resurfaced recently with new variants that target Linux and impersonate a trusted hosted domain to evade detection.

Researchers from Palo Alto Networks spotted a new Linux variant of the Bifrost (aka Bifrose) malware that uses a deceptive practice known as typosquatting to mimic a legitimate VMware domain, which allows the malware to fly under the radar. Bifrost is a remote access Trojan (RAT) that’s been active since 2004 and gathers sensitive information, such as hostname and IP address, from a compromised system.

There has been a worrying spike in Bifrost Linux variants during the past few months: Palo Alto Networks has detected more than 100 instances of Bifrost samples, which “raises concerns among security experts and organizations,” researchers Anmol Murya and Siddharth Sharma wrote in the company’s newly published findings.

Moreover, there is evidence that cyberattackers aim to expand Bifrost’s attack surface even further, using a malicious IP address associated with a Linux variant hosting an ARM version of Bifrost as well, they said.

“By providing an ARM version of the malware, attackers can expand their grasp, compromising devices that may not be compatible with x86-based malware,” the researchers explained. “As ARM-based devices become more common, cybercriminals will likely change their tactics to include ARM-based malware, making their attacks stronger and able to reach more targets.”

Distribution and Infection

Attackers typically distribute Bifrost through email attachments or malicious websites, the researchers noted, though they didn’t elaborate on the initial attack vector for the newly surfaced Linux variants.

Palo Alto researchers observed a sample of Bifrost hosted on a server at the domain 45.91.82[.]127. Once installed on a victim’s computer, Bifrost reaches out to a command-and-control (C2) domain with a deceptive name, download.vmfare[.]com, which appears similar to a legitimate VMware domain. The malware collects user data to send back to this server, using RC4 encryption to encrypt the data.

“The malware often adopts such deceptive domain names as C2 instead of IP addresses to evade detection and make it more difficult for researchers to trace the source of the malicious activity,” the researchers wrote.

They also observed the malware trying to contact a Taiwan-based public DNS resolver with the IP address 168.95.1[.]1. The malware uses the resolver to initiate a DNS query to resolve the domain download.vmfare[.]com, a process that’s crucial to ensure that Bifrost can successfully connect to its intended destination, according to the researchers.

Safeguarding Sensitive Data

Though it may be an old-timer when it comes to malware, the Bifrost RAT remains a significant and evolving threat to individuals and organizations alike, particularly with new variants adopting typosquatting to evade detection, the researchers said.

“Tracking and counteracting malware like Bifrost is crucial to safeguarding sensitive data and preserving the integrity of computer systems,” they wrote. “This also helps minimize the likelihood of unauthorized access and subsequent harm.”

In their post, the researchers shared a list of indicators of compromise, including malware samples and domain and IP addresses associated with the latest Bifrost Linux variants. The researchers advise that enterprises use next-generation firewall products and cloud-specific security services — including URL filtering, malware-prevention applications, and visibility and analytics — to secure cloud environments.

Ultimately, the process of infection allows the malware to bypass security measures and evade detection, and ultimately compromise targeted systems, the researchers said.

Source: Original Post


“An interesting youtube video that may be related to the article above”