2024-03-01

Cyber security researchers have discovered a new variant of a remote access trojan (RAT) for Linux called BIFROSE (also known as Bifrost) that uses a deceptive domain masquerading as the well-known VMware product.

Bifrose: what changes in this Linux variant from the original versions of the malware

“This latest version of Bifrost aims to bypass security measures and compromise target systems”, declared Palo Alto Networks Unit 42 researchers Anmol Maurya and Siddharth Sharma.

BIFROSE is a cyber threat that has existed for a long time, dating back to 2004; it has previously been offered for sale on underground forums for up to $10,000, according to a Trend Micro report dated December 2015, making it one of the first examples of malware-as-a-service.

The malware has been used by a China-linked hacking group known as BlackTech (also tracked as Circuit Panda, HUAPI, Manga Taurus, Palmerworm, PLEAD, Red Djinn, and Temp.Overboard), which has a history of attacking organizations in Japan, Taiwan and the United States.

The threat actors are suspected to have purchased the source code, or gained access to it, around 2010, repurposing the malware for their own campaigns via custom backdoors such as KIVARS and XBOW.

Linux variants of BIFROSE (also called ELF_BIFROSE) have been observed since at least 2020, with the ability to launch remote shells, download and upload files, and perform file operations.

“Attackers typically distribute Bifrost via email attachments or malicious websites”, the researchers said. “Once installed on the victim's computer, Bifrost allows the attacker to collect sensitive information, such as the victim's hostname and IP address.”

What makes the most recent variant noteworthy is that it connects to a command and control (C2) server named “download.vmfare[.]com”, a domain chosen to pass itself off as VMware; the deceptive domain is resolved by contacting a public DNS resolver based in Taiwan, at the IP address 168.95.1[.]1.

Unit 42 said it has detected increased Bifrost activity since October 2023, identifying at least 104 artifacts in its telemetry; it also discovered a version of Bifrost for the ARM architecture, suggesting that the threat actors are likely looking to expand their attack surface.

“With new variants using deceptive domain strategies like typosquatting, a recent spike in Bifrost activity highlights the dangerous nature of this malware”, the researchers said.
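The two network indicators above (the typosquatted C2 domain and the unusual upstream resolver) are the kind of thing a defender can hunt for in DNS logs. The following script is an added example, not code from Unit 42 or the article: it triages constructed DNS query log lines, flagging the known domain, any label one edit away from “vmware”, and queries that go to 168.95.1.1 or bypass the organisation's approved resolver (the log format, the approved resolver address 10.0.0.53 and the edit-distance threshold are assumptions).

```python
import re

# Indicators quoted in the article (defanged there as download.vmfare[.]com / 168.95.1[.]1).
C2_DOMAIN = "download.vmfare.com"
SUSPICIOUS_RESOLVER = "168.95.1.1"
BRAND = "vmware"
APPROVED_RESOLVERS = {"10.0.0.53"}  # assumption: the organisation's own resolver

def levenshtein(a, b):
    """Plain edit distance; small enough to avoid a third-party dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, brand=BRAND, max_dist=1):
    """True when some label (TLD excluded) is a near miss of the brand name.
    Distance 0 is the genuine brand; 'vmfare' is distance 1. The threshold of 1
    is an assumption: larger values start matching unrelated words."""
    for label in domain.lower().rstrip(".").split(".")[:-1]:
        if 0 < levenshtein(label, brand) <= max_dist:
            return True
    return False

# Assumed log layout: "<timestamp> client=<ip> resolver=<ip> qname=<name>"
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) resolver=(?P<resolver>\S+) qname=(?P<qname>\S+)$")

def triage(log_lines):
    """Return (client, qname, [reasons]) for every line that matches an indicator."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in practice count these separately
        qname = m["qname"].rstrip(".").lower()
        reasons = []
        if qname == C2_DOMAIN:
            reasons.append("known Bifrost C2 domain")
        elif is_lookalike(qname):
            reasons.append("typosquat of " + BRAND)
        if m["resolver"] == SUSPICIOUS_RESOLVER:
            reasons.append("query sent to resolver 168.95.1.1 used by Bifrost")
        elif m["resolver"] not in APPROVED_RESOLVERS:
            reasons.append("query bypassed approved resolvers")
        if reasons:
            hits.append((m["client"], qname, reasons))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2024-02-28T10:00:01Z client=10.1.4.23 resolver=10.0.0.53 qname=www.vmware.com.",
    "2024-02-28T10:00:07Z client=10.1.4.23 resolver=168.95.1.1 qname=download.vmfare.com.",
    "2024-02-28T10:00:09Z client=10.1.4.40 resolver=10.0.0.53 qname=updates.example.org.",
    "2024-02-28T10:00:12Z client=10.1.4.40 resolver=8.8.8.8 qname=vmwareupdate.example.net.",
]

if __name__ == "__main__":
    for client, qname, reasons in triage(SAMPLE_LOG):
        print(client, qname, "; ".join(reasons))
```

Any host that both queries the lookalike domain and talks to an unexpected resolver is a strong candidate for the isolation and scanning steps described later in the article.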

The development comes as McAfee Labs has published a detailed report on a new GuLoader campaign that propagates the malware via malicious SVG file attachments in emails; the malware has also been observed being distributed via VBS scripts as part of a multi-stage payload delivery.

“This recent increase [of Bifrost in circulation] highlights its evolving tactics for greater reach and evasion”, Trustwave SpiderLabs stated in an X post last week.

The Bifrost and GuLoader attacks coincide with the release of a new version of the Warzone RAT, which recently saw two of its operators arrested and its infrastructure dismantled by the US government.

What to do if you come into contact with malware

If you suspect or have reason to believe that you have come into contact with the BIFROSE malware, it is essential to take security measures immediately to protect the system and its sensitive data. First of all, isolate the infected computer from the network: this stops the malware from propagating and also prevents it from exfiltrating your personal data (and more).

Next, perform a full system scan using reputable and up-to-date antivirus software (e.g. Windows Defender and Malwarebytes on Windows, ClamAV on Linux); if traces of the malware are detected, remove them by following the instructions provided by the security software or by consulting IT security experts.

It is also recommended to change all sensitive passwords and to monitor system activity carefully to identify any anomalous behaviour. If you believe you are the victim of a targeted attack, it is crucial to inform the relevant authorities immediately and to seek assistance from cybersecurity experts for an effective response.

User awareness and readiness to adopt security measures are key to countering cyber threats such as BIFROSE.