New Bifrost Malware Attacking Linux Servers Evades Security Systems

A new Linux variant of Bifrost (also known as Bifrose) has been observed using a creative way to evade detection: it contacts a command-and-control domain whose name imitates the official VMware domain.

Bifrost is a remote access Trojan (RAT) that was first discovered in 2004. It is usually distributed by attackers using phishing websites or email attachments.

Once installed on the victim's computer, Bifrost lets the attacker collect sensitive host details such as the victim's IP address and hostname.

Bifrost’s most recent version attempts to bypass security measures and infiltrate target systems.

The cybersecurity industry is concerned about the recent spike in Linux variants of Bifrost, which may indicate an increase in attacks against Linux-based systems.

Bifrost sample detections from October through January 2024

Novel User-Deception Method Used By Bifrost

“The latest version of Bifrost reaches out to a command and control (C2) domain with a deceptive name, download.vmfare[.]com, which appears similar to a legitimate VMware domain. This is a practice known as typosquatting,” Palo Alto Networks shared with Cyber Security News.

Researchers identified the most recent Bifrost sample on a server.

The sample is compiled for x86 and appears to be stripped: its symbol table and debugging information have been removed, a tactic attackers commonly use to hinder analysis.
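A quick way to confirm what the text says about the sample (which architecture it targets and whether the symbol table is gone) is to read the ELF header and section names directly rather than trusting a filename. The following is an added example for this page, not code from the original article or from Palo Alto Networks: it parses a little-endian ELF32 or ELF64 image, reports the architecture from e_machine, and checks for a .symtab section and any .debug_* sections. Because no real sample is reproduced here, build_test_elf constructs a minimal headers-only ELF64 image (an assumption for illustration, not a copy of the malware) so the checks can run offline.

```python
import struct
from typing import Dict, List

# ELF e_machine values for the architectures the article mentions (x86 and ARM).
MACHINES = {3: "x86", 62: "x86-64", 40: "ARM", 183: "AArch64"}


def _layout(data: bytes):
    """Return (shoff, shentsize, shnum, shstrndx, shdr_format) for ELF32 or ELF64."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[5] != 1:
        raise ValueError("only little-endian images handled here")
    if data[4] == 2:  # ELFCLASS64: e_shoff at 0x28, e_shentsize/e_shnum/e_shstrndx at 0x3A
        shoff = struct.unpack_from("<Q", data, 0x28)[0]
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
        return shoff, shentsize, shnum, shstrndx, "<IIQQQQ"
    if data[4] == 1:  # ELFCLASS32: e_shoff at 0x20, the same trio at 0x2E
        shoff = struct.unpack_from("<I", data, 0x20)[0]
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x2E)
        return shoff, shentsize, shnum, shstrndx, "<IIIIII"
    raise ValueError("unknown ELF class")


def section_names(data: bytes) -> List[str]:
    """Read the section-name string table and return every section's name."""
    shoff, shentsize, shnum, shstrndx, fmt = _layout(data)
    if shnum == 0:
        return []

    def shdr(i):  # (sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size)
        return struct.unpack_from(fmt, data, shoff + i * shentsize)

    stroff, strsize = shdr(shstrndx)[4:6]
    strtab = data[stroff:stroff + strsize]
    names = []
    for i in range(shnum):
        start = shdr(i)[0]
        names.append(strtab[start:strtab.index(b"\0", start)].decode())
    return names


def triage(data: bytes) -> Dict[str, object]:
    """Summarise architecture and symbol/debug presence, the first things an
    analyst checks before loading a sample into a disassembler."""
    e_machine = struct.unpack_from("<H", data, 0x12)[0]
    names = section_names(data)
    return {
        "arch": MACHINES.get(e_machine, f"unknown({e_machine})"),
        "stripped": ".symtab" not in names,   # no symbol table => stripped
        "debug_info": any(n.startswith(".debug") for n in names),
        "sections": names,
    }


def build_test_elf(machine: int, sections: List[str]) -> bytes:
    """Construct a minimal headers-only ELF64 image with the given section names.
    This is a stand-in for a real sample so the checks run offline; it holds no
    code and is not executable."""
    names = [""] + sections + [".shstrtab"]
    strtab = b"".join(n.encode() + b"\0" for n in names)
    shnum, shoff, shent = len(names), 64, 64
    str_off = shoff + shnum * shent
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, machine, 1, 0, 0, shoff, 0,
                               64, 0, 0, shent, shnum, shnum - 1)
    shdrs, name_off = b"", 0
    for i, n in enumerate(names):
        is_strtab = i == shnum - 1
        shdrs += struct.pack("<IIQQQQIIQQ", name_off, 3 if is_strtab else 0,
                             0, 0, str_off if is_strtab else 0,
                             len(strtab) if is_strtab else 0, 0, 0, 1, 0)
        name_off += len(n) + 1
    return ehdr + shdrs + strtab


if __name__ == "__main__":
    print(triage(build_test_elf(3, [".text", ".data"])))
    print(triage(build_test_elf(40, [".text", ".symtab", ".strtab", ".debug_info"])))
```

Against a real file, read its bytes and pass them to triage; a stripped x86 sample reports arch "x86" with stripped True, which is exactly the combination the article describes, and the same check run on an ARM build reports "ARM". The parser deliberately does nothing beyond the section table, so it is safe to run on untrusted input.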

The malware first calls a function named setSocket to create the socket it will use to talk to the attacker's server.

Code flow of the malware seen in a disassembler

Once the socket has been created, the malware collects information about the victim host and transmits it to the attacker's server.

Collects victim data

The most recent sample encrypts the collected victim data with RC4 before sending it. It then attempts to reach a public DNS resolver located in Taiwan.

The malware sends a DNS query to that public resolver to resolve the domain download.vmfare[.]com. Resolving the name at run time is what lets the malware find its C2 server without a hard-coded IP address.

Malware initiating a DNS query to resolve the domain download.vmfare[.]com
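The two behaviours described above, a typosquatted C2 name and a DNS query sent straight to an outside public resolver instead of the organisation's own, can both be surfaced from DNS logs. The following is an added example for this page, not code from Palo Alto Networks or from the malware: it scores the registrable part of each queried name against a small brand list using an edit distance that also counts adjacent transpositions, and flags queries that bypass the allowed resolvers. The log-line format, brand list, allowed-resolver set and the sample lines are all constructed assumptions; the external resolver addresses are documentation-range placeholders, not the resolver the malware actually used.

```python
from typing import Dict, List, Optional

# Brand labels and their genuine registrable domains. The page names only VMware;
# the other entries are assumed extras to show the check generalises.
BRANDS = {"vmware": "vmware.com", "microsoft": "microsoft.com", "google": "google.com"}

# Resolvers hosts are expected to use (assumed internal addresses).
ALLOWED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}

# Constructed sample DNS log, not real telemetry. Assumed line format:
#   <timestamp> src=<client ip> resolver=<server ip> qname=<queried name>
# 203.0.113.53 and 198.51.100.1 are placeholders for resolvers outside the org.
SAMPLE_LOG = """\
2024-01-15T10:01:02Z src=10.0.0.5 resolver=10.0.0.2 qname=updates.vmware.com
2024-01-15T10:01:09Z src=10.0.0.5 resolver=203.0.113.53 qname=download.vmfare.com
2024-01-15T10:02:11Z src=10.0.0.7 resolver=10.0.0.2 qname=www.example.org
2024-01-15T10:03:00Z src=10.0.0.9 resolver=198.51.100.1 qname=www.example.org
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance:
    insertion, deletion, substitution and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_of(qname: str, brands: Dict[str, str] = BRANDS, max_dist: int = 1) -> Optional[str]:
    """Return the imitated brand domain when the registrable part of qname is within
    max_dist edits of a brand label but is not the genuine domain, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    registrable, sld = ".".join(labels[-2:]), labels[-2]
    for label, legit in brands.items():
        if registrable == legit:
            return None  # the real domain, not a lookalike
        if osa_distance(sld, label) <= max_dist:
            return legit
    return None


def parse_line(line: str) -> Dict[str, str]:
    """Parse one 'key=value' log line into a dict; the timestamp is stored as 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def analyze(log_text: str, brands=BRANDS, allowed=ALLOWED_RESOLVERS) -> List[Dict[str, object]]:
    """Return one finding per suspicious query, listing every reason it was flagged."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []
        target = lookalike_of(rec["qname"], brands)
        if target:
            reasons.append(f"lookalike of {target}")
        if rec["resolver"] not in allowed:
            reasons.append(f"query sent to external resolver {rec['resolver']}")
        if reasons:
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "qname": rec["qname"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["src"], f["qname"], "->", "; ".join(f["reasons"]))
```

Run directly, it prints the two suspicious lines from the embedded sample: the vmfare query is flagged on both counts, and the last line only for bypassing the internal resolvers. A threshold of 1 catches single-character swaps such as vmfare for vmware; raising it improves recall but produces false positives on short legitimate names, so restrict the brand list to names your organisation actually uses and allow-list known-good domains.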

To avoid detection, the malware refers to its C2 server by a deceptive domain name rather than a hard-coded IP address, so the traffic blends in with what looks like legitimate VMware activity.

Researchers also discovered that the same malicious IP address hosts an ARM build of Bifrost, which suggests the attacker is working to expand the range of systems it can target.

Detecting and removing malware such as Bifrost is therefore essential to protect sensitive information and preserve the integrity of affected systems, reducing the likelihood of unauthorized access and the damage that could follow.

