Rewterz Threat Alert – Bifrost Malware Deceives Linux Users with New Tactic – Active IOCs

Severity

High

Analysis Summary

The emergence of a new Linux variant of the Bifrost remote access trojan (RAT) represents a concerning development in the landscape of cyber threats. This variant employs innovative evasion techniques including the use of a deceptive domain that mimics a legitimate VMware domain, thus enhancing its stealth capabilities and making detection more challenging.

Researchers have identified this variant, highlighting its potential to bypass security measures and compromise targeted systems effectively. Bifrost, a long-standing RAT first identified two decades ago, has undergone significant evolution as evidenced by the recent spike in activity. The analysis of the latest samples reveals enhancements to the malware’s operational and evasion capabilities. Notably, the use of stripped binary forms without debugging information or symbol tables complicates analysis efforts, further emphasizing the sophistication of the threat.

The inclusion of an ARM version of Bifrost indicates a strategic move by attackers to broaden their targeting scope to ARM-based architectures, which are increasingly prevalent in various environments. This adaptation underscores the adaptability of threat actors and their efforts to exploit vulnerabilities across diverse system architectures. The analysis of the latest Bitfrost samples has uncovered several interesting updates that enhance the malware’s operational and evasion capabilities. First, the command-and-control (C2) server the malware connects to uses a domain that appears similar to a legitimate VMware domain, allowing it to be easily missed during inspection.

By compiling the binary in stripped form without debugging information, the malware hinders analysis efforts, while its use of RC4 encryption and dynamic TCP socket creation complicates the detection and interception of exfiltrated data. Collecting sensitive information like hostname, IP address, and process IDs, Bifrost aims for stealthy lateral movement within networks. Its blend of obfuscation, encryption, and network evasion underscores the need for advanced threat detection and response capabilities to mitigate its impact effectively.

Impact

• Unauthorized Access
• Sensitive Information Theft

Indicators of Compromise

MD5

• e527b3f10217c1d663e567e041947033
• baebf287ad596771a693e6a7c3f88672

SHA-256

• 8e85cb6f2215999dc6823ea3982ff4376c2cbea53286e95ed00250a4a2fe4729
• 2aeb70f72e87a1957e3bc478e1982fe608429cad4580737abe58f6d78a626c05

SHA-1

• 168d8c11681ac4f59f335688b21ef7ffb83bc84d
• cd5851053b823e2dd3fd9c1d3a62ca10a5ea23f4

Domain Name

• download.vmfare.com

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Never trust or open links and attachments received from unknown sources/senders.
• Passwords – Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.