Linux Variants of Bifrost Trojan Evade Detection via Typosquatting

  /     /     /  
Publicated : 23/11/2024   Category : security


Linux Variants of Bifrost Trojan Evade Detection via Typosquatting


Spike in new versions of an old Trojan — which mimic legitimate VMware domains — alarms security researchers.



A 20-year-old Trojan resurfaced recently with new variants that target Linux and impersonate a trusted hosted domain to evade detection.
Researchers from Palo Alto Networks spotted a new Linux variant of the
Bifrost (aka Bifrose) malware
that uses a deceptive practice known as
typosquatting
to mimic a legitimate VMware domain, which allows the malware to fly under the radar.
Bifrost
is a remote access Trojan (RAT) thats been active since 2004 and gathers sensitive information, such as hostname and IP address, from a compromised system.
There has been a worrying spike in Bifrost Linux variants during the past few months: Palo Alto Networks has detected more than 100 instances of Bifrost samples, which raises concerns among security experts and organizations, researchers Anmol Murya and Siddharth Sharma wrote in the companys newly published findings.
Moreover, there is evidence that cyberattackers aim to expand Bifrosts attack surface even further, using a malicious IP address associated with a Linux variant hosting an ARM version of Bifrost as well, they said.
By providing an ARM version of the malware, attackers can expand their grasp, compromising devices that may not be compatible with x86-based malware, the researchers explained. As ARM-based devices become more common, cybercriminals will likely change their tactics to include ARM-based malware, making their attacks stronger and able to reach more targets.
Attackers typically distribute Bifrost through email attachments or malicious websites, the researchers noted, though they didnt elaborate on the initial attack vector for the newly surfaced Linux variants.
Palo Alto researchers observed a sample of Bifrost hosted on a server at the domain 45.91.82[.]127. Once installed on a victims computer, Bifrost reaches out to a command-and-control (C2) domain with a deceptive name, download.vmfare[.]com, which appears similar to a legitimate VMware domain. The malware collects user data to send back to this server, using RC4 encryption to encrypt the data.
The malware often adopts such deceptive domain names as C2 instead of IP addresses to evade detection and make it more difficult for researchers to trace the source of the malicious activity, the researchers wrote.
They also observed the malware trying to contact a Taiwan-based public DNS resolver with the IP address 168.95.1[.]1. The malware uses the resolver to initiate a DNS query to resolve the domain download.vmfare[.]com, a process thats crucial to ensure that Bifrost can successfully connect to its intended destination, according to the researchers.
Though it may be an old-timer when it comes to malware, the Bifrost RAT remains a significant and evolving threat to individuals and organizations alike, particularly with new variants adopting
typosquatting
to evade detection, the researchers said.
Tracking and counteracting malware like Bifrost is crucial to safeguarding sensitive data and preserving the integrity of computer systems, they wrote. This also helps minimize the likelihood of unauthorized access and subsequent harm.
In their post, the researchers shared a list of indicators of compromise, including malware samples and domain and IP addresses associated with the latest Bifrost Linux variants. The researchers advise that enterprises use next-generation firewall products and
cloud-specific security services
— including URL filtering, malware-prevention applications, and visibility and analytics — to secure cloud environments.
Ultimately, the process of infection allows the malware to bypass security measures and evade detection, and ultimately compromise targeted systems, the researchers said.

Last News

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Linux Variants of Bifrost Trojan Evade Detection via Typosquatting