
New Linux BIFROSE RAT Variant Using Deceptive VMware Domain Detected

Cybersecurity researchers have discovered a new variant of a long-standing remote access trojan (RAT) called BIFROSE (aka Bifrost). This latest variant contacts a deceptive domain that mimics VMware, making it harder to spot in network traffic. Palo Alto Networks Unit 42 researchers Anmol Maurya and Siddharth Sharma have warned that this version of Bifrost is designed to bypass security measures and compromise targeted systems.

BIFROSE has been active since 2004 and has been a significant threat, with reports of it being sold in underground forums for up to $10,000. The malware has been used by a state-backed hacking group from China known as BlackTech, which has a history of targeting organizations in Japan, Taiwan, and the U.S.

It is suspected that the threat actor purchased or gained access to the source code around 2010, repurposing the malware for use in its campaigns via custom backdoors like KIVARS and XBOW. Linux variants of BIFROSE (aka ELF_BIFROSE) have been observed since at least 2020 with capabilities to launch remote shells, download/upload files, and perform file operations.

The latest variant is noteworthy because it reaches out to a command-and-control (C2) server with the name "download.vmfare[.]com" in an attempt to masquerade as VMware (note the transposed letters in "vmfare"). Rather than using the victim's configured DNS, the malware resolves the deceptive domain by contacting a Taiwan-based public DNS resolver at the IP address 168.95.1[.]1 directly, which also sidesteps any filtering applied by the organization's own resolvers.
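Both tradecraft details above (a lookalike of a trusted vendor domain, and resolution through an external public resolver instead of the corporate one) are detectable from DNS telemetry. The following is an added example, not code from Unit 42 or from the original article, showing one way to flag both behaviours over DNS query logs. The log format (timestamp, client IP, resolver IP, queried name), the corporate resolver addresses, and the sample lines are all constructed for the example; it generalizes beyond the vmfare case by scoring any queried name within a small edit distance of a brand domain, and by flagging brand keywords inside unrelated registrable domains.

```python
import re
from typing import Dict, List, Optional

# Hypothetical corporate resolvers; any other resolver means the client bypassed internal DNS.
CORPORATE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Brand domains whose lookalikes we care about (vmware.com, as in the report).
BRAND_DOMAINS = {"vmware.com"}

# Constructed sample log lines ("ts client resolver qname"); not real telemetry.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.5.21 10.0.0.53 updates.vmware.com
2024-03-01T10:00:07Z 10.0.5.21 10.0.0.53 www.example.org
2024-03-01T10:02:13Z 10.0.5.44 168.95.1.1 download.vmfare.com
2024-03-01T10:03:40Z 10.0.5.44 168.95.1.1 pool.ntp.org
2024-03-01T10:05:02Z 10.0.5.9 10.0.1.53 vmware-support.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(qname: str) -> str:
    """Last two labels of the name. Simplification: a production version
    should consult the Public Suffix List to handle names like example.co.uk."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(domain: str, max_distance: int = 2) -> Optional[str]:
    """Return the brand domain this registrable domain impersonates, if any.
    An exact match is the legitimate brand and is never flagged."""
    for brand in BRAND_DOMAINS:
        if domain != brand and levenshtein(domain, brand) <= max_distance:
            return brand
    return None


def brand_keyword_in(domain: str) -> Optional[str]:
    """Brand's second-level label (e.g. 'vmware') embedded in an unrelated registrable domain."""
    for brand in BRAND_DOMAINS:
        keyword = brand.split(".")[0]
        if domain != brand and keyword in domain:
            return brand
    return None


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Scan DNS query log lines and return one finding per suspicious query."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        ts, client, resolver, qname = m.groups()
        reasons = []
        if resolver not in CORPORATE_RESOLVERS:
            reasons.append(f"bypassed corporate DNS via {resolver}")
        domain = registrable_domain(qname)
        brand = lookalike_of(domain)
        if brand:
            reasons.append(f"lookalike of {brand}")
        keyword_brand = brand_keyword_in(domain)
        if keyword_brand:
            reasons.append(f"brand keyword of {keyword_brand} in unrelated domain")
        if reasons:
            findings.append({"ts": ts, "client": client, "qname": qname, "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['client']} {finding['qname']}: {finding['reasons']}")
```

Run against the constructed sample, the scan flags download.vmfare.com on both counts (external resolver plus a one-character edit from vmware.com), pool.ntp.org only for the resolver bypass, and vmware-support.net only for the embedded brand keyword; the legitimate updates.vmware.com query through corporate DNS produces nothing. The resolver-bypass rule is the stronger signal in a managed network, since a host that never talks to 168.95.1.1 legitimately has no reason to start.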

Unit 42 has observed a surge in Bifrost activity since October 2023, identifying over 100 artifacts in its telemetry. The researchers further discovered an ARM version of the malware, indicating that the threat actors are likely looking to expand their attack surface beyond x86 Linux hosts.

Attackers typically distribute Bifrost through email attachments or malicious websites. Once installed on a victim's computer, Bifrost allows the attacker to gather sensitive information such as the victim's hostname and IP address. The malware has also been observed being distributed via VBS scripts as part of a multi-stage payload delivery.

The development comes as McAfee Labs revealed a new GuLoader campaign that propagates the malware through malicious SVG file attachments in email messages. The Bifrost and GuLoader activity also coincides with the release of a new version of the Warzone RAT, which recently had two of its operators arrested and its infrastructure dismantled by the U.S. government, underscoring that RAT operations continue even after law enforcement takedowns.

Deitasoft © 2024. All Rights Reserved.