Bifrose, also known as Bifrost, Backdoor:Win32/Bifrose and Backdoor.Bifrose, is a Trojan with backdoor capabilities first discovered in 2004. Recently, researchers at Trend Micro detected a new cyber-espionage campaign run by a resourceful and well-organized criminal group, targeting enterprises connected to governments in Asia.
The group is suspected to have been active since 2010. The operation has been named after a mutex found in a backdoor developed by the group.
Shrouded Crossbow is an operation run by well-resourced cybercriminals with enough manpower and money to buy and improve the source code of a range of malicious tools. As you may have guessed already, one of the backdoors the group acquired and actively uses is Bifrose. Unfortunately, Bifrose is not the only backdoor in the attackers' hands.
A Short History of Bifrose Backdoor Attacks
As multiple security vendors have pointed out, the Bifrose backdoor has been around for many years and is easily accessible on underground forums.
Let’s go back a little. In 2014, Trend Micro investigated a targeted attack against a device manufacturer. That is when they discovered that a variant of the well-known Bifrose backdoor had resurfaced. This particular variant was detected as BKDR_BIFROSE.ZTBG-A.
Let’s go back a little more. Another past incident, in 2010, was a spam campaign titled ‘Here you have’. The campaign targeted human resources employees in government offices, including NATO. The case was quite similar to modern APT (advanced persistent threat) attacks.
Considering the nature of the victims, all somehow connected to governments and governmental organizations, the targeting points to a single cybercriminal group.
Kivars and Xbow in the Shrouded Crossbow Operation
In the past, Bifrose was sold for up to $10,000. It is notable that, despite Bifrose’s well-known and easily recognized network traffic, the group could still use it effectively in its operations.
However, Bifrose is not the only backdoor revived by the group. Another malicious threat taking part in the Shrouded Crossbow operation is Kivars. It’s important to note that Kivars and Bifrose share a similar format of the messages sent back to the attackers.
Kivars may be less elaborate than Bifrose, but it is still an important backdoor asset for the group. Moreover, a 64-bit version of Kivars appeared in 2013, in step with the growing adoption of 64-bit systems.
Surprisingly or not, the research team at Trend Micro suspects that Kivars is in fact an updated and much improved Bifrose:
What we think happened is that the group purchased the source code of BIFROSE, and after improving its functions, the group then designed a new installation flow, developed a new builder to create unique loader-backdoor pairs, and made more simple and concise backdoor capabilities, resulting in a new backdoor—KIVARS. This could mean that the operation is either backed financially by its sponsors or the group has the funds and resources to improve on an existing backdoor.
There’s more. Analysis of another ‘home-made’ backdoor, Xbow, indicates that it is the third piece of the current Shrouded Crossbow operation. Its development is traced back to 2010, and its authors were visibly inspired by Bifrose and Kivars: the three backdoors share strikingly similar ‘Recent’, ‘Desktop’ and ‘Program’ folder paths.
Further evidence: in mid-2011, several Xbow variants gained a ‘Find Passwords’ option, a component also present in Bifrose.
Who’s behind the Shrouded Crossbow Operation?
Based on extensive analysis of the gathered data, researchers at Trend Micro have reached an interesting conclusion: at least 10 threat actors are responsible for building and spreading Xbow.
One small group may be in charge of tool development, while another team handles infiltration and gaining an initial foothold in targeted networks.
Spear phishing has been used, as well as spam campaigns spreading malicious attachments. The attached files are either .rar archives or .exe files posing as documents from government entities but in fact containing fake information.
One more logical assumption is that a third group controls the command and control (C&C) servers. More than 100 C&C servers have been used in the Shrouded Crossbow operation, some of them registered through free dynamic DNS services. Researchers have observed that C&C maintenance, such as IP changes and renewal of expired domains, happens in an organized manner. The worst part? New domains were still being registered at the time of writing.
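Two of the infrastructure traits described above, C&C hosts under free dynamic-DNS providers and hosts whose resolved IP changes over time, are things a defender can look for in their own DNS resolution logs. The following is an added example written for this page, not Trend Micro's tooling or any indicator from the Shrouded Crossbow report. The dynamic-DNS suffix list is illustrative and would in practice come from your own threat-intel feeds, and the log lines are constructed in a simple four-column format (timestamp, client, queried name, answer) to keep the parser short.

```python
"""Triage DNS resolution logs for two C&C traits: names under free
dynamic-DNS zones and names whose resolved address changes over time.
Added example; the provider list and log lines below are illustrative."""
import re
from collections import defaultdict

# Assumption: illustrative parent zones of free dynamic-DNS services.
# A real deployment would maintain this list from its own intel sources.
DYNAMIC_DNS_SUFFIXES = (
    "no-ip.org", "no-ip.biz", "ddns.net", "dyndns.org",
    "hopto.org", "zapto.org", "myftp.biz", "serveftp.com",
)

# Constructed sample log: "<timestamp> <client> <qname> <answer>" per line.
SAMPLE_LOG = """\
2015-11-20T08:01:02Z 10.0.5.23 update.example-corp.com 203.0.113.10
2015-11-20T08:03:45Z 10.0.5.23 gov-report.hopto.org 198.51.100.7
2015-11-20T09:12:01Z 10.0.5.41 gov-report.hopto.org 198.51.100.7
2015-11-20T13:40:19Z 10.0.5.23 gov-report.hopto.org 192.0.2.88
2015-11-20T14:02:33Z 10.0.5.77 mail.example-corp.com 203.0.113.25
2015-11-20T16:55:10Z 10.0.5.41 cdn-static.ddns.net 192.0.2.17
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse log text into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, answer = m.groups()
        records.append({
            "ts": ts,
            "client": client,
            "qname": qname.lower().rstrip("."),
            "answer": answer,
        })
    return records


def is_dynamic_dns(qname):
    """True if qname is, or is a subdomain of, a known dynamic-DNS zone."""
    for suffix in DYNAMIC_DNS_SUFFIXES:
        if qname == suffix or qname.endswith("." + suffix):
            return True
    return False


def triage(records):
    """Group resolutions by name and flag the two C&C traits.

    Returns {qname: {"reasons": [...], "clients": [...], "answers": [...]}}
    containing only the names that triggered at least one reason.
    """
    answers = defaultdict(set)
    clients = defaultdict(set)
    for r in records:
        answers[r["qname"]].add(r["answer"])
        clients[r["qname"]].add(r["client"])

    findings = {}
    for qname in answers:
        reasons = []
        if is_dynamic_dns(qname):
            reasons.append("dynamic-dns")
        if len(answers[qname]) > 1:
            # The name resolved to more than one address in the window.
            reasons.append("ip-change:%d" % len(answers[qname]))
        if reasons:
            findings[qname] = {
                "reasons": reasons,
                "clients": sorted(clients[qname]),
                "answers": sorted(answers[qname]),
            }
    return findings


if __name__ == "__main__":
    for name, info in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(name, info["reasons"], "clients:", ", ".join(info["clients"]))
```

On the sample log this flags gov-report.hopto.org (dynamic DNS and two different answers, queried from two internal clients) and cdn-static.ddns.net (dynamic DNS only), while the corporate names pass. Note that an IP change on its own is noisy in real traffic, since CDNs and round-robin records change addresses legitimately; it is the combination with a dynamic-DNS zone, or with a name that several internal hosts start querying at once, that is worth an analyst's time.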
How to protect your enterprise against the malicious actors?
Security vendors believe that very few organizations are adequately protected against well-funded and organized groups such as the one behind Bifrose, Kivars and Xbow. Trend Micro’s Deep Discovery platform is one way to improve an enterprise’s protection; it enables IT admins to detect, analyze and respond to such advanced attacks.
In addition, make sure to educate your employees. The following steps are also highly recommended: