Home > Cyber News > Bifrose, APT Backdoors in the Hands of Shrouded Crossbow Group

Bifrose, APT Backdoors in the Hands of Shrouded Crossbow Group

remote-access-trojan-sensorstechforumBifrose, also known as Bifrost, Backdoor:Win32/Bifrose and Backdoor.Bifrose, is a Trojan with backdoor capabilities first discovered in 2004. Just recently, researchers at TrendMicro have detected a new cyber-espionage attack set by a resourceful and well organized criminal group, which targets enterprises related to governments in Asia.

The group is suspected to have been active since 2010. The operation in question has been named after a mutex in a backdoor developed by the group.

Shrouded Crossbow is an operation administered by well-fed cyber criminals with enough human and financial resources to buy and improve the source code of a range of malicious tools. As you may have guessed already, one of the backdoors obtained and actively used by the group is Bifrose. Unfortunately, Bifrose is not the only backdoor in the hands of the attackers.

Other Notable Backdoors:
Duuzer, Brambul and Joanap

Bifrose Backdoor Short History of Attacks

As pointed out by multiple security vendors, the Bifrose backdoor has been around for many years, easily accessible on underground forums.

Let’s go back a little. In 2014, TrendMicro investigated a targeted attack against a device manufacturer. This is when they discovered that a variant of the well-known Bifrose backdoor has re-surfaced the malware horizon. This particular variant was identified and detected as BKDR_BIFROSE.ZTBG-A.

Let’s go back a little more. Another past incident, in 2010, included a spam campaign titled ‘Here you have’. The campaign targeted human resource employees in government offices, including NATO. The case was quite similar to modern APT (advanced persistent threat) attacks.

Taking into consideration the nature of the targeted victims – all somehow connected to governments and governmental organizations – it’s apparent that one cybercriminal group is to blame.

Kivars and Xbow in the Shrouded Crossbow Operation

In the past, Bifrose was sold for up to $10,000. It’s quite amusing that despite Bifrose’s well-known network traffic, the group could still use it sufficiently in their operations.

However, Bifrose is not the only backdoor revived by the group. Another malicious threat taking part in the Shrouded Crossbow operation is Kivars. It’s important to note that Kivars and Bifrose share a similar format of the messages sent back to the attackers.

Kivars may not be as sophisticated as Bifrose but it is still an important backdoor asset for the group. Moreover, in 2013, Kivars began promoting an upgraded 64-bit version, in tune with the popularization of 64-bit systems.

Surprisingly or not, the research team at Trend Micro has shared suspicions that Kivars is in fact an updated and much improved Bifrose:

What we think happened is that the group purchased the source code of BIFROSE, and after improving its functions, the group then designed a new installation flow, developed a new builder to create unique loader-backdoor pairs, and made more simple and concise backdoor capabilities, resulting in a new backdoor—KIVARS. This could mean that the operation is either backed financially by its sponsors or the group has the funds and resources to improve on an existing backdoor.

There’s more. An investigation on another ‘home made’ backdoor – Xbow – indicates that it is the third piece in the current Shrouded Crossbow operation. Its development is traced back to 2010, when the malicious coders were visibly inspired by Bifrose and Kivars. There are striking similarities in the ‘Recent’, ‘Desktop’ and ‘Program’ folder paths in the three backdoors.

Another proof: in the middle of 2011, several Xbow variants had a ‘Find Passwords’ option, a component also available in Bifrose.

Who’s behind the Shrouded Crossbow Operation?

Based on vast analysis on gathered data, researchers at TrendMicro have made quite an interesting conclusion. At least 10 threat actors are responsible for building and spreading Xbow.

One small group may have been in charge of the tool development process. Another team may be in charge of infiltration and successful point of entry in targeted networks.

Spear phishing has been used, as well as spam email campaigns spreading malicious attachments. Such attached files are either .rar or .exe, masqueraded as governmental entities but in fact containing fake information.

One more logical assumption is that a third group is in control of the command & control servers. More than 100 command & control servers have been used in the Shrouded Crossbow operation, some of them registered via free dynamic DNS. Researchers have observed that the C&C support activities like IP changes and renewal of expired domains happen in an organized manner. The worst part? New domains are being registered as we speak.

How to protect your enterprise against the malicious actors?

Security vendors believe that a very small number of organizations have sufficient protection against well-funded and organized groups such as the one behind Bifrose, Kivars and Xbow. TrendMicro’s Deep Discovery platform is one way to improve the protection of an enterprise. The platform enables IT admins to detect, analyze and respond to such advanced attacks.

In addition, make sure to educate your employees. The employment of the following steps is also highly recommended:

  • Preparation. Enterprises should educate their employees and IT personnel of the importance of updated security measures and train them to respond to computer and network security incidents in a swift and adequate manner.
  • Identification. The response team is signaled whenever a possible breach takes place, and should decide whether it is a security incident or something else. The team is often advised to contact the CERT Coordination Center, which tracks and records Internet security activities and collects the most recent information on malicious threats.
  • Containment. The response team decides on the severity and span of the issue. Disconnecting all affected systems and devices to prevent further damage is also applied.
  • Eradication. The response team proceeds with the investigation to disclose the origin of the attack. The root cause of the problem and all malicious code leftovers are eradicated.
  • Recovery. Data and software are restored from clean backup files, making sure that no vulnerabilities are left. Systems are monitored for any sign of proneness to a flaw.
  • Lessons learned. The response team analyzes the attack and the way it was dealt with, and prepares recommendations for better future response and for the sake of incident prevention.
  • Milena Dimitrova

    An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

    More Posts

    Follow Me:

    Leave a Comment

    Your email address will not be published. Required fields are marked *

    Share on Facebook Share
    Share on Twitter Tweet
    Share on Google Plus Share
    Share on Linkedin Share
    Share on Digg Share
    Share on Reddit Share
    Share on Stumbleupon Share