Bifrost RAT Now Equipped with a Linux Variant

Researchers from Palo Alto Networks’ Unit 42 have uncovered a new variant of the long-standing Bifrost remote access trojan (RAT) specifically targeting Linux systems. This latest iteration of Bifrost introduces several innovative evasion techniques, posing a significant challenge to detection and mitigation efforts.

Bifrost Malware Overview

First detected two decades ago, Bifrost has maintained its presence as a persistent threat, infiltrating systems through malicious email attachments or payload-dropping sites. Once installed, Bifrost stealthily collects sensitive information from the infected host, presenting a formidable risk to organizations and individuals alike.

Recent observations by Unit 42 researchers have revealed a surge in Bifrost’s activity, prompting a detailed investigation into the malware’s latest tactics. Among the key findings is the utilization of a deceptive domain, “download.vmfare[.]com,” cleverly crafted to resemble a legitimate VMware domain.

This tactic aims to evade detection by blending into the background noise of legitimate network traffic, making it harder for security professionals to identify and block malicious communications.
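One way a defender can surface lookalikes of this kind in DNS or proxy logs is to compare each queried domain's label against the brands worth protecting and flag near misses. The sketch below is an added example, not code from Unit 42 or from this article; the protected-brand list, the distance threshold, and every sample query except the domain quoted above are constructed assumptions.

```python
# Added example: flag queried domains whose second-level label is a near miss
# of a protected brand (e.g. "vmfare" vs "vmware").

PROTECTED = {"vmware"}  # assumption: brand labels chosen by the defender


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def brand_label(fqdn: str) -> str:
    """Return the second-level label, accepting defanged '[.]' notation.
    Simplification: assumes a single-label TLD (no public-suffix list)."""
    parts = fqdn.lower().replace("[.]", ".").rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalikes(queries, max_distance=1):
    """Return (query, brand, distance) for labels close to, but not equal to, a brand."""
    hits = []
    for query in queries:
        label = brand_label(query)
        for brand in sorted(PROTECTED):
            distance = edit_distance(label, brand)
            if 0 < distance <= max_distance:  # distance 0 is the real brand
                hits.append((query, brand, distance))
    return hits


# Constructed sample of queried names; only the vmfare domain comes from the article.
SAMPLE_QUERIES = [
    "docs.vmware.com",
    "download.vmfare[.]com",
    "mail.example.org",
]

if __name__ == "__main__":
    for query, brand, distance in lookalikes(SAMPLE_QUERIES):
        print(f"{query}: resembles '{brand}' (edit distance {distance})")
```

A threshold of 1 keeps false positives low on short labels; raising it catches more variants at the cost of flagging unrelated domains.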

Moreover, the RAT employs stripped binaries devoid of debugging information or symbol tables, complicating analysis efforts and enhancing its stealth capabilities. Bifrost also employs RC4 encryption to secure collected victim data before transmitting it to its command and control (C2) server via a newly created TCP socket, further obfuscating its malicious activities.

Unit 42 researchers have also uncovered an ARM version of the malware, indicating a strategic shift by threat actors towards targeting ARM-based architectures. As ARM-based systems become increasingly prevalent across various environments, this expansion of targeting scope underscores the adaptability and persistence of the threat actors behind Bifrost.

While Bifrost may not be classified as a highly sophisticated threat, the recent discoveries by Unit 42 highlight the ongoing efforts by its developers to enhance its stealth and versatility.

Milena Dimitrova
