Linux Variants of Bifrost Trojan Evade Detection via Typosquatting



Spike in new versions of an old Trojan — which mimic legitimate VMware domains — alarms security researchers.
March 7, 2024
A 20-year-old Trojan resurfaced recently with new variants that target Linux and impersonate a trusted vendor's domain to evade detection.
Researchers from Palo Alto Networks spotted a new Linux variant of the Bifrost (aka Bifrose) malware that uses a deceptive practice known as typosquatting to mimic a legitimate VMware domain, which allows the malware to fly under the radar. Bifrost is a remote access Trojan (RAT) that's been active since 2004 and gathers sensitive information, such as hostname and IP address, from a compromised system.
There has been a worrying spike in Bifrost Linux variants during the past few months: Palo Alto Networks has detected more than 100 instances of Bifrost samples, which "raises concerns among security experts and organizations," researchers Anmol Murya and Siddharth Sharma wrote in the company's newly published findings.
Moreover, there is evidence that cyberattackers aim to expand Bifrost's attack surface even further: the malicious IP address associated with the Linux variant also hosts an ARM version of Bifrost, they said.
"By providing an ARM version of the malware, attackers can expand their grasp, compromising devices that may not be compatible with x86-based malware," the researchers explained. "As ARM-based devices become more common, cybercriminals will likely change their tactics to include ARM-based malware, making their attacks stronger and able to reach more targets."
Attackers typically distribute Bifrost through email attachments or malicious websites, the researchers noted, though they didn't elaborate on the initial attack vector for the newly surfaced Linux variants.
Palo Alto researchers observed a sample of Bifrost hosted on a server at the IP address 45.91.82[.]127. Once installed on a victim's computer, Bifrost reaches out to a command-and-control (C2) domain with a deceptive name, download.vmfare[.]com, which appears similar to a legitimate VMware domain. The malware collects user data and sends it back to this server, encrypting it with RC4.
"The malware often adopts such deceptive domain names as C2 instead of IP addresses to evade detection and make it more difficult for researchers to trace the source of the malicious activity," the researchers wrote.
They also observed the malware trying to contact a Taiwan-based public DNS resolver with the IP address 168.95.1[.]1. The malware uses the resolver to initiate a DNS query to resolve the domain download.vmfare[.]com, a process that's crucial to ensure that Bifrost can successfully connect to its intended destination, according to the researchers.
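The two behaviours just described, a lookalike C2 domain and a DNS lookup sent to an external public resolver, are both visible in DNS telemetry. As an added example (not code from the article or from Palo Alto's report), the Python below scans DNS log lines for queries whose registrable domain sits within a small edit distance of a protected vendor domain, and for queries sent to resolvers the organisation does not operate. The log format, the protected-domain list and the approved-resolver list are assumptions, and the log lines are constructed.

```python
import re
from typing import Dict, List

# Constructed sample DNS log lines (not from the article). The lookalike
# domain and the 168.95.1.1 resolver are the indicators the report names.
SAMPLE_DNS_LOG = """\
2024-03-05T10:01:02Z src=10.0.0.14 resolver=10.0.0.2 query=www.vmware.com
2024-03-05T10:01:07Z src=10.0.0.14 resolver=168.95.1.1 query=download.vmfare.com
2024-03-05T10:01:09Z src=10.0.0.21 resolver=10.0.0.2 query=updates.example.org
2024-03-05T10:01:15Z src=10.0.0.33 resolver=10.0.0.2 query=vmwarre.com
"""

PROTECTED = {"vmware.com"}          # assumed list of domains to guard against lookalikes
APPROVED_RESOLVERS = {"10.0.0.2"}   # assumed: resolvers the organisation actually runs
LINE_RE = re.compile(r"src=(\S+) resolver=(\S+) query=(\S+)")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(fqdn: str) -> str:
    """Keep the last two labels; adequate for .com-style names used here."""
    return ".".join(fqdn.rstrip(".").lower().split(".")[-2:])


def analyse(log: str) -> List[Dict[str, str]]:
    """One finding per suspicious condition: lookalike domain or unapproved resolver."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, resolver, query = m.groups()
        reg = registrable(query)
        for good in PROTECTED:
            # Close to a protected name but not equal to it: likely a lookalike.
            if reg != good and levenshtein(reg, good) <= 2:
                findings.append({"src": src, "query": query, "reason": f"lookalike of {good}"})
        if resolver not in APPROVED_RESOLVERS:
            findings.append({"src": src, "query": query, "reason": f"unapproved resolver {resolver}"})
    return findings
```

Running `analyse(SAMPLE_DNS_LOG)` yields three findings: the vmfare.com query is flagged twice (lookalike and external resolver) and vmwarre.com once.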
Though it may be an old-timer when it comes to malware, the Bifrost RAT remains a significant and evolving threat to individuals and organizations alike, particularly with new variants adopting typosquatting to evade detection, the researchers said.
"Tracking and counteracting malware like Bifrost is crucial to safeguarding sensitive data and preserving the integrity of computer systems," they wrote. "This also helps minimize the likelihood of unauthorized access and subsequent harm."
In their post, the researchers shared a list of indicators of compromise, including malware samples and domain and IP addresses associated with the latest Bifrost Linux variants. The researchers advise that enterprises use next-generation firewall products and cloud-specific security services — including URL filtering, malware-prevention applications, and visibility and analytics — to secure cloud environments.
Ultimately, this infection process lets the malware bypass security measures, evade detection, and compromise targeted systems, the researchers said.
Elizabeth Montalbano, Contributing Writer

