Researchers have identified a new variant of the Linux remote access trojan (RAT) known as BIFROSE. The variant stands out for its use of a deceptive command-and-control domain that closely resembles one belonging to VMware, the virtualization vendor.
The finding comes from Anmol Maurya and Siddharth Sharma of Palo Alto Networks Unit 42, and illustrates how operators keep adjusting their tactics to evade detection and compromise targeted systems.
BIFROSE isn’t a newcomer to the scene. Originating back in 2004, this notorious threat has persisted over the years, exchanging hands in underground forums for substantial sums, sometimes fetching up to $10,000, as reported by Trend Micro in December 2015.
Attributed to the BlackTech hacking group, which has affiliations with state-backed entities in China, BIFROSE has a history of targeting organizations across Japan, Taiwan, and the United States. It’s believed that the group gained access to BIFROSE’s source code around 2010 and has since repurposed it for its nefarious campaigns, employing custom backdoors like KIVARS and XBOW.
Linux variants of BIFROSE, also tracked as ELF_BIFROSE, have been in circulation since at least 2020 and can execute remote commands, transfer files, and manipulate the file system. BIFROSE is typically delivered through email attachments or malicious websites; once running, it collects host details such as the hostname and IP address and reports them to its operators.
What sets this latest variant apart is its use of a deceptive domain, "download.vmfare[.]com", that mimics VMware's infrastructure so that its command-and-control traffic looks like routine software-update activity. Notably, the sample resolves this domain by querying a Taiwan-based public DNS resolver at 168.95.1[.]1 directly. Because such queries bypass the organization's own resolvers, they may never appear in internal DNS logs; outbound DNS to a resolver the organization does not operate is therefore a detection signal in its own right, independent of the domain being queried.
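The two signals described above (a lookalike of a trusted brand, and DNS sent to an unapproved external resolver) can be checked with a short piece of detection logic. The following is an added example written for this page, not code from Unit 42 or from the BIFROSE report; the log format, the brand watchlist, the approved-resolver set and the sample log lines are all assumptions constructed for the example.

```python
"""Flag DNS queries that typosquat a watched brand or that go to a resolver
the organisation does not operate. Added example; everything below that is
not the public IOC (download.vmfare.com, 168.95.1.1) is an assumption."""

from dataclasses import dataclass, field
from typing import List, Optional

# Assumed watchlist of brands the organisation cares about.
BRANDS = ("vmware", "microsoft", "okta")
# Assumed corporate resolver; DNS sent anywhere else is suspicious egress.
APPROVED_RESOLVERS = {"10.0.0.53"}
# One edit catches vmfare/vmware; raising this adds noise for short brand names.
MAX_DISTANCE = 1


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(fqdn: str) -> str:
    """Label left of the TLD ("download.vmfare.com" -> "vmfare").
    Simplification: no public-suffix list, so "x.co.uk" yields "co"."""
    labels = fqdn.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def typosquat_of(fqdn: str) -> Optional[str]:
    """Return the brand this name is a near-miss of, or None. Exact matches
    (distance 0) are the real brand and are not flagged."""
    label = registrable_label(fqdn)
    for brand in BRANDS:
        if 0 < edit_distance(label, brand) <= MAX_DISTANCE:
            return brand
    return None


@dataclass
class Finding:
    ts: str
    client: str
    resolver: str
    query: str
    reasons: List[str] = field(default_factory=list)


def analyze_line(line: str) -> Optional[Finding]:
    """Assumed log format: '<timestamp> <client ip> <resolver ip> <queried name>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, resolver, query = parts
    reasons = []
    brand = typosquat_of(query)
    if brand:
        reasons.append(f"typosquat:{brand}")
    if resolver not in APPROVED_RESOLVERS:
        reasons.append(f"unapproved-resolver:{resolver}")
    return Finding(ts, client, resolver, query, reasons) if reasons else None


def analyze(lines) -> List[Finding]:
    return [f for f in (analyze_line(line) for line in lines) if f]


# Constructed sample log; only the second line reproduces the published IOCs.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.1.2.3 10.0.0.53 www.vmware.com
2024-03-01T10:00:05Z 10.1.2.3 168.95.1.1 download.vmfare.com
2024-03-01T10:00:09Z 10.1.2.4 10.0.0.53 mail.example.org
2024-03-01T10:00:12Z 10.1.2.5 10.0.0.53 cdn.vmwar3.net
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f.ts, f.client, f.query, ", ".join(f.reasons))
```

Run against the sample, the `download.vmfare.com` line is flagged on both counts, `cdn.vmwar3.net` only as a typosquat, and the genuine `www.vmware.com` lookup is left alone. In production the resolver check is the more robust of the two: a lookalike domain can be rotated at will, but a host that bypasses the corporate resolver to talk to an external DNS server is abnormal regardless of what it asks for, and that behaviour is easier to enforce at the network edge than to enumerate in a watchlist.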
Unit 42's telemetry shows a rise in BIFROSE activity since October 2023, with more than 104 artifacts identified, among them an Arm build of the malware. The Arm build suggests the operators are extending their reach beyond x86 servers to other Linux hardware.
“With the emergence of new variants employing deceptive domain strategies like typosquatting, the recent uptick in BIFROSE activity underscores the inherent dangers posed by this malware,” affirm the researchers.
In parallel, McAfee Labs has documented a GuLoader campaign that uses malicious SVG file attachments in email to deliver the malware. GuLoader has also been observed being distributed via VBS scripts as part of a multi-stage payload delivery chain.
Trustwave SpiderLabs likewise noted that the recent surge in GuLoader activity reflects the family's continual refinement of its evasion tactics and its push for broader reach.
Interestingly, these developments unfold amidst the backdrop of a crackdown on cybercriminal operations. The recent dismantling of infrastructure and arrests of operators associated with the Warzone RAT by the U.S. government reflect concerted efforts to mitigate the pervasive threat posed by malware.
The new BIFROSE variant is a reminder that established malware families keep evolving; monitoring for lookalike domains and for DNS traffic that bypasses organizational resolvers remains a practical first line of defense.