The Deceptive Tactics of the New Linux Bifrost RAT Variant

Mar 1, 2024 | News


In a recent discovery, cybersecurity experts have uncovered a new variant of the infamous Bifrost remote access trojan (RAT) tailored specifically for Linux systems. This sophisticated malware employs a series of innovative evasion techniques, including the utilization of a deceptive domain cleverly disguised to resemble a legitimate VMware entity.

Having plagued digital landscapes for two decades, Bifrost stands as one of the enduring threats in the realm of RATs. Typically disseminated through malicious email attachments or compromised websites, Bifrost infiltrates systems to pilfer sensitive data.

Researchers from Palo Alto Networks’ Unit 42 have noticed a surge in Bifrost’s activities, prompting an in-depth investigation that led to the revelation of this new, more elusive variant.

104 new Bifrost samples captured since October (Unit 42)


Enhanced Tactics of the New Bifrost Variant:

Upon scrutinizing the latest Bifrost samples, Unit 42 researchers have uncovered a series of noteworthy updates designed to bolster the malware’s operational efficiency and evade detection.

The malware establishes communication with a command and control (C2) server through the “download.vmfare[.]com” domain, a cunning ruse reminiscent of legitimate VMware domains, thus slipping under the radar of routine inspections. Moreover, the deceptive domain’s resolution involves a Taiwan-based public DNS resolver, further complicating tracing and blocking efforts.
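The two signals in this paragraph, a lookalike of a trusted vendor domain and a query sent to a resolver the organisation does not run, can both be checked against DNS query logs. The following is an added defensive example, not code from the article or from Unit 42; the log format, the internal-resolver allow-list, the brand list and the resolver address 203.0.113.53 are all assumptions made for the example.

```python
import re

# Constructed sample DNS query log (not from the Unit 42 report) in a simple
# "client -> resolver QNAME=name" format assumed for this example.
SAMPLE_DNS_LOG = """\
10.0.0.12 -> 10.0.0.1 QNAME=download.vmware.com
10.0.0.12 -> 10.0.0.1 QNAME=updates.ubuntu.com
10.0.0.31 -> 203.0.113.53 QNAME=download.vmfare.com
10.0.0.31 -> 10.0.0.1 QNAME=vmvvare.com
"""
# Assumed for this example: the resolvers the organisation runs itself, and the
# brand domains to protect. 203.0.113.53 is a documentation-range placeholder
# standing in for an external public resolver, not a real indicator.
INTERNAL_RESOLVERS = {"10.0.0.1"}
BRAND_DOMAINS = {"vmware.com"}
MAX_EDIT_DISTANCE = 2
LOG_RE = re.compile(r"^(?P<client>\S+) -> (?P<resolver>\S+) QNAME=(?P<qname>\S+)$")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(qname: str) -> str:
    # Last two labels; a production version would consult the public suffix list.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def analyse_dns_log(log: str) -> list[tuple[str, str, str]]:
    """Return (client, qname, reason) for lookalikes of a brand domain and for
    queries sent to a resolver outside the internal allow-list."""
    findings = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, resolver, qname = m.group("client", "resolver", "qname")
        reg = registered_domain(qname)
        for brand in BRAND_DOMAINS:
            if reg != brand and edit_distance(reg, brand) <= MAX_EDIT_DISTANCE:
                findings.append((client, qname, f"lookalike of {brand}"))
        if resolver not in INTERNAL_RESOLVERS:
            findings.append((client, qname, f"external resolver {resolver}"))
    return findings
```

Running `analyse_dns_log(SAMPLE_DNS_LOG)` flags the vmfare lookalike twice (once for the name, once for the external resolver) and the second lookalike once, while the genuine vmware.com query passes.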

DNS query to resolve the C2 address (Unit 42)

From a technical standpoint, the malware’s binary is compiled in a stripped form devoid of debugging information or symbol tables, rendering analysis more challenging.

Bifrost covertly harvests crucial system information including the victim’s hostname, IP address, and process IDs, encrypting the data with RC4 encryption before transmitting it to the C2 via a newly established TCP socket.

Victim data collection (Unit 42)

Additionally, Unit 42’s report sheds light on an ARM version of Bifrost, mirroring the functionality of the x86 samples analyzed. This development underscores the attackers’ intentions to broaden their scope, targeting ARM-based architectures increasingly prevalent across various environments.

While Bifrost may not be hailed as a pinnacle of sophistication or ubiquity in the malware landscape, the revelations by the Unit 42 team underscore the imperative for heightened vigilance. The developers behind this RAT evidently seek to refine it into a more covert threat capable of targeting a diverse array of system architectures, necessitating proactive defense measures.

Source: bleepingcomputer.com
