Bifrost: An old Trojan uses new Tricks to Steal Your Identity

Teacher

One of the oldest RAT threats has become suspiciously active recently.

There is a new Linux version of the remote access Trojan Bifrost, which uses a number of new masking methods. One of the main tools is a fake domain, similar to a legitimate VMware one.

Bifrost, first discovered 20 years ago, is one of the oldest active RAT threats. It infects users through malicious email attachments or sites that distribute malicious content, and then collects confidential information from the infected computer.

Palo Alto Networks researchers recently recorded a sharp increase in Bifrost activity. An investigation was initiated, during which it turned out that now the attackers are using a pumped version of the malware.

New Bifrost Methods

The analysis of the latest Bifrost samples performed by Unit 42 analysts revealed several interesting updates that improve the Trojan's stealth and expand its capabilities.

First, the command and control server that the Trojan communicates with uses the domain "download.vmfare[.]com" - it resembles VMware. This makes it easy to evade detection.

To resolve the deceptive domain, the Trojan uses a Taiwanese public DNS resolver.

Bifrost collects the victim's hostname, IP address, and process IDs, then encrypts the data using RC4 before transmitting it, and exfiltrates it to the C2 server via a newly created TCP socket.

Another innovation highlighted in the report was the ARM version of Bifrost, which has the same features as the x86 samples analyzed.

The characteristics of these assemblies indicate that the attackers intend to expand the scope of their influence on ARM architectures, which are now actively distributed in various environments.

While Bifrost may not be among the most sophisticated threats or widespread malware, the discoveries made by the Unit 42 team require increased vigilance.
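The two stealth tricks described in the post (a brand-lookalike C2 domain such as "download.vmfare[.]com", and resolution of that domain through an external public resolver) are both visible in DNS query logs. The script below is an added detection sketch, not code from the post or from the Unit 42 report: it scans constructed DNS log lines, flags any queried name whose second-level label is within a small edit distance of a watched brand, and flags queries sent to a resolver outside an assumed corporate allowlist. The log format, the approved resolver `10.0.0.53`, and the external resolver `203.0.113.53` are all constructed stand-ins.

```python
"""Detection sketch for the two DNS-level signals in the Bifrost report:
  1. the queried name's registrable label is a near-miss of a watched brand
     (e.g. "vmfare" for "vmware"), and
  2. the query was sent to a resolver outside the approved corporate set.
"""
from dataclasses import dataclass, field

# Assumption: the organisation's only sanctioned resolver (constructed value).
APPROVED_RESOLVERS = {"10.0.0.53"}
# Brands whose lookalikes should be caught; "vmware" comes from the report.
WATCHED_BRANDS = {"vmware"}
# Maximum edit distance for a label to count as a lookalike.
MAX_DISTANCE = 2

# Constructed sample log: "<timestamp> <client> <resolver> <qtype> <qname>".
# 203.0.113.53 is a documentation-range stand-in for an external public resolver.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.1.2.3 10.0.0.53 A www.vmware.com
2024-03-01T10:00:02Z 10.1.2.3 10.0.0.53 A cdn.example.net
2024-03-01T10:00:05Z 10.1.2.9 203.0.113.53 A download.vmfare.com
2024-03-01T10:00:07Z 10.1.2.4 10.0.0.53 AAAA vmvare.net
"""


@dataclass
class Alert:
    client: str
    qname: str
    reasons: list = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_label(qname: str) -> str:
    """Second-level label of a name ("vmfare" for "download.vmfare.com").
    Assumption: single-label TLDs only; co.uk-style suffixes would need a
    public-suffix list."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_brand(qname: str):
    """Return the watched brand this name imitates, or None."""
    label = registrable_label(qname)
    for brand in WATCHED_BRANDS:
        if label != brand and levenshtein(label, brand) <= MAX_DISTANCE:
            return brand
    return None


def analyze(log_text: str) -> list:
    """Return one Alert per suspicious query, with the reasons it tripped."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash the scan
        _ts, client, resolver, _qtype, qname = fields
        reasons = []
        brand = lookalike_brand(qname)
        if brand:
            reasons.append(f"lookalike of {brand}")
        if resolver not in APPROVED_RESOLVERS:
            reasons.append(f"unapproved resolver {resolver}")
        if reasons:
            alerts.append(Alert(client, qname, reasons))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert.client, alert.qname, "; ".join(alert.reasons))
```

On the constructed log the legitimate `www.vmware.com` lookup via the approved resolver produces nothing, while the `download.vmfare.com` query trips both rules at once, which is the combination the report describes. A host that bypasses the corporate resolver is worth a look even when the name itself is unremarkable, so the two checks are deliberately reported separately.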