Search
Close this search box.
A penguin mascot sits centrally within a red, rough-edged circle against a split background of blue and red. The speckled texture, along with faint, partial text characters, subtly hints at the world of cybersecurity and the DOD's vigilance against any potential threat.

VMware domain is imitated by new Bifrost malware for Linux to avoid detection.

Utilizing a deceptive domain that was made available as part of VMware, a new Linux version of the Bifrost remote access trojan (RAT ) employs a number of novel evasion strategies.

One of the longest-running RAT threats&nbsp is Bifrost, which was first discovered twenty years ago. It collects sensitive information from the host before infecting users with malicious email attachments or payload-dropping websites.

Researchers from Palo Alto Networks ‘ Unit 42 report finding a spike in Bitfrost activity recently, which led them to investigate a novel, more secretive variant.

104 new Bitfrost samples captured since October
Since October ( Unit 42 ), there have been 104 new Bitfrost samples collected.

New Bitfrost strategies

Unit 42 researchers ‘ analysis of the most recent Bitfrost samples has revealed a number of intriguing additions that increase the malware’s evasion and operational capabilities.

First, the “download” command and control ( C2 ) server that the malware connects to uses it. vmfare [. ] The” com” domain, which appears to be comparable to a legitimate VMware domain, makes it difficult to spot when inspected.

Contacting a Taiwan-based public DNS resolver makes tracing and blocking more difficult.

DNS query to resolve the C2 address
DNS query to resolve Unit 42’s C2 address.

Making its analysis more difficult, the malware’s binary is compiled in stripped form without any debugging data or symbol tables.

The victim’s hostname, IP address, and process IDs are collected by Bitfrost, which then sends it to the C2 via a newly created TCP socket using RC4 encryption to secure it before transmission.

Victim data collection
Unit 42: Victim data collection

An ARM version of Bitfrost, which has the same functionality as the x86 samples analyzed in Unit 42’s report, is another intriguing finding.

The development of those builds demonstrates that attackers intend to expand their scope of attack to ARM-based architectures, which are increasingly prevalent in various environments.

The findings made by the Unit 42 team call for increased vigilance even though Bitfrost may not rank highly as a highly sophisticated threat or one of the most widely distributed pieces of malware.

It is obvious that the RAT’s creators want to make it a more secretive threat that can target a wider range of system architectures.

Lean More About DoD Cybersecurity, Cyber Threats and Related Contents

Learn why IDShield offers the best security and value.

www.sentrypc.com

PureVPN - Best VPN and Your Trusted Partner for Internet Freedom

🔥BIG SAVINGS 82% Off PureVPN.🔥 Secure Your Online Privacy Now. LIMITED OFFER!

🔥 SAVE 82% OFF 🔥 on PureVPN! Limited Offer – Enhance Your Digital Security Today.
Click To View Offer on PureVPN Website

NordVPN - Your Passport to Unrestricted Freedom

Embrace Digital Freedom and Security with NordVPN.
🔥Up To 63% Off🔥

Start Today Your Journey to a Safer Internet Today!
Click To View Offer on NordVPN Website

Protect Your Data with DeleteMe the Go-To-Solution

DeleteMe is Your Guardian Against Identity Theft and Online Exposure!
🔥Take 20% Off - Click Here to View Code🔥
Malwarebytes Browser Guard filters out annoying ads and scams while blocking trackers that spy on you.
Malwarebytes for Home | Anti-Malware Premium | Free Trial Download
Try Ultahost - The best place to get secure, inexpensive shared web hosting services!
View deals and specials on Used Macs, Mac hardware, Mac accessories, and more. Shop now!

DoD Cybersecurity protecting your digital world one secure step at a time with DoD Cybersecurity Blogs.
DoDCybersecurityblogs.com | All Rights Reserved | Designed by Omar Solomon

Skip to content