Linux Variants of Bifrost Trojan Evade Detection via Typosquatting (darkreading.com)
"A 20-year-old Trojan resurfaced recently," reports Dark Reading, "with new variants that target Linux and impersonate a trusted hosted domain to evade detection."
Researchers from Palo Alto Networks spotted a new Linux variant of the Bifrost (aka Bifrose) malware that uses a deceptive practice known as typosquatting to mimic a legitimate VMware domain, which allows the malware to fly under the radar. Bifrost is a remote access Trojan (RAT) that's been active since 2004 and gathers sensitive information, such as hostname and IP address, from a compromised system.
There has been a worrying spike in Bifrost Linux variants during the past few months: Palo Alto Networks has detected more than 100 instances of Bifrost samples, which "raises concerns among security experts and organizations," researchers Anmol Murya and Siddharth Sharma wrote in the company's newly published findings.
Moreover, there is evidence that cyberattackers aim to expand Bifrost's attack surface even further, using a malicious IP address associated with a Linux variant hosting an ARM version of Bifrost as well, they said... "As ARM-based devices become more common, cybercriminals will likely change their tactics to include ARM-based malware, making their attacks stronger and able to reach more targets."
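As an added, defender-side example (not code from the article, Palo Alto Networks, or any commenter), here is a small Python check that flags DNS queries whose registrable domain is an edit-distance near miss of a trusted brand domain, run over a few constructed dnsmasq-style log lines that include the lookalike name quoted in the story; the log format, the trusted list and the distance threshold are assumptions.

```python
import re

# Trusted brand domains whose lookalikes we want to catch (assumed list; the
# page's example is vmware.com being mimicked by vmfare.com).
TRUSTED = ["vmware.com"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(fqdn: str) -> str:
    """Last two labels; good enough for .com-style names (no public-suffix list here)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def lookalike(fqdn: str, max_distance: int = 2):
    """Return (trusted_domain, distance) when the registrable part of fqdn is a
    near miss of a trusted domain under the same TLD, else None."""
    reg = registrable(fqdn)
    if reg in TRUSTED:
        return None  # exact match: the real brand domain
    label, tld = reg.split(".")[0], reg.split(".")[-1]
    for t in TRUSTED:
        t_label, t_tld = t.split(".")[0], t.split(".")[-1]
        d = levenshtein(label, t_label)
        if tld == t_tld and d <= max_distance:
            return (t, d)
    return None

# Assumed dnsmasq-style query line: "... query[A] <name> from <client>"
LOG_RE = re.compile(r"query\[A\] (\S+) from (\S+)")

def scan_dns_log(lines):
    """Return (client, queried name, trusted domain, distance) for suspicious queries."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and (res := lookalike(m.group(1))):
            hits.append((m.group(2), m.group(1), res[0], res[1]))
    return hits

# Constructed sample log: one benign brand query, one unrelated name, one lookalike.
SAMPLE_LOG = """Mar  1 10:00:01 gw dnsmasq[412]: query[A] packages.vmware.com from 10.0.0.7
Mar  1 10:00:02 gw dnsmasq[412]: query[A] www.example.com from 10.0.0.9
Mar  1 10:00:03 gw dnsmasq[412]: query[A] download.vmfare.com from 10.0.0.5"""
```

Run `scan_dns_log(SAMPLE_LOG.splitlines())` to see only the vmfare.com query reported, with its distance of 1 from vmware.com.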
Re: (Score:1)
"appears similar to a legitimate VMware domain" ... if you're really stupid.
If I see "vmfare.com" it would never occur to me to associate it with VMware.
Re: (Score:2)
Also, how does this get into a firewall whitelist? Stupid admin saw it blocked and decided to open it?
Well, Linux is only secure if you know what you are doing. Nitwit Windows admins who thought they could make it with Linux will still mess it up.
Re: But. but. but. but... (Score:2)
Linux was supposed to be perfectly secure?
Nobody ever claimed that. That's like talking about unsinkable ships.
Linux came to prominence in the era of Windows 9x, with everyone running everything as system administrator. You talking about things like it's the 90s doesn't make you sound edgy.
Zealots
Yes, that's what you sound like.
Post Flash (Score:3, Informative)
Sensitive Information? (Score:4, Insightful)
In what world are hostnames and IP addresses considered sensitive?
Re: Sensitive Information? (Score:2)
Re: (Score:2)
Well, when you are stupid and have no clue about IT security, you may come to think these are sensitive.
Punycode (Score:2)
Hostname and IP address (Score:3)
Trojan (RAT) that's been active since 2004 and gathers sensitive information, such as hostname and IP address, from a compromised system.
Oh no! Not my hostname and IP address! Those are the most secret, sensitive and confidential information I keep on my machines!
Re: (Score:2)
But without it, I'd have to make a GUI with Visual Basic to track you down!
So... (Score:3, Insightful)
How do we protect ourselves against the attacks?
Is there a tool to scan for and remove these trojans?
"Hey there are hackers after you specifically because of LINUX" but nothing on who, where, what and how to protect ourselves - so thanks for the paranoia?
Pretty terrible journalism if you ask me...
Re: (Score:2)
How do we protect ourselves against the attacks?
According to the source, "Attackers typically distribute Bifrost through email attachments or malicious websites".
This means:
* Don't execute email attachments.
* Don't download programs/packages from shady sites.
This seems like a low-energy effort to infect machines.
Re: (Score:3)
The typical go-to solution to detect trojans and rootkits would be chkrootkit [chkrootkit.org], but for some reason it does not list this specific trojan. I would assume that by the time this thing gets close to you, chkrootkit will have detection ready for it.
To give you some context: this is a trojan, which you catch by installing something you receive as an email attachment. As a decade-long avid Linux user I can tell you: this requires a lot more interaction than "just click on it", so this doesn't use any zero days or whate
Fools! (Score:3, Funny)
Insert Linux trojan FUD .. .. (Score:2)
“Palo Alto researchers observed a sample of Bifrost hosted on a server at the domain 45.91.82[.]127. Once installed on a victim's computer”
Actual information: (Score:2)
snippets from: https://unit42.paloaltonetwork... [paloaltonetworks.com]
Attackers typically distribute Bifrost through email attachments or malicious websites, the researchers noted, though they didn't elaborate on the initial attack
Once installed on a victim's computer, Bifrost reaches out to a command-and-control (C2) domain with a deceptive name, download.vmfare[.]com, which appears similar to a legitimate VMware domain. The malware collects user data to send back to this server, using RC4 encryption to encrypt the data.
It seems like a basic Trojan RAT from 20 years ago that someone has... reanimated. RC4 encryption is old tech that nobody will even touch anymore because it's insecure.