Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Linux

Linux Variants of Bifrost Trojan Evade Detection via Typosquatting (darkreading.com) 19

"A 20-year-old Trojan resurfaced recently," reports Dark Reading, "with new variants that target Linux and impersonate a trusted hosted domain to evade detection." Researchers from Palo Alto Networks spotted a new Linux variant of the Bifrost (aka Bifrose) malware that uses a deceptive practice known as typosquatting to mimic a legitimate VMware domain, which allows the malware to fly under the radar. Bifrost is a remote access Trojan (RAT) that's been active since 2004 and gathers sensitive information, such as hostname and IP address, from a compromised system.

There has been a worrying spike in Bifrost Linux variants during the past few months: Palo Alto Networks has detected more than 100 instances of Bifrost samples, which "raises concerns among security experts and organizations," researchers Anmol Murya and Siddharth Sharma wrote in the company's newly published findings.

Moreover, there is evidence that cyberattackers aim to expand Bifrost's attack surface even further, using a malicious IP address associated with a Linux variant hosting an ARM version of Bifrost as well, they said... "As ARM-based devices become more common, cybercriminals will likely change their tactics to include ARM-based malware, making their attacks stronger and able to reach more targets."

This discussion has been archived. No new comments can be posted.

Linux Variants of Bifrost Trojan Evade Detection via Typosquatting

Comments Filter:
  • Post Flash (Score:3, Informative)

    by unfriendlyLLM ( 10459763 ) on Saturday March 09, 2024 @09:58PM (#64303513)
    Even if Flash was in itself a largeish attack surface, it Ironically made attacks like these harder.
  • by sew3521 ( 1037710 ) on Saturday March 09, 2024 @10:04PM (#64303517)

    In what world are hostnames and IP addresses considered sensitive?

  • The article is light on details, so it might really be punycode phishing rather than typosquatting
  • by ls671 ( 1122017 ) on Saturday March 09, 2024 @10:34PM (#64303553) Homepage

    Trojan (RAT) that's been active since 2004 and gathers sensitive information, such as hostname and IP address, from a compromised system.

    Oh no! Not my hostname and IP address! Those are the most secret, sensitive and confidential information I keep on my machines!

  • So... (Score:3, Insightful)

    by ElvisGump ( 1018396 ) on Saturday March 09, 2024 @11:22PM (#64303603)

    How do we protect ourselves against the attacks?
    Is there a tool to scan for and remove these trojans?
    "Hey there are hackers after you specifically because of LINUX" but nothing on who, where, what and how to protect ourselves - so thanks for the paranoia?
    Pretty terrible journalism if you ask me...

    • How do we protect ourselves against the attacks?

      According to the source, "Attackers typically distribute Bifrost through email attachments or malicious websites".

      This means:
      * Don't execute email attachments.
      * Don't download programs/packages from shady sites.

      This seems like a low-energy effort to infect machines.

    • by Slayer ( 6656 )

      The typical goto solution to detect trojans and root kits would be ckrootkit [chkrootkit.org], but for some reason it does not list this specific trojan. I would assume, that by the time this thing gets close to you, chrootkit will have detection ready for it.

      To give you some context: this is a trojan, which you catch by installing something you receive as email attachment. As a decadelong avid linux user I can tell you: this requires a lot more interaction than "just click on it", so this doesn't use any zero days or whate

  • Fools! (Score:3, Funny)

    by DongBringer ( 8510047 ) on Saturday March 09, 2024 @11:37PM (#64303611)
    This is but another clever tactic by the Small Dong Initiative! We have penetrated you through your open back doors and have identified your very precious hostnames! Any day now we shall launch our CCP-backed attack on your systems, your IPs, your hostnames, and more! You cannot stand against the rise of the Small Dong!
  • “Attackers typically distribute Bifrost through email attachments or malicious websites, the researchers noted, though they didn't elaborate on the initial attack vector for the newly surfaced Linux variants.”

    “Palo Alto researchers observed a sample of Bifrost hosted on a server at the domain 45.91.82[.]127. Once installed on a victim's computer”
  • snippets from: https://unit42.paloaltonetwork... [paloaltonetworks.com]

    Attackers typically distribute Bifrost through email attachments or malicious websites, the researchers noted, though they didn't elaborate on the initial attack

    Once installed on a victim's computer, Bifrost reaches out to a command-and-control (C2) domain with a deceptive name, download.vmfare[.]com, which appears similar to a legitimate VMware domain. The malware collects user data to send back to this server, using RC4 encryption to encrypt the data.

    It seems like a basic Trojan RAT from 20 years ago that someone has... reanimated. RC4 encryption is old tech that nobody will even touch anymore because it's insecure.

Keep up the good work! But please don't ask me to help.

Working...