New Linux Variant of BIFROSE RAT Mimics VMware Domain to Evade Detection

Cybersecurity researchers have uncovered a new Linux variant of the BIFROSE remote access trojan (RAT) that disguises itself using a deceptive domain name resembling VMware. The researchers noted that this latest version of BIFROSE is designed to bypass security measures and compromise targeted systems.

BIFROSE, a threat that has been active since 2004, has been available for purchase in underground forums for up to $10,000. It has been linked to the state-backed hacking group BlackTech, which has targeted organizations in Japan, Taiwan, and the U.S. using custom backdoors like KIVARS and XBOW.

Linux variants of BIFROSE, known as ELF_BIFROSE, have been observed since at least 2020. These variants have the capability to launch remote shells, download/upload files, and perform file operations.

The latest variant of BIFROSE stands out for its use of a deceptive command-and-control (C2) server domain name, “download.vmfare[.]com,” to masquerade as VMware. This domain is resolved by contacting a Taiwan-based public DNS resolver with the IP address 168.95.1[.]1.

The researchers have detected a significant increase in BIFROSE activity since October 2023, identifying at least 104 artifacts in their telemetry. They also discovered an Arm version of the malware, indicating that the threat actors are likely broadening the range of systems they can target.

The BIFROSE discovery coincides with McAfee Labs’ report on a new GuLoader campaign that spreads malware through malicious SVG file attachments in email messages. The researchers noted that the malware is also distributed via VBS scripts as part of a multi-stage payload delivery, highlighting its evolving tactics for broader reach and evasion.

These developments occur in the context of the U.S. government’s crackdown on the Warzone RAT, which recently saw two of its operators arrested and its infrastructure dismantled. The ongoing evolution of malware like BIFROSE underscores the importance of robust cybersecurity measures to detect and mitigate such threats.

To protect against the BIFROSE RAT and similar threats, organizations should regularly update their systems and software, deploy robust endpoint protection solutions, and educate employees about the dangers of downloading attachments or clicking on links in unsolicited emails. Additionally, implementing network segmentation and monitoring for unusual network traffic can help detect and mitigate RAT infections.
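As an added illustration of the detection angle (this is not code from the article or from the researchers), the script below scans DNS query logs for two signals the C2 description above suggests: names that are one edit away from "vmware", such as the vmfare domain, and queries sent to a resolver outside an approved set. The log format, the approved internal resolver 10.0.0.53 and the sample lines are constructed assumptions.

```python
import re

# Assumption: the organisation's only sanctioned DNS resolver. Anything else
# (e.g. a direct query to a public resolver) is worth a look.
APPROVED_RESOLVERS = {"10.0.0.53"}
BRAND = "vmware"  # the brand the C2 domain imitates

# Constructed log format: timestamp, client, resolver contacted, queried name.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) q=(?P<qname>\S+)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(qname: str) -> bool:
    """True if any label is a near-miss of the brand but not the brand itself."""
    return any(
        label != BRAND and levenshtein(label, BRAND) <= 1
        for label in qname.lower().rstrip(".").split(".")
    )


def analyze(lines):
    """Return one alert record per suspicious query, with the reasons it fired."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed or empty lines rather than abort the scan
        rec = m.groupdict()
        reasons = []
        if rec["dst"] not in APPROVED_RESOLVERS:
            reasons.append("unapproved-resolver")
        if is_lookalike(rec["qname"]):
            reasons.append("lookalike-domain")
        if reasons:
            alerts.append({**rec, "reasons": reasons})
    return alerts


# Constructed sample log: one benign lookup, one matching the article's pattern
# (lookalike name resolved via the public resolver 168.95.1.1), two partial hits.
SAMPLE_LOG = """
2023-10-12T08:01:02Z src=10.0.0.25 dst=10.0.0.53 q=download.vmware.com
2023-10-12T08:01:05Z src=10.0.0.25 dst=168.95.1.1 q=download.vmfare.com
2023-10-12T08:02:00Z src=10.0.0.30 dst=10.0.0.53 q=vmfare.com
2023-10-12T08:03:00Z src=10.0.0.31 dst=8.8.8.8 q=example.org
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.strip().splitlines()):
        print(alert["src"], alert["qname"], alert["dst"], ",".join(alert["reasons"]))
```

A query that trips both rules at once, as the second sample line does, is the pattern described for this variant and deserves priority over either signal alone.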