Bifrost

Malware updated 4 months ago (2024-06-11T14:17:32.072Z)
Bifrost is a remote access Trojan (RAT) that has been active since 2004, designed to gather sensitive information such as hostname and IP address from compromised systems. The malware has evolved over time, with notable ties to other Trojans like FakeM MSN, Elirks, and Poison Ivy, suggesting the same developer may have been involved in creating these malicious programs. Bifrost's history extends back to attacks as old as 2009, but it has continued to adapt and evolve, posing new threats to system security.

In recent years, Bifrost has increasingly targeted Linux servers. A significant development was noted on March 2, 2024, when a new variant of Bifrost was found attacking Linux servers, evading detection by mimicking legitimate domains through a deceptive practice known as typosquatting. This new variant was seen to mimic a VMware domain, allowing the malware to fly under the radar. Over the past few months, there has been a worrying spike in these Bifrost Linux variants, with Palo Alto Networks detecting more than 100 instances of Bifrost samples.

The threat posed by Bifrost extends beyond traditional computing platforms, with evidence suggesting that cyberattackers are aiming to expand Bifrost's attack surface to include ARM-based devices. A vulnerability impacting both Bifrost and Valhall GPU Kernel Drivers was addressed in November 2022, indicating ongoing efforts to exploit this malware's capabilities. As ARM-based devices become more common, it's expected that cybercriminals will modify their tactics to include ARM-based malware, potentially making their attacks stronger and able to reach more targets.
Description last updated: 2024-06-11T14:15:44.179Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
Bifrose is a possible alias for Bifrost. Bifrose, a form of malicious software (malware), is designed to exploit and damage computer systems. It infiltrates the user's device without their knowledge via suspicious downloads, emails, or websites. Once inside the system, Bifrose can steal personal information, disrupt operations, and even ho | 3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Rat
Malware
Linux
Google
Exploit
Trojan
Backdoor
Associated Vulnerabilities
Alias Description | Association Type | Votes
The vulnerability CVE-2024-4610 is associated with Bifrost. | Unspecified | 2
The vulnerability CVE-2023-26083 is associated with Bifrost. | Unspecified | 2
The vulnerability CVE-2021-29256 is associated with Bifrost. | Unspecified | 2
Source Document References
Information about the Bifrost malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created
Securityaffairs | 4 months ago
InfoSecurity-magazine | 4 months ago
Securityaffairs | 4 months ago
CERT-EU | 7 months ago
DARKReading | 7 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago
DARKReading | 7 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago
Securityaffairs | 7 months ago
CERT-EU | 8 months ago
CERT-EU | 8 months ago
CERT-EU | 8 months ago
CERT-EU | 8 months ago