Bifrost

Malware Profile (updated 2 months ago)
Bifrost is a remote access Trojan (RAT) that has been active since 2004 and is designed to gather sensitive information, such as hostname and IP address, from compromised systems. The malware has evolved over time and has notable ties to other Trojans, including FakeM MSN, Elirks, and Poison Ivy, suggesting that the same developer may have been involved in creating them. Bifrost's history extends back to attacks as old as 2009, but it has continued to adapt and evolve, posing new threats to system security.

In recent years, Bifrost has increasingly targeted Linux servers. A significant development was noted on March 2, 2024, when a new variant of Bifrost was found attacking Linux servers and evading detection by mimicking legitimate domains, a deceptive practice known as typosquatting. This variant was seen to mimic a VMware domain, allowing the malware to fly under the radar. Over the past few months there has been a worrying spike in these Bifrost Linux variants, with Palo Alto Networks detecting more than 100 Bifrost samples.

The threat posed by Bifrost extends beyond traditional computing platforms, with evidence suggesting that attackers aim to expand Bifrost's attack surface to include ARM-based devices. A vulnerability impacting both Bifrost and Valhall GPU Kernel Drivers was addressed in November 2022, indicating ongoing efforts to exploit this malware's capabilities. As ARM-based devices become more common, cybercriminals are expected to modify their tactics to include ARM-based malware, potentially making their attacks stronger and able to reach more targets.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| ID | Votes | Profile Description |
|---|---|---|
| Bifrose | 3 | Bifrose, a form of malicious software (malware), is designed to exploit and damage computer systems. It infiltrates the user's device without their knowledge via suspicious downloads, emails, or websites. Once inside the system, Bifrose can steal personal information, disrupt operations, and even ho… |
| Bif1234 | 1 | None |
| Tr0gbot | 1 | None |
| Xbow | 1 | None |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Linux
Rat
Malware
Google
Trojan
Backdoor
Exploit
Dropper
Domains
Android
Vmware
Spam
Fraud
Encryption
Associated Malware
| ID | Type | Votes | Profile Description |
|---|---|---|---|
| FakeM | Unspecified | 1 | FakeM is a malware family first exposed in 2013 by Trend Micro, named for its command and control traffic mimicking Windows Messenger and Yahoo. The malware primarily operates as a Windows backdoor, used extensively by the cyber-espionage group Scarlet Mimic. Since its exposure, FakeM has undergone… |
| Poison Ivy | Unspecified | 1 | Poison Ivy is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold d… |
Associated Threat Actors
No associations to display.
Associated Vulnerabilities
| ID | Type | Votes | Profile Description |
|---|---|---|---|
| CVE-2024-4610 | Unspecified | 2 | None |
| CVE-2023-26083 | Unspecified | 2 | None |
| CVE-2021-29256 | Unspecified | 2 | None |
| CVE-2023-33200 | Unspecified | 1 | None |
| CVE-2023-34970 | Unspecified | 1 | None |
| CVE-2023-5427 | Unspecified | 1 | None |
| CVE-2023-6143 | Unspecified | 1 | None |
Source Document References
Information about the Bifrost malware was read from the document corpus below. This display is limited to 20 results.
| Source | Created At | Title |
|---|---|---|
| Securityaffairs | a month ago | CISA adds Arm Mali GPU Kernel Driver, PHP bugs to its Known Exploited Vulnerabilities catalog |
| InfoSecurity-magazine | 2 months ago | NVIDIA and Arm Urge Customers to Patch Bugs |
| Securityaffairs | 2 months ago | Arm zero-day in Mali GPU Drivers actively exploited in the wild |
| CERT-EU | 4 months ago | New Vcurms Malware Targets Popular Browsers for Data Theft |
| DARKReading | 5 months ago | Typosquatting Wave Shows No Signs of Abating |
| CERT-EU | 5 months ago | Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware |
| CERT-EU | 5 months ago | Linux Variants of Bifrost Trojan Evade Detection via Typosquatting - Slashdot |
| DARKReading | 5 months ago | Linux Variants of Bifrost Trojan Evade Detection via Typosquatting |
| CERT-EU | 5 months ago | New Linux Malware Alert: 'Spinning YARN' Hits Docker, other Key Apps |
| CERT-EU | 5 months ago | Ubuntu 6649-2: Firefox regressions \| LinuxSecurity.com |
| CERT-EU | 5 months ago | SUSE: 2024:0769-1 critical: postgresql-jdbc \| LinuxSecurity.com |
| CERT-EU | 5 months ago | SUSE: 2024:0763-1 moderate: python-cryptography \| LinuxSecurity.com |
| CERT-EU | 5 months ago | SUSE: 2024:0764-1 important: wpa_supplicant \| LinuxSecurity.com |
| CERT-EU | 5 months ago | CVE-2023-6143 - Alert Detail - Security Database |
| CERT-EU | 5 months ago | Ubuntu 6669-1: Thunderbird vulnerabilities \| LinuxSecurity.com |
| Securityaffairs | 5 months ago | Linux variant of BIFROSE RAT uses deceptive domain strategies |
| CERT-EU | 5 months ago | New Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain |
| CERT-EU | 5 months ago | The Art of Domain Deception: Bifrost's New Tactic to Deceive Users |
| CERT-EU | 5 months ago | New BIFROSE Linux Malware Variant Using Deceptive VMware Domain for Evasion |
| CERT-EU | 5 months ago | Bifrost RAT Now Equipped with a Linux Variant |