An investigation into heightened cyber threat activities employing the Bifrost remote access trojan uncovered a novel Linux variant with new and improved evasion techniques, BleepingComputer reports.
Researchers with Palo Alto Networks' Unit 42 reported that the new variant connects to a command-and-control (C2) server whose domain deceptively mimics a legitimate VMware domain, making it easier to overlook during inspection. That domain is resolved through a Taiwan-based public DNS resolver rather than the victim's usual resolvers, which makes the traffic harder to trace and block, and analysis is further complicated by the malware binary being stripped of debugging information and symbol tables. Bifrost collects the victim's hostname, IP address, and process IDs, encrypts the stolen data with RC4, and transmits it over a newly created TCP socket to the C2 server. The researchers also noted the discovery of an ARM build of Bifrost, which suggests the attackers may intend to widen their targeting to ARM-based systems.
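The two network-side behaviours described above, a C2 domain that imitates a vendor name and DNS lookups sent to a resolver the organisation does not normally use, are both visible in ordinary DNS query logs. The following detection sketch is an added example written for this summary; it is not code from Unit 42, BleepingComputer, or the report, and the log lines, resolver addresses, lookalike domain and allowlists in it are constructed placeholders (the report's actual C2 domain and resolver are not reproduced here). It flags queries whose registrable label is within a small edit distance of a protected brand after folding common homoglyphs, queries that merely embed the brand, and queries answered by a resolver outside the corporate allowlist.

```python
"""Detection sketch for the DNS-side indicators described above (added example)."""
import re

# Constructed sample log lines (not real telemetry); key=value DNS query records.
SAMPLE_DNS_LOG = """\
2024-03-01T10:01:02Z src=10.0.5.21 resolver=10.0.0.53 query=updates.vmware.com type=A
2024-03-01T10:01:05Z src=10.0.5.21 resolver=203.0.113.53 query=download.vrnware.example type=A
2024-03-01T10:01:09Z src=10.0.5.22 resolver=10.0.0.53 query=www.example.com type=A
2024-03-01T10:02:11Z src=10.0.5.23 resolver=10.0.0.53 query=vmwaretools.example type=A
"""

# Assumed policy values: the organisation's own resolvers and the vendor
# domains it legitimately talks to. Placeholders, not values from the report.
ALLOWED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
KNOWN_GOOD_DOMAINS = {"vmware.com"}
BRANDS = {"vmware"}
MAX_EDIT_DISTANCE = 2

# Common homoglyph substitutions folded before comparison ("rn" reads as "m").
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_label(label: str) -> str:
    """Lower-case a DNS label and fold homoglyph pairs into their look-alike."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def registrable_domain(fqdn: str) -> str:
    """Naive 'last two labels' approximation; production code should use the public suffix list."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' record into a dict (empty dict on no match)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields


def classify_query(fields: dict) -> list:
    """Return the list of reasons a query record is suspicious (empty if none)."""
    reasons = []
    domain = registrable_domain(fields["query"])
    label = normalize_label(domain.split(".")[0])
    if domain not in KNOWN_GOOD_DOMAINS:
        for brand in BRANDS:
            if levenshtein(label, brand) <= MAX_EDIT_DISTANCE:
                reasons.append("lookalike")        # near-copy of a protected brand
            elif brand in label:
                reasons.append("brand_embedded")   # weaker signal: brand inside a longer label
    if fields.get("resolver") not in ALLOWED_RESOLVERS:
        reasons.append("unexpected_resolver")      # lookup bypassed corporate resolvers
    return reasons


def analyze_dns_log(text: str) -> list:
    """Run the classifier over a block of log text and return the flagged records."""
    findings = []
    for line in text.splitlines():
        fields = parse_line(line)
        if not fields or "query" not in fields:
            continue
        reasons = classify_query(fields)
        if reasons:
            findings.append({"ts": fields["ts"], "src": fields.get("src"),
                             "query": fields["query"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_dns_log(SAMPLE_DNS_LOG):
        print(finding)
```

Against the constructed sample, the vendor's real domain is not flagged, the homoglyph lookalike is flagged twice (lookalike label plus an off-allowlist resolver, which is exactly the pairing the report describes), and the brand-embedding domain is surfaced as a lower-confidence hit. The resolver check is the cheaper and more robust of the two: lookalike heuristics can be tuned around, but an endpoint that suddenly sends its queries to an external public resolver instead of the corporate ones is a policy violation regardless of which name it asks for, and is worth alerting on or blocking at the egress firewall in its own right.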