New Bifrost Malware for Linux: A Deceptive Tactic


New Bifrost Malware for Linux: A Deceptive Tactic

A new variant of the infamous Bifrost remote access trojan (RAT), specifically tailored for Linux systems, has been discovered. This sophisticated malware employs a series of innovative evasion techniques, including the utilization of a deceptive domain cleverly disguised to resemble a legitimate VMware entity.

The Deceptive Tactics used in Bifrost Malware

The method of this latest Bifrost variant is quite insidious. By leveraging a domain that closely resembles a legitimate VMware domain, attackers can evade detection and gain unauthorized access to target systems. This technique, known as typosquatting, is a growing concern in the cybersecurity landscape.

The malware establishes communication with a command and control (C2) server through the “download.vmfare[.]com” domain. This cunning ruse is reminiscent of legitimate VMware domains, thus slipping under the radar of routine inspections. Moreover, the deceptive domain’s resolution involves a Taiwan-based public DNS resolver, further complicating tracing and blocking efforts.

Enhanced Tactics of the New Bifrost Variant

Upon scrutinizing the latest Bifrost samples, researchers have uncovered a series of noteworthy updates designed to bolster the malware’s operational efficiency and evade detection. From a technical standpoint, the malware’s binary is compiled in a stripped form devoid of debugging information or symbol tables, rendering analysis more challenging.

Bifrost covertly harvests crucial system information including the victim’s hostname, IP address, and process IDs. It encrypts the data with RC4 encryption before transmitting it to the C2 via a newly established TCP socket.

The Threat Landscape

Having plagued digital landscapes for two decades, Bifrost stands as one of the enduring threats in the realm of RATs. Typically disseminated through malicious email attachments or compromised websites, Bifrost infiltrates systems to pilfer sensitive data.

Researchers from Palo Alto Networks’ Unit 42 have noticed a surge in Bifrost’s activities, prompting an in-depth investigation that led to the revelation of this new, more elusive variant.


While Bifrost may not be hailed as a pinnacle of sophistication or ubiquity in the malware landscape, the revelations by the Unit 42 team underscore the imperative for heightened vigilance. The developers behind this RAT evidently seek to refine it into a more covert threat capable of targeting a diverse array of system architectures, necessitating proactive defense measures.

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.

Share this content:

Post Comment