New Linux variant of Bifrost trojan mimics VMware domain for evasion

Recently, researchers at Palo Alto Networks discovered a new variant of the Linux Trojan Bifrost (also known as Bifrose) that uses a deceptive practice known as Typosquatting to mimic a trusted VMware domain. This allows the malware to remain undetected. Bifrost is a remote access Trojan virus active since 2004 that collects sensitive information such as hostname and IP address from an infected system.

More than 100 samples of Bifrost have been detected in the past few months, raising concerns among security experts and organisations. Moreover, there is evidence that cyber attackers plan to expand the Bifrost attack surface even further by using a malicious IP address associated with the Linux variant that hosts the ARM version of Bifrost.

Cybercriminals typically distribute Bifrost via email attachments or malicious websites. Once installed on the victim's computer, Bifrost accesses a management and control domain with a deceptive name that looks similar to a legitimate VMware domain. The malware collects user data to send back to this server, using RC4 encryption to encrypt the data.

Ultimately, the infection process allows the malware to bypass security measures, avoid detection and ultimately compromise target systems, researchers say.

Source: Palo Alto Networks