Linux Variants of Bifrost Trojan Evade Detection Via Typosquatting
upstart writes:
A 20-year-old Trojan resurfaced recently with new variants that target Linux and impersonate a trusted hosted domain to evade detection.
Researchers from Palo Alto Networks spotted a new Linux variant of the Bifrost (aka Bifrose) malware that uses a deceptive practice known as typosquatting to mimic a legitimate VMware domain, which allows the malware to fly under the radar. Bifrost is a remote access Trojan (RAT) that's been active since 2004 and gathers sensitive information, such as hostname and IP address, from a compromised system.
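The typosquatting the article describes relies on a look-alike domain being waved through because it resembles a trusted one. The following is an added example, not code from the Palo Alto Networks write-up or from this article, showing how a defender can flag near-misses of trusted brand domains in DNS query logs. The trusted-domain allowlist, the homoglyph table, the log format and every domain in the sample log are constructed for the example; the actual indicators from the report are not reproduced here.

```python
"""Flag typosquatted look-alikes of trusted domains in DNS-query log lines.

Added example: the allowlist, homoglyph table, log format and all domains
below are constructed sample data, not indicators from the report.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical allowlist of registrable domains the organisation trusts.
TRUSTED_DOMAINS = ["vmware.com", "paloaltonetworks.com", "ubuntu.com"]

# Representative look-alike substitutions (assumption: a small subset of what
# typosquatters use). Applied only to the queried name, never to the allowlist.
HOMOGLYPHS = {"vv": "w", "rn": "m", "0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed log format: ISO timestamp, client, query=<fqdn>, record type.
QUERY_RE = re.compile(r"query=(\S+)")


@dataclass
class Match:
    queried: str        # FQDN seen in the log line
    lookalike_of: str   # trusted domain it resembles
    reason: str         # which heuristic fired


def registrable_domain(fqdn: str) -> str:
    """Reduce an FQDN to its last two labels (simplification: ignores multi-part TLDs)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance; small distances to a brand name are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(label: str) -> str:
    """Map visually similar sequences back to the letters they imitate."""
    for look, real in HOMOGLYPHS.items():
        label = label.replace(look, real)
    return label.replace("-", "")


def classify(fqdn: str, trusted: List[str] = TRUSTED_DOMAINS,
             max_distance: int = 2) -> Optional[Match]:
    """Return a Match when the registrable domain is a near-miss of a trusted one."""
    reg = registrable_domain(fqdn)
    if reg in trusted or "." not in reg:
        return None                      # genuinely trusted, or not a domain at all
    name, tld = reg.rsplit(".", 1)
    for t in trusted:
        tname, ttld = t.rsplit(".", 1)
        if name == tname and tld != ttld:
            return Match(fqdn, t, "same name, different TLD")
        if tname in name and name != tname:
            return Match(fqdn, t, "brand embedded in longer name")
        if fold_homoglyphs(name) == tname:
            return Match(fqdn, t, "homoglyph substitution")
        distance = levenshtein(name, tname)
        if 0 < distance <= max_distance:
            return Match(fqdn, t, f"edit distance {distance}")
    return None


def scan_log(lines: List[str]) -> List[Match]:
    """Run classify() over every line that carries a query= field."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        hit = classify(m.group(1))
        if hit:
            hits.append(hit)
    return hits


# Constructed sample log: two legitimate queries, four look-alikes, one non-query line.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z client=10.0.0.5 query=download3.vmware.com type=A",
    "2024-03-01T10:00:02Z client=10.0.0.5 query=download.vmvvare.com type=A",
    "2024-03-01T10:00:03Z client=10.0.0.7 query=vmware-updates.net type=A",
    "2024-03-01T10:00:04Z client=10.0.0.7 query=vmware.net type=A",
    "2024-03-01T10:00:05Z client=10.0.0.8 query=vmwar.com type=A",
    "2024-03-01T10:00:06Z client=10.0.0.8 query=mirrors.ubuntu.com type=A",
    "2024-03-01T10:00:07Z client=10.0.0.9 response=NXDOMAIN",
    "2024-03-01T10:00:08Z client=10.0.0.9 query=example.org type=A",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.queried:26} looks like {hit.lookalike_of:12} ({hit.reason})")
```

The heuristics are deliberately simple and ordered from most to least specific; the "brand embedded" rule in particular gets noisy for short brand names and for legitimate third-party domains that contain a vendor name, so in production it would be paired with an exception list and with the actual indicator list the researchers published rather than the constructed allowlist used here.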
There has been a worrying spike in Bifrost Linux variants during the past few months: Palo Alto Networks has detected more than 100 instances of Bifrost samples, which "raises concerns among security experts and organizations," researchers Anmol Murya and Siddharth Sharma wrote in the company's newly published findings.
Moreover, there is evidence that cyberattackers aim to expand Bifrost's attack surface even further, using a malicious IP address associated with a Linux variant hosting an ARM version of Bifrost as well, they said.
"By providing an ARM version of the malware, attackers can expand their grasp, compromising devices that may not be compatible with x86-based malware," the researchers explained. "As ARM-based devices become more common, cybercriminals will likely change their tactics to include ARM-based malware, making their attacks stronger and able to reach more targets."
[...] Though it may be an old-timer when it comes to malware, the Bifrost RAT remains a significant and evolving threat to individuals and organizations alike, particularly with new variants adopting typosquatting to evade detection, the researchers said.
[...] In their post, the researchers shared a list of indicators of compromise, including malware samples and domain and IP addresses associated with the latest Bifrost Linux variants. The researchers advise that enterprises use next-generation firewall products and cloud-specific security services - including URL filtering, malware-prevention applications, and visibility and analytics - to secure cloud environments.
Ultimately, the process of infection allows the malware to bypass security measures and evade detection, and compromise targeted systems, the researchers said.
Read more of this story at SoylentNews.