Bifrose malware leveraging on Tor caught in a targeted attack on a device manufacturer

Security experts at TrendMicro have detected a new variant of the BIFROSE malware leveraging on the Tor network in a targeted attack.

Security experts at TrendMicro were investigating a targeted attack against a device manufacturer when they discovered that BIFROSE, a well-known backdoor, had infected the company's systems. BIFROSE has been around for many years and is easy to acquire in the underground. It has data-stealing capabilities but is best known for its keylogging routines. The variant detected by TrendMicro (detected as BKDR_BIFROSE.ZTBG-A, SHA-1 hash 5e2844b20715d0806bfa28bd0ebcba6cbb637ea1) differs from earlier samples in that it uses the Tor network to hide the communications between the infected machines and the C&C server.

“What makes this variant more elusive is its ability of Tor to communicate with its command-and-control [C&C] server,” reports a blog post published by TrendMicro.

The BIFROSE malware has been widely used by cyber criminals; in 2010 a threat actor targeted human resource (HR) personnel of different government offices, including the African Union and NATO. The BIFROSE variant used in the targeted attack on the device manufacturer is able to perform the following operations, as explained in the blog post:

  • Download a file
  • Upload a file
  • Get file details (file size, last modified time)
  • Create a folder
  • Delete a folder
  • Open a file using ShellExecute
  • Execute a command line
  • Rename a file
  • Enumerate all windows and their process IDs
  • Close a window
  • Move a window to the foreground
  • Hide a window
  • Send keystrokes to a window
  • Send mouse events to a window
  • Terminate a process
  • Get display resolution
  • Upload contents of %Windows%\winieupdates\klog.dat
  • Capture screenshot or webcam image

As explained in the post, to discover the presence of this BIFROSE variant in the network, administrators can check systems for the existence of the file klog.dat, which is associated with the keylogging routines.

“Another indicator would be seeing abnormal activities, such as those seen through network and mail logs. As we’ve mentioned in our past post, 7 Places to Check for Signs of a Targeted Attack in Your Network, network activities such as logins and emails during “abnormal” times need to be checked.” suggests Christopher Daniel So, Threat Response Engineer at TrendMicro.

The use of the Tor network is becoming popular among malware authors; a recent variant of Zeus was also able to hide its communications in the anonymizing network. The use of Tor makes tracking and taking down the malware infrastructure more difficult, but IT administrators can carefully monitor their networks for Tor activity, since several strains of malware use Tor to communicate with their C&C servers.
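The two checks the article recommends (look for the klog.dat keylogger artifact and watch network logs for Tor activity and off-hours events) can be scripted. The following Python script is an added example written for this page, not code from TrendMicro or Security Affairs. It takes the artifact path and the sample SHA-1 from the article; the Tor port list, the business-hours window, the log line format and the log lines themselves are constructed assumptions for the demo, and the port heuristic will not catch Tor relays listening on 443.

```python
"""Defender-side hunt for the BIFROSE indicators named in the article (added example)."""
import hashlib
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path

# SHA-1 of the BKDR_BIFROSE.ZTBG-A sample, as given in the article.
KNOWN_BAD_SHA1 = {"5e2844b20715d0806bfa28bd0ebcba6cbb637ea1"}

# Keylogger artifact named in the article, relative to %Windows%.
KLOG_RELATIVE = Path("winieupdates") / "klog.dat"

# Default Tor ports (ORPort 9001, DirPort 9030, SOCKS 9050/9150).
# Assumption: a heuristic only; relays on 443 would not be flagged.
TOR_PORTS = {9001, 9030, 9050, 9150}

# "Normal" hours for the abnormal-time check (assumption: 07:00-19:59).
WORK_HOURS = range(7, 20)

# Constructed log format: "<date> <time> src=<ip> dst=<host> dport=<port>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def find_keylog_artifact(windir):
    """Return the klog.dat path if it exists under the given Windows dir, else None."""
    candidate = Path(windir) / KLOG_RELATIVE
    return str(candidate) if candidate.is_file() else None


def sha1_of(path):
    """Stream a file through SHA-1 so large files do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_known_hashes(root, iocs=KNOWN_BAD_SHA1):
    """Walk root and return every file whose SHA-1 is in the IoC set."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if sha1_of(p) in iocs:
                hits.append(p)
    return hits


def flag_tor_activity(lines):
    """Return (reason, line) pairs for Tor-looking destinations and off-hours events."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        dst = m.group("dst")
        dport = int(m.group("dport"))
        hour = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").hour
        if dst.endswith(".onion"):
            findings.append(("onion-destination", line))
        elif dport in TOR_PORTS:
            findings.append(("tor-default-port", line))
        if hour not in WORK_HOURS:
            findings.append(("off-hours", line))
    return findings


# Constructed sample log lines (TEST-NET addresses, not real hosts).
SAMPLE_LOG = [
    "2014-08-28 10:15:02 src=10.0.0.12 dst=203.0.113.5 dport=443",
    "2014-08-28 03:12:45 src=10.0.0.12 dst=198.51.100.7 dport=9001",
    "2014-08-28 11:40:09 src=10.0.0.12 dst=abcdefghijklmnop.onion dport=80",
    "2014-08-28 02:05:33 src=10.0.0.20 dst=203.0.113.9 dport=25",
]


def run_demo():
    """Build a constructed file tree containing both artifacts and run all checks."""
    with tempfile.TemporaryDirectory() as root:
        windir = Path(root) / "Windows"
        (windir / "winieupdates").mkdir(parents=True)
        (windir / KLOG_RELATIVE).write_bytes(b"constructed keylog data")
        # Stand-in for a known-bad binary: SHA-1(b"abc") is the well-known
        # a9993e364706816aba3e25717850c26c9cd0d89d, used here instead of the
        # real sample, which is of course not shipped with this example.
        (Path(root) / "sample.bin").write_bytes(b"abc")
        return {
            "klog": find_keylog_artifact(windir),
            "hash_hits": scan_for_known_hashes(
                root, {"a9993e364706816aba3e25717850c26c9cd0d89d"}
            ),
            "net": flag_tor_activity(SAMPLE_LOG),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a real host, replace the temporary tree with the actual %Windows% directory and the directories you want hashed, and feed real firewall or proxy lines through a pattern matching your log format; the off-hours and port heuristics are starting points for triage, not proof of compromise.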

Pierluigi Paganini

(Security Affairs – BIFROSE, malware)