Deceptive VMware Domain: The Purpose of a New BIFROSE Linux Malware Variant

admin, 2024-03-03 23:16:22

Cybersecurity researchers have discovered a new Linux variant of a remote access trojan (RAT) called BIFROSE (aka Bifrost) that uses a deceptive domain mimicking VMware.

"This latest version of Bifrost aims to bypass security measures and compromise targeted systems," Palo Alto Networks Unit 42 researchers Anmol Maurya and Siddharth Sharma said.

BIFROSE is one of the long-standing threats that has been active since 2004. It has been offered for sale in underground forums for up to $10,000 in the past, according to a report from Trend Micro in December 2015.

The malware has been put to use by a state-backed hacking group tracked as BlackTech (aka Circuit Panda, HUAPI, Manga Taurus, Palmerworm, PLEAD, Red Djinn, and Temp.Overboard), which has a history of striking organizations in Japan, Taiwan, and the U.S.

It's suspected that the threat actor purchased the source code or gained access to it around 2010, and repurposed the malware for use in its own campaigns via custom backdoors like KIVARS and XBOW.

Linux variants of BIFROSE (aka ELF_BIFROSE) have been observed since at least 2020 with capabilities to launch remote shells, download/upload files, and perform file operations.

"Attackers typically distribute Bifrost through email attachments or malicious websites," the researchers said. "Once installed on a victim's computer, Bifrost allows the attacker to gather sensitive information, like the victim's hostname and IP address."

What makes the latest variant noteworthy is that it reaches out to a command-and-control (C2) server with the name "download.vmfare[.]com" in an attempt to masquerade as VMware. The deceptive domain is resolved by contacting a Taiwan-based public DNS resolver with the IP address 168.95.1[.]1.
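
The lookalike domain and the off-network resolver described above are the kind of signals a DNS-log check can surface. The following is an added example, not code from the article or from Unit 42: it scores the registrable label of each queried name against a protected brand with an edit distance, and flags queries sent to resolvers outside an assumed corporate list. The log format, the corporate resolver address and the sample log lines are constructed; only the domain and the 168.95.1.1 resolver come from the article.

```python
import re

BRANDS = ("vmware",)                 # protected brand labels to compare against
LEGIT_ZONES = ("vmware.com",)        # assumption: known-good zones for those brands
CORP_RESOLVERS = {"10.0.0.53"}       # assumption: the resolvers clients are expected to use
LOG_RE = re.compile(r"^\S+ (?P<client>\S+) -> (?P<resolver>\S+) (?P<qtype>\S+) (?P<qname>\S+)$")

# Constructed sample DNS log; the lookalike domain and resolver are the ones the article names.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 10.1.2.3 -> 10.0.0.53 A www.vmware.com
2024-03-01T10:00:05Z 10.1.2.3 -> 168.95.1.1 A download.vmfare.com
2024-03-01T10:00:09Z 10.1.2.7 -> 10.0.0.53 A example.org
"""

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: substitutions, indels and adjacent swaps cost 1."""
    d = [[i if j == 0 else j if i == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition, e.g. "vwmare"
    return d[len(a)][len(b)]

def classify(qname: str, resolver: str) -> list[str]:
    """Reasons a query is suspicious; an empty list means nothing was flagged."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]  # naive registrable label
    reasons = []
    if not any(name == z or name.endswith("." + z) for z in LEGIT_ZONES):
        for brand in BRANDS:
            dist = edit_distance(sld, brand)
            if dist == 0 or brand in sld:
                reasons.append(f"brand '{brand}' used outside its known zones: {name}")
            elif dist <= 2:
                reasons.append(f"lookalike of '{brand}' (distance {dist}): {name}")
    if resolver not in CORP_RESOLVERS:
        reasons.append(f"query sent to unsanctioned resolver {resolver}")
    return reasons

def scan(log: str) -> dict[str, list[str]]:
    findings = {}  # flagged query name -> reasons; lines that do not parse are skipped
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := classify(m["qname"], m["resolver"])):
            findings.setdefault(m["qname"], []).extend(reasons)
    return findings
```

On the sample log only download.vmfare.com is reported, for both the one-character distance to "vmware" and the resolver outside the assumed corporate list.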

Unit 42 said it detected a spike in Bifrost activity since October 2023, identifying no less than 104 artifacts in its telemetry. It further discovered an Arm version of the malware, suggesting the threat actors are likely looking to expand their attack surface.

"With new variants that employ deceptive domain strategies like typosquatting, a recent spike in Bifrost activity highlights the dangerous nature of this malware," the researchers said.

The development comes as McAfee Labs detailed a new GuLoader campaign that propagates the malware through malicious SVG file attachments in email messages. The malware has also been observed being distributed via VBS scripts as part of a multi-stage payload delivery.

"This recent surge highlights its evolving tactics for broader reach and evasion," Trustwave SpiderLabs said in a post on X earlier this week.

The Bifrost and GuLoader attacks coincide with the release of a new version of the Warzone RAT, which recently had two of its operators arrested and its infrastructure dismantled by the U.S. government.

Originally published on the WeChat official account 知机安全: Deceptive VMware Domain: The Purpose of a New BIFROSE Linux Malware Variant

Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/2543281.html