elf.bifrost

Bifrost

aka: elf.bifrose

Actor(s): BlackTech


Linux version of the Bifrose malware, which originally targeted the Windows platform only. The backdoor can perform file management, start or terminate a process, and start a remote shell. Its command-and-control connection is encrypted with a modified RC4 algorithm.

References

2022-12-30 | Cyber And Ramen blog | CYBER&RAMEN | A Quick Look at ELF Bifrose (Part 1) | families: Bifrost
2022-11-24 | Twitter (@strinsert1Na) | MigawariIV | Tweet on recent Bifrose activity | families: Bifrost
2022-09-29 | NTT | NTT Security Holdings Corporation | Report on APT Attacks by BlackTech | families: Bifrost, PLEAD, TSCookie, Flagpro, Gh0stTimes, SelfMake Loader, SPIDERPIG RAT
2020-04-15 | TEAMT5 | TeamT5 | Analysis of BiFrost, the malicious backdoor of the Chinese hacker group HUAPI (original title: 中國駭客 HUAPI 的惡意後門程式 BiFrost 分析) | families: Bifrost
Yara Rules
[TLP:WHITE] elf_bifrost_w0 (20210331 | HUAPI UNIX BiFrost RAT)
rule elf_bifrost_w0 {
    meta:
        author = "TeamT5"
        date = "2020-04-15"
        version = "1"
        description = "HUAPI UNIX BiFrost RAT"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bifrost"
        malpedia_rule_date = "20210331"
        malpedia_hash = ""
        malpedia_version = "20210331"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Both patterns are unoptimised 32-bit x86 (frame-pointer relative, [ebp+8] = buffer,
        // [ebp-0x10] = index). They match the inner byte-transform loop of the sample's traffic
        // encoding: buf[i] = (buf[i] + k) & 0xff, then buf[i] ^= key_byte.
        // The wildcard byte is the immediate of an "and eax, imm32" at the loop head.
        $hex1 = {25 ?? 00 00 00 85 C0 75 37 8B 45 F0 89 C1 03 4D 08 8B 45 F0 03 45 08 0F B6 10 8B 45 F8 01 C2 B8 FF FF FF FF 21 D0 88 01 8B 45 F0 89 C2 03 55 08 8B 45 F0 03 45 08 0F B6 00 32 45 FD 88 02}
        // Same operations in the other order (xor key_byte with buf[i], then add k):
        // the complementary direction of the transform.
        $hex2 = {8B 45 F0 03 45 08 0F B6 00 30 45 FD 8B 45 F0 89 C1 03 4D 08 8B 45 F8 89 C2 02 55 FD B8 FF FF FF FF 21 D0 88 01}

    condition:
        // Requiring both sequences keeps the rule specific to this compiled routine
        // rather than to any generic add/xor loop.
        all of them
}