elf.bifrost

Bifrost

aka: elf.bifrose

Actor(s): BlackTech


Linux version of the Bifrose malware, which originally targeted only the Windows platform. The backdoor can perform file management, start or terminate a process, and spawn a remote shell. Its command-and-control connection is encrypted with a modified RC4 algorithm.

References

2020-04-15 | TeamT5 | 中國駭客 HUAPI 的惡意後門程式 BiFrost 分析 (Analysis of the Chinese hacker group HUAPI's BiFrost backdoor) | https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/

@online{teamt5:20200415:huapi:c45f871,
  author = {TeamT5},
  title = {{中國駭客 HUAPI 的惡意後門程式 BiFrost 分析}},
  date = {2020-04-15},
  organization = {TEAMT5},
  url = {https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/},
  language = {Chinese (Traditional)},
  urldate = {2021-03-31}
}
Yara Rules
[TLP:WHITE] elf_bifrost_w0 (20210331 | HUAPI UNIX BiFrost RAT)
rule elf_bifrost_w0 {

    meta:
        author = "TeamT5"
        date = "2020-04-15"
        version = "1"
        description = "HUAPI UNIX BiFrost RAT"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bifrost"
        malpedia_rule_date = "20210331"
        malpedia_hash = ""
        malpedia_version = "20210331"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Two code fragments of the modified RC4 keystream/XOR routine used for the C2 channel
        $hex1 = {25 ?? 00 00 00 85 C0 75 37 8B 45 F0 89 C1 03 4D 08 8B 45 F0 03 45 08 0F B6 10 8B 45 F8 01 C2 B8 FF FF FF FF 21 D0 88 01 8B 45 F0 89 C2 03 55 08 8B 45 F0 03 45 08 0F B6 00 32 45 FD 88 02}
        $hex2 = {8B 45 F0 03 45 08 0F B6 00 30 45 FD 8B 45 F0 89 C1 03 4D 08 8B 45 F8 89 C2 02 55 FD B8 FF FF FF FF 21 D0 88 01}

    condition:
        all of them
}