Bifrost (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

elf.bifrost (Back to overview)

Bifrost

aka: elf.bifrose

Actor(s): BlackTech

Linux version of the bifrose malware that originally targeted Windows platform only. The backdoor has the ability to perform file management, start or end a process, or start a remote shell. The connection is encrypted using a modified RC4 algorithm.

References

2022-12-30 ⋅ Cyber And Ramen blog ⋅ CYBER&RAMEN
A Quick Look at ELF Bifrose (Part 1)
Bifrost

2022-11-24 ⋅ Twitter (@strinsert1Na) ⋅ MigawariIV
Tweet on recent Bifrose activity
Bifrost

2022-09-29 ⋅ NTT ⋅ NTT Security Holdings Corporation
Report on APT Attacks by BlackTech
Bifrost PLEAD TSCookie Flagpro Gh0stTimes SelfMake Loader SPIDERPIG RAT

2020-04-15 ⋅ ⋅ TEAMT5 ⋅ TeamT5
中國駭客 HUAPI 的惡意後門程式 BiFrost 分析
Bifrost

Yara Rules

[TLP:WHITE] elf_bifrost_w0 (20210331 | HUAPI UNIX BiFrost RAT)

rule elf_bifrost_w0 {

    meta:
        author = "TeamT5"
        date = "2020-04-15"
        version = "1"
        description = "HUAPI UNIX BiFrost RAT"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bifrost"
        malpedia_rule_date = "20210331"
        malpedia_hash = ""
        malpedia_version = "20210331"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $hex1 = {25 ?? 00 00 00 85 C0 75 37 8B 45 F0 89 C1 03 4D 08 8B 45 F0 03 45 08 0F B6 10 8B 45 F8 01 C2 B8 FF FF FF FF 21 D0 88 01 8B 45 F0 89 C2 03 55 08 8B 45 F0 03 45 08 0F B6 00 32 45 FD 88 02}
        $hex2 = {8B 45 F0 03 45 08 0F B6 00 30 45 FD 8B 45 F0 89 C1 03 4D 08 8B 45 F8 89 C2 02 55 FD B8 FF FF FF FF 21 D0 88 01}
        
    condition:
        all of them
}

Download all Yara Rules

Bifrost Propose Change

References

Yara Rules

Bifrost