elf.bifrost

Bifrost

aka: elf.bifrose

Actor(s): BlackTech


Linux port of the Bifrose malware, which originally targeted Windows only. The backdoor can perform file management, start or terminate processes, and open a remote shell. Its command-and-control connection is encrypted with a modified RC4 algorithm.

References
2022-11-24  MigawariIV, Twitter (@strinsert1Na): Tweet on recent Bifrose activity. https://twitter.com/strinsert1Na/status/1595553530579890176 (accessed 2022-11-25). Families: Bifrost
2022-09-29  NTT Security Holdings Corporation (NTT): Report on APT Attacks by BlackTech. https://jp.security.ntt/resources/EN-BlackTech_2021.pdf (accessed 2022-09-30). Families: Bifrost, PLEAD, TSCookie, Flagpro, Gh0stTimes, SelfMake Loader, SPIDERPIG RAT
2020-04-15  TeamT5: Analysis of the BiFrost backdoor used by the Chinese hacker group HUAPI (original title, Traditional Chinese: 中國駭客 HUAPI 的惡意後門程式 BiFrost 分析). https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/ (accessed 2021-03-31). Families: Bifrost
Yara Rules
[TLP:WHITE] elf_bifrost_w0 (20210331 | HUAPI UNIX BiFrost RAT)
rule elf_bifrost_w0 {

    meta:
        author = "TeamT5"
        date = "2020-04-15"
        version = "1"
        description = "HUAPI UNIX BiFrost RAT"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bifrost"
        malpedia_rule_date = "20210331"
        malpedia_hash = ""
        malpedia_version = "20210331"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $hex1 = {25 ?? 00 00 00 85 C0 75 37 8B 45 F0 89 C1 03 4D 08 8B 45 F0 03 45 08 0F B6 10 8B 45 F8 01 C2 B8 FF FF FF FF 21 D0 88 01 8B 45 F0 89 C2 03 55 08 8B 45 F0 03 45 08 0F B6 00 32 45 FD 88 02}
        $hex2 = {8B 45 F0 03 45 08 0F B6 00 30 45 FD 8B 45 F0 89 C1 03 4D 08 8B 45 F8 89 C2 02 55 FD B8 FF FF FF FF 21 D0 88 01}
        
    condition:
        all of them
}