Key points
- Unit 42 identified a new Linux Bifrost sample using a deceptive C2 domain download.vmfare[.]com that mimics VMware (typosquatting).
- The analyzed x86 sample (SHA256 8e85cb6f…) was hosted on 45.91.82[.]127; an ARM build was also found on the same host.
- The binary is stripped; in disassembly it creates a TCP socket (AF_INET, SOCK_STREAM, IPPROTO_TCP) via a setSocket routine before communicating with C2.
- Bifrost collects reconnaissance data (hostname, PID, other user/system data) and prepares it for transmission to the attacker’s server.
- Collected data is encrypted with RC4 (with observed small modifications such as bitwise AND operations) prior to exfiltration.
- The malware resolves its typosquatted C2 domain using a public DNS resolver at 168.95.1[.]1 to obtain its connection target.
- Palo Alto Networks Advanced WildFire observed a recent spike of over 100 Bifrost sample detections, indicating increased activity.
MITRE Techniques
- None – The article does not explicitly reference MITRE ATT&CK technique IDs or names.
Indicators of Compromise
- [SHA256] Malware sample hashes – 8e85cb6f2215999dc6823ea3982ff4376c2cbea53286e95ed00250a4a2fe4729 (x86), 2aeb70f72e87a1957e3bc478e1982fe608429cad4580737abe58f6d78a626c05 (ARM)
- [Domain] Command-and-control domain – download.vmfare[.]com
- [IP Address] Hosting and resolver – 45.91.82[.]127 (malware host), 168.95.1[.]1 (public DNS resolver used to resolve the C2)
Palo Alto Networks Unit 42 analyzed a stripped x86 Bifrost binary (SHA256 8e85cb6f…) hosted on 45.91.82[.]127 and also identified an ARM variant on the same host. In the disassembled code the malware invokes a setSocket routine that pushes values corresponding to AF_INET (2), SOCK_STREAM (1), and IPPROTO_TCP (6) and calls sys_socket to create a TCP socket; subsequent code performs data-collection routines that gather hostname, process ID, and other reconnaissance details.
Before sending data to the attacker, Bifrost applies RC4 encryption with minor variations (observed bitwise AND operations in the routine) to obfuscate payloads. The sample resolves its typosquatted C2 domain download.vmfare[.]com via a public DNS resolver at 168.95.1[.]1; logs and debugger output show an explicit DNS query for that domain, after which the malware attempts to connect to the resolved endpoint for exfiltration and command handling.
Operationally, the presence of both x86 and ARM builds indicates the actor is expanding its targeting to reach non-x86 devices. Detection telemetry (Advanced WildFire) shows a recent spike of over 100 distinct Bifrost hashes, underscoring active distribution and the need to block the identified domain, IPs, and sample hashes while monitoring DNS queries sent to 168.95.1[.]1 for lookups of the typosquatted C2 domain.
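The DNS-side detection suggested above, as an added example that is not part of the Unit 42 report: it triages constructed DNS log lines for the reported C2 domain, for lookups sent to the 168.95.1[.]1 resolver rather than an assumed corporate resolver (10.0.0.53), and, as a generalisation of the typosquatting point, for any second-level label within edit distance 1 of "vmware". The log format and the sample entries are assumptions.

```python
import re

# Constructed sample DNS log (not from the report): "<ts> <client> -> <resolver> Q <qname>"
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 -> 10.0.0.53 Q www.vmware.com
2024-03-01T10:00:07Z 10.0.0.5 -> 168.95.1.1 Q download.vmfare.com
2024-03-01T10:00:09Z 10.0.0.7 -> 10.0.0.53 Q updates.example.org
2024-03-01T10:00:12Z 10.0.0.9 -> 168.95.1.1 Q vmwere.net
"""
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+) Q (\S+)$")

C2_DOMAINS = {"download.vmfare.com"}   # IoC from the report (refanged)
APPROVED_RESOLVERS = {"10.0.0.53"}     # assumed corporate resolvers; 168.95.1.1 is not one
BRAND = "vmware"                       # brand the C2 domain impersonates

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as download.vmfare[.]com back into a real name."""
    return ioc.replace("[.]", ".")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot single-character brand lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(qname: str, brand: str = BRAND, max_dist: int = 1) -> bool:
    """True when the second-level label is close to, but not equal to, the brand."""
    labels = refang(qname).lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return sld != brand and edit_distance(sld, brand) <= max_dist

def triage_dns_log(text: str):
    """Return (client, qname, resolver, reasons) for every line that merits review."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, resolver, qname = m.groups()
        qname = refang(qname).lower()
        reasons = []
        if qname in C2_DOMAINS:
            reasons.append("known C2 domain")
        elif lookalike(qname):
            reasons.append(f"lookalike of {BRAND}")
        if resolver not in APPROVED_RESOLVERS:   # catches 168.95.1.1 without hard-coding it
            reasons.append(f"unsanctioned resolver {resolver}")
        if reasons:
            alerts.append((client, qname, resolver, reasons))
    return alerts
```

The benign www.vmware.com lookup through the corporate resolver produces no alert, while the two lines that use 168.95.1.1 are flagged for both the resolver and the domain.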
Read more: https://unit42.paloaltonetworks.com/new-linux-variant-bifrost-malware/