BIFROSE Now More Evasive Through Tor, Used for Targeted Attack

We recently investigated a targeted attack against a device manufacturer, and in our analysis, we found that the malware deployed into the target network is a variant of a well-known backdoor, BIFROSE. BIFROSE has been around for many years now, highly available in the cybercriminal underground, and has been used for various cybercriminal activities.

One of the past incidents we saw use BIFROSE was the “Here you have” spam campaign from 2010. The attack targeted human resource (HR) personnel of government offices such as the African Union and the NATO. The incident is quite comparable to what we know now as targeted attacks or APTs, which makes it unsurprising that it is now being used for such.

The BIFROSE variant (detected as BKDR_BIFROSE.ZTBG-A and has the hash 5e2844b20715d0806bfa28bd0ebcba6cbb637ea1) used against the device manufacturer is able to do the following information stealing routines:

Download a file
Upload a file
Get file details (file size, last modified time)
Create a folder
Delete a folder
Open a file using ShellExecute
Execute a command line
Rename a file
Enumerate all windows and their process IDs
Close a window
Move a window to the foreground
Hide a window
Send keystrokes to a window
Send mouse events to a window
Terminate a process
Get display resolution
Upload contents of %Windows%\winieupdates\klog.dat
Capture screenshot or webcam image

Figure 1. BIFROSE administrator panel

Figure 2. BIFROSE taking a screenshot of an affected system

BIFROSE is mostly known for its keylogging routines, but it is capable of stealing far more information than just keystrokes. It can also send keystrokes and mouse events to windows, which means that the attacker may be able to conduct operations as the affected user without having to compromise their accounts. For example, the attacker can log into internal systems or even send messages to other users in the network. What makes this variant more elusive is its ability of Tor to communicate with its C&C.

Can This Be Traced?

Apart from detecting the malware itself through a security solution, IT administrators may be able to check for the existence of a BIFROSE variant in the network. One of the easiest is checking for the existence of the file klog.dat in systems — a file associated with the keylogging routines.

Another indicator would be seeing abnormal activities, such as those seen through network and mail logs. As we’ve mentioned in our past post, 7 Places to Check for Signs of a Targeted Attack in Your Network, network activities such as logins and emails during “abnormal” times need to be checked.

Lastly, having a solution that is equipped to detect possibly malicious activity will help IT admins be able to determine the existence of an attack. For example, since this variant uses Tor in communicating with its C&C server, being able to detect Tor activity within a network will help identify potential attacks within the network, among others.

With additional insights by Ronnie Giagone

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

BIFROSE Now More Evasive Through Tor, Used for Targeted Attack