Bifrose.FPB a new variant of Info-stealer Bifrose actively spreading in the wild


The Dell SonicWALL Threats Research team observed reports of a Bifrose bot family, detected as GAV: Bifrose.FPB_5, actively spreading in the wild. This is a new variant of the well-known Bifrose backdoor, which connects to a remote IP address over TCP port 81 or a random port.

Bifrose has been around for many years now, highly available in the cybercriminal underground, and has been used for various cybercriminal activities.

Bifrose allows an attacker to access the computer and perform various actions, including:

  • Enumerate current processes

  • Install a keylogger

  • Install a backdoor command shell

  • Manipulate files or registry key data

  • Retrieve details of installed programs

  • Bypass the Windows Firewall

Infection Cycle:

MD5: a9e403e3e341e1763a6e2114a4dfb3ac

The Malware uses the following icon:

The malware adds the following files to the system:

  • %Userprofile%\Local Settings\Temp\dosya1.txt

  • %Userprofile%\Local Settings\Temp\dosya2.txt

  • %Userprofile%\Local Settings\Temp\Dosya1.exe

  • %Userprofile%\Local Settings\Temp\Dosya2.exe

  • %Userprofile%\Local Settings\Temp\Trojan.exe

  • C:\Program Files\Bifrost\chrome.exe

The malware adds the following registry keys to ensure persistence across reboots:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData

    • %Userprofile%\Local Settings\Temp\Dosya1.exe

  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{C7668D2A-5DED-1927-2D46-C169B557CC3B}\StubPath

    • C:\Program Files\Bifrost\chrome.exe s

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2

    • %Userprofile%\Local Settings\Temp\Trojan.exe

The malware modifies the registry to bypass the Windows Firewall, adding its executable to the authorized-applications list via the following key:

  • HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Userprofile%\Local Settings\Temp\Trojan.exe

    • %Userprofile%\Local Settings\Temp\Trojan.exe:*:Enabled:Trojan.exe
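The persistence and firewall-bypass locations listed above can be checked on a suspect host. The following hunting script is an added example, not part of the SonicWALL advisory; it uses the Run value name and Active Setup CLSID from the advisory and, as an assumed generalization, also flags any Run or AuthorizedApplications entry that launches from a Temp folder. It assumes an elevated PowerShell session on the host being examined.

```powershell
# Added hunting script (not from the advisory): checks the persistence and
# firewall-bypass registry locations described above for Bifrose.FPB indicators.
# Assumes it runs in an elevated PowerShell on the host being examined.
$RunValueName     = '5cd8f17f4086744065eb0992a09e05a2'          # Run value name from the advisory
$ActiveSetupClsid = '{C7668D2A-5DED-1927-2D46-C169B557CC3B}'    # Active Setup component from the advisory
$Findings = @()

# 1. Run keys: flag the known value name and, more generally (assumed heuristic),
#    any autorun entry whose command lives in a Temp folder
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }              # skip PowerShell's provider metadata
            if ($p.Name -eq $RunValueName -or "$($p.Value)" -match '(?i)\\Temp\\') {
                $Findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

# 2. Active Setup StubPath for the CLSID the advisory names (runs once per user at logon)
$asKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$ActiveSetupClsid"
if (Test-Path $asKey) {
    $stub = (Get-ItemProperty -Path $asKey).StubPath
    $Findings += [pscustomobject]@{ Location = $asKey; Name = 'StubPath'; Value = $stub }
}

# 3. Legacy Windows Firewall authorized-applications list: values of the form
#    "<path>:*:Enabled:<name>" that point into a Temp folder are suspicious
$fwKey = 'HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwKey) {
    foreach ($p in (Get-ItemProperty -Path $fwKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match '(?i)\\Temp\\.*:\*:Enabled:') {
            $Findings += [pscustomobject]@{ Location = $fwKey; Name = $p.Name; Value = $p.Value }
        }
    }
}

if ($Findings.Count -eq 0) { 'No Bifrose.FPB persistence or firewall-bypass indicators found.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

Any hit should be treated as a lead for triage of the referenced executable (hash comparison against the MD5 above, process and network inspection), not as a confirmed infection on its own.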

The malware injects into Explorer.exe and IExplore.exe and uses them to send packets to its C&C server; after some time it terminates its own process.

After that, the malware attempts to enumerate all processes on the target machine; here is an example:

Command and Control (C&C) Traffic

Bifrose carries out its C&C communication over TCP ports 81 and 1979. It sends requests to statically defined IP addresses/domains on a regular basis. The TCP request sent to the C&C servers contains information such as the infected machine's computer name, operating system version and install date; here is an example:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Bifrose.FPB_5 ( Trojan )
