Bifrose.FPB a new variant of Info-stealer Bifrose actively spreading in the wild

February 27, 2015

The Dell Sonicwall Threats Research team observed reports of a Bifrose bot family named GAV: Bifrose.FPB_5 actively spreading in the wild. This is the new Variant of Popular Bifrose which is a backdoor that connects to a remote IP address using TCP port 81 or a random port.

Bifrose has been around for many years now, highly available in the cybercriminal underground, and has been used for various cybercriminal activities.

Bifrose allows an attacker to access the computer and perform various actions contains:

  • Enumeration Current processes

  • Install Key logger

  • Install backdoor Command shell

  • Manipulate files or registry keys data

  • Retrieve installed program details

  • Bypass windows firewall

Infection Cycle:

Md5: a9e403e3e341e1763a6e2114a4dfb3ac

The Malware uses the following icon:

The Malware adds the following files to the system:

  • %Userprofile%Local SettingsTempdosya1.txt

  • %Userprofile%Local SettingsTempdosya2.txt

  • %Userprofile%Local SettingsTempDosya1.exe

  • %Userprofile%Local SettingsTempDosya2.exe

  • "%Userprofile%Local SettingsTempTrojan.exe"

  • C:Program FilesBifrostchrome.exe

The Malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersAppData

    • %Userprofile%Local SettingsTempDosya1.exe

  • HKLMSOFTWAREMicrosoftActive SetupInstalled Components{C7668D2A-5DED-1927-2D46-C169B557CC3B}stubpath

    • C:Program FilesBifrostchrome.exe s

  • HKCUSoftwareMicrosoftWindowsCurrentVersionRun5cd8f17f4086744065eb0992a09e05a2

  • HKLMSoftwareMicrosoftWindowsCurrentVersionRun5cd8f17f4086744065eb0992a09e05a2

    • "%Userprofile%Local SettingsTempTrojan.exe"

Malware modifies registry to bypass windows firewall via following keys:

  • HKLMSystemCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList%Userprofile%Local SettingsTempTrojan.exe

    • %Userprofile%Local SettingsTempTrojan.exe:*:Enabled:Trojan.exe

Malware uses an injected Explorer.exe and IExplore.exe to send packets to its own C&C Server and after some time it terminates its own process.

After that malware tried to Enumeration all processes on the target machine, here is an example:

Command and Control (C&C) Traffic

Bifrose has the C&C communication over 81 & 1979. It sends requests to statically defined IP/Domains on a regular basis. The malware sends a TCP request to the C&C servers which contains information such as the infected machines computer name, operating system version and install date, here is an example:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Bifrose.FPB_5 ( Trojan )