Ransomware/Malware Activity

Bifrose/Bifrost Linux Malware Variant Evades Detection via VMware Typosquat

Cybersecurity researchers have discovered a novel variant of the Bifrose (AKA Bifrost) ELF (Executable and Linkable Format) malware that uses a typosquat domain mimicking VMware to evade detection. Bifrost is a Remote Access Trojan (RAT) that allows attackers to gather sensitive information from an infected host and relay it back to the attacker over a Command and Control (C2) channel. Bifrost was originally a Windows malware first seen around 2004 and leveraged by the hacking group BlackTech; the Linux version has been observed since at least 2020. Its capabilities include launching remote shells, downloading/uploading files, and performing file operations. This new variant is noteworthy because it reportedly uses a typosquat of a VMware domain so that its C2 traffic blends in with legitimate-looking VMware traffic and is harder for defenders to spot. Researchers analyzed the malware and observed it reaching out to "download[.]vmfare[.]com", which was resolved via a Taiwan-based public DNS (Domain Name System) resolver. As of the writing of this article, 11/92 security vendors tracked by VirusTotal have flagged the "download[.]vmfare[.]com" subdomain as malicious, while zero (0) security vendors have flagged the parent "vmfare[.]com" domain as malicious. Researchers also discovered that the malicious IP address associated with the malware hosted an ARM (Advanced RISC Machine) build of Bifrost. The x86 and ARM builds differ only in the processor architecture they are compiled for; shipping both indicates that the attackers are seeking to widen their reach as more devices are built on ARM processors. CTIX analysts recommend that organizations block the abused VMware typosquat domain at their firewalls and review DNS logs for queries to it. CTIX analysts will continue to report on new and expanding malware strains and capabilities.

  • The Hacker News: BIFROSE Linux Malware Article
  • Bleeping Computer: New Bifrost Malware Article

Threat Actor Activity

Russia Behind Leaked Conversation among German Military Officials

A conversation between senior Bundeswehr officers, including German Air Force Lt. Gen. Ingo Gerhartz, was intercepted and leaked on Telegram by Margarita Simonyan, the editor-in-chief of RT, a Russian state-controlled broadcaster. It is believed that the leak originated from Russia as a way of creating further divisions in Germany, a theory supported by Simonyan's claim that the recording was provided to her by "comrades in uniform." The thirty-eight (38) minute conversation covers Germany's support for Ukraine, preparation and logistics for supplying Ukraine with Taurus cruise missiles, and the politics surrounding Chancellor Olaf Scholz, who is attempting to block the transfer because the missiles' range risks pulling Germany directly into the war. Leaking the conversation would be a strategic move by Russia not only to amplify divisions in Berlin but also to embarrass Germany over the state of its military communications: sensitive and potentially classified discussions were being held over Webex rather than secured military lines. A spokesperson for the German Ministry of Defense confirmed the interception of the conversation but could not confirm whether the transcript was authentic or whether the recording posted on social media by Simonyan (who has a record of spreading falsehoods) had been altered. Germany's defense minister, Boris Pistorius, also acknowledged the leak, attributing the "hybrid disinformation attack" to Russia and calling it part of Putin's information war. Russia's foreign ministry has since released a statement saying it "demanded an explanation from Germany," without fully clarifying what it was demanding an explanation for.

  • The Record: German Webex Article

Vulnerabilities

CISA Adds Microsoft Streaming Service to the KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has mandated that all U.S. Federal Civilian Executive Branch (FCEB) agencies address a high-severity vulnerability in the Microsoft Streaming Service (MSKSSRV.SYS) that is currently being exploited in attacks. The flaw, tracked as CVE-2023-29360, stems from an untrusted pointer dereference and allows a local attacker to obtain SYSTEM privileges with low attack complexity and without any user interaction from the victim. It was discovered by Thomas Imbert of Synacktiv and reported through Trend Micro's Zero Day Initiative; Microsoft issued a fix in its June 2023 Patch Tuesday release. Despite the absence of evidence linking the flaw to ransomware attacks, CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog and requires federal agencies to apply the patch no later than March 21, 2024. While the directive is binding only on FCEB agencies, CISA urges private organizations worldwide to prioritize the fix as well. Notably, Check Point revealed that the Raspberry Robin malware, known since September 2021 and associated with various cybercrime groups, has exploited this vulnerability since August 2023, demonstrating how quickly a public exploit for a local privilege escalation flaw is adopted by malicious actors. CTIX analysts recommend that users ensure they are running the latest Windows updates to prevent exploitation of this vulnerability.

  • Bleeping Computer: CVE-2023-29360 Article

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Ankura Consulting Group LLC
2000 K Street NW
12th Floor
Washington
DC 20006
UNITED STATES
Tel: 202 797 1111
E-mail: cody.prince@ankura.com
URL: ankura.com

© Mondaq Ltd, 2024 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source Business Briefing