An elusive variant of the Bifrose malware that leverages the Tor network to hide its communications has been caught targeting an unnamed device manufacturer.
Trend Micro threat response engineer Christopher Daniel So reported uncovering the malware in a blog post, warning that it has advanced data-stealing capabilities.
“Bifrose is mostly known for its keylogging routines, but it is capable of stealing far more information than just keystrokes. It can also send keystrokes and mouse events to Windows, which means that the attacker may be able to conduct operations as the affected user without having to compromise their accounts,” he explained.
“For example, the attacker can log into internal systems or even send messages to other users in the network. What makes this variant more elusive is its ability to use Tor to communicate with its command-and-control [C&C] server.”
Tor is an anonymity overlay network designed to let people browse the internet anonymously and host services (so-called hidden services) without those services being indexed or directly reachable on the public internet.
Trend Micro global vice president of security research Rik Ferguson told V3 the use of Tor is troubling as it makes tracking and taking down the infrastructure hosting and supporting the attacks close to impossible.
“Tor certainly frustrates attempts to map and impact the C&C infrastructure as well as attempts at attribution. Tor not only serves to encrypt traffic and maintain the anonymity of those connecting to it, it also serves to protect the anonymity of those hosting services on the network, in this case the C&C.”
He added that, although Tor makes the attackers difficult to track, it does make it easier for IT managers to check whether they have been targeted.
“Although of course it does offer defenders a chance for early detection: network inspection technology like Deep Discovery would be able to alert to the use of Tor traffic on the network, which could serve as a great early IoC.”
So agreed that, although Tor makes it difficult to trace the attack back to its origin, its use does make it easier for IT managers to see whether their systems have been affected.
“Having a solution that is equipped to detect possibly malicious activity will help IT admins be able to determine the existence of an attack. For example, since this variant uses Tor in communicating with its C&C server, being able to detect Tor activity within a network will help identify potential attacks within the network,” he said.
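The early-warning idea both researchers describe, flagging Tor traffic on the network as an indicator of compromise, can be reduced to a few checks over ordinary flow or proxy logs. The script below is an added example written for this article; it is not Trend Micro's code and not how Deep Discovery works. It assumes a flow log in a constructed `timestamp,src,dst,dport,sni` format, a relay list made of RFC 5737 documentation addresses standing in for a real list derived from the Tor directory consensus, and three heuristics: destination is a known relay, destination port is a default Tor ORPort/DirPort (9001/9030), or the TLS SNI looks like the throwaway `www.<random>.com` hostname Tor clients have used. Each heuristic alone is noisy, so the output keeps the reasons per flow so an analyst can prioritise hosts that trip more than one.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Dict

# Constructed relay list: RFC 5737 documentation addresses, NOT real Tor relays.
# In a real deployment this set is rebuilt regularly from the Tor directory
# consensus (or the Tor Project's published exit-relay list).
KNOWN_TOR_RELAYS = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("192.0.2.11"),
    ipaddress.ip_address("198.51.100.7"),
}

# Default Tor ORPort / DirPort. Many relays listen on 443 or other ports, so a
# port match is a weak indicator on its own.
TOR_DEFAULT_PORTS = {9001, 9030}

# Tor clients have historically sent a throwaway SNI of the form www.<random>.com.
# Legitimate hosts can match this too; treat it as corroborating evidence.
TOR_SNI_RE = re.compile(r"^www\.[a-z0-9]{8,20}\.com$")


@dataclass
class Finding:
    line_no: int
    src: str
    dst: str
    dport: int
    reasons: List[str] = field(default_factory=list)


def parse_flow(line: str):
    """Parse one constructed flow record: ts,src,dst,dport,sni ('-' = no SNI)."""
    ts, src, dst, dport, sni = line.strip().split(",")
    return ts, src, dst, int(dport), (None if sni == "-" else sni)


def classify_flow(src: str, dst: str, dport: int, sni: Optional[str]) -> List[str]:
    """Return the list of Tor indicators this flow matches (empty if none)."""
    reasons: List[str] = []
    try:
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return reasons  # malformed destination, nothing to say
    if dst_ip in KNOWN_TOR_RELAYS:
        reasons.append("destination is a known Tor relay")
    if dport in TOR_DEFAULT_PORTS:
        reasons.append(f"destination port {dport} is a default Tor ORPort/DirPort")
    if sni and TOR_SNI_RE.match(sni):
        reasons.append(f"TLS SNI {sni!r} matches Tor's random-hostname pattern")
    return reasons


def detect_tor_flows(lines: List[str]) -> List[Finding]:
    """Run the indicators over every flow record; skip blanks and comments."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):
            continue
        _, src, dst, dport, sni = parse_flow(line)
        reasons = classify_flow(src, dst, dport, sni)
        if reasons:
            findings.append(Finding(n, src, dst, dport, reasons))
    return findings


def rank_hosts(findings: List[Finding]) -> Dict[str, int]:
    """Count indicator hits per internal source host, highest first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + len(f.reasons)
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))


# Constructed sample flows (internal 10.0.0.0/8 sources, documentation-range destinations).
SAMPLE_FLOWS = [
    "2014-08-28T10:00:01Z,10.0.0.25,203.0.113.5,443,www.example.com",
    "2014-08-28T10:00:03Z,10.0.0.25,192.0.2.10,443,www.ab3kd9qpxz2m.com",
    "2014-08-28T10:00:05Z,10.0.0.31,203.0.113.9,9001,-",
    "2014-08-28T10:00:07Z,10.0.0.25,198.51.100.7,9001,-",
    "2014-08-28T10:00:09Z,10.0.0.40,203.0.113.12,80,-",
]

if __name__ == "__main__":
    hits = detect_tor_flows(SAMPLE_FLOWS)
    for f in hits:
        print(f"line {f.line_no}: {f.src} -> {f.dst}:{f.dport}: " + "; ".join(f.reasons))
    print("hosts by indicator count:", rank_hosts(hits))
```

On the constructed sample, the host at 10.0.0.25 is flagged twice with two indicators each (a relay hit plus a Tor-style SNI, then a relay hit plus port 9001), while 10.0.0.31 is flagged only on the port heuristic and would merit a look rather than an alert. Feeding the same functions a real flow export and a current relay list turns this into the kind of early IoC check the article describes.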
Bifrose is a common malware that has been used by numerous cyber criminal groups for a variety of purposes. So explained: “One of the past incidents we saw use Bifrose was the ‘Here you have’ spam campaign from 2010.
“The attack targeted HR personnel of government offices such as the African Union and NATO. The incident is quite comparable to what we know now as targeted attacks or APTs, which makes it unsurprising that it is now being used for such.”
Ferguson said he expects to see increasingly large numbers of criminal groups begin using Tor in the very near future.
“This is an emerging trend and one set to continue. Criminals also go to great lengths to conceal their identities and locations and to make takedown attempts as complex as possible. The dark web is something which serves both those aims, unfortunately,” he said.
“More criminal services are moving to adopt dark web communications to try to maintain anonymity and evade detection. Not only traditional cyber crime but, unfortunately, other online criminal behaviour: Europol has recently noted that online child exploitation is also increasingly making use of dark web resources.”
The use of the anonymising Tor network is an increasingly common tactic in the cyber crime community. Researchers from Kaspersky Lab reported finding evidence suggesting criminals plan to release a fresh wave of advanced cyber attack campaigns using the Tor network in March.