A Quick Look at ELF Bifrose (Part 1)

Bifrose or Bifrost is a backdoor initially targeting Windows systems with a long history. First identified in the early 2000’s, it is believed a hacking group (likely BlackTech), purchased the source code or gained access to it around 2010, and enhanced the malware for use in its own campaigns.

BlackTech has long targeted both Windows and Unix-based systems with a variety of malicious software, tailoring different malware to each campaign.

It Started With A Tweet

On 24 November, Twitter user @strinsert1Na tweeted that a recent ELF Bifrose sample had been uploaded to VirusTotal.

Figure 1: Tweet courtesy of @strinsert1Na

While the reuse of command and control (C&C) infrastructure is nothing new for BlackTech, the operators have consistently added new features to the backdoor, while seemingly not changing the targets of their attacks.

“udevd-10.138.61.156”

As of the time of writing, the latest Bifrose sample is detected by about half of the vendors on VirusTotal, scoring a 36 out of 64.

Figure2: VirusTotal Results

Although we have a good idea the file in question is an ELF file, running the file command will provide us with confirmation of the file type as well as if the file has been stripped.

Figure 3: Output of file command

Sure enough, the output identifies the executable has been stripped; in other words, the symbols containing human-readable function names have been removed to slow down analysis.

If you’re still unsure the file is stripped, try running readelf -s filename. In this case, no output confirms the file’s symbols have been tampered with.

Running readelf with the “-p” argument on the .comment section will provide the compiler version and development environment.

Figure 4: Output of readelf -p .comment filename

From the above output, we can infer that this sample is likely targeting Red Hat distributions.

Probably one of the best analysis tools, the strings command can assist in identifying the functionality of the executable, as well as indicators (think Windows APIs for PEs, & syscalls for Unix). The output in Figure 5 provides a small snapshot of running strings.

Figure 5: Output of strings

In addition to the hard-coded IP addresses, standard strings indicating first contact with the C&C server, notably unix|, 5.0.0.0|, and what appear to be C&C commands (recvData and send data), are visible in the output.

Additionally, we can see signs of reconnaissance of the infected system, viewing the version and OS release, as well as the kernel version, and the timezone the target is located in.

Bifrose Capabilities

If you don’t have Sysmon for Linux setup in a VM, or aren’t quite ready to upload the sample to a public sandbox, one great option is to utilize strace to run the sample and redirect the output to a separate file.

strace output will include operations such as any network connections or attempts, system calls, file read and write operations, etc., all information that is extremely valuable to understand the program’s behavior.

The command strace -o strace_results.txt ./elf_file is all you need, along with Wireshark, TCPDump, or any other tool that can capture network traffic. Explaining the syscalls identified in the strace output would be an article or two, and I would like to keep this short. If your interested in strace, see the below links section.

Figure 6 and 7 show snippets of interesting system calls Bifrose makes when run.

Figure 6: strace output (1)
strace output (2)

To keep things simple, we’ll use Mandiant’s CAPA tool to get an idea of what Bifrose is up to.

Figure 8: CAPA output

In the next post, I’ll use Cutter to look at some of the capabilities identified in the above image and see if we can map out the execution of Bifrose, to help defenders get an idea of what indicators will assist in identifying a possible intrusion.

Links

https://man7.org/linux/man-pages/man2/syscalls.2.html

ELF Malware Analysis 101: Part 3 – Advanced Analysis

https://www.pentesteracademy.com/video?id=881

One response to “A Quick Look at ELF Bifrose (Part 1)”

%d bloggers like this: