Constructor:Win32/Bifrose.A is a detection for a tool used by an attacker to create variants of the trojan Backdoor:Win32/Bifrose. Win32/Bifrose is a trojan that connects to a remote IP address and allows remote access and control by an attacker.
The detection may include the construction kit and the Win32/Bifrose client and server components. The client and server components may be packed or obfuscated with various packers such as Themida, PECompact, NsPack and others. There are several versions or variants of Win32/Bifrose in the wild, and it functions as a remote access trojan or backdoor.
Installation
When run, Constructor:Win32/Bifrose.A creates a mutex named "BIFROST<VersionNum>" to avoid running multiple copies. It writes its configuration data to the registry:
In subkey: HKCU\SOFTWARE\BIFROST<version>
Sets value: "discl", to data: "<hexadecimal value>"
Sets value: "settings", to data: "<hexadecimal value>"
In subkey: HKCU\SOFTWARE\BIFROST<version>\BUILD
Sets value: "dnslist", to data: "<hexadecimal value>"
Sets value: "proxylist", to data: "<hexadecimal value>"
Sets value: "proxyport", to data: "<hexadecimal value>"
Sets value: "settings", to data: "<hexadecimal value>"
Sets value: "TORfile", to data: "<hexadecimal value>"
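As an added example (not part of the original entry and not Microsoft's detection logic), the Python script below checks an offline registry export for the subkeys and value names listed above. It assumes the export was produced with `reg export HKCU\SOFTWARE out.reg`, which spells the hive as HKEY_CURRENT_USER and wraps long hex data across lines with a trailing backslash. The export embedded in the script is constructed for the demonstration: the key and value names follow the entry, but the hex payloads are arbitrary filler and say nothing about the real Bifrose configuration encoding. The mutex is a live-process artifact and is not visible in an export, so it is not checked here.

```python
import re

# Constructed sample in the layout written by `reg export HKCU\SOFTWARE out.reg`
# (the real command writes UTF-16; this literal is already decoded text).
# Hex payloads are arbitrary filler, NOT the real Bifrose configuration encoding;
# only the key and value names follow the encyclopedia entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_CURRENT_USER\SOFTWARE\BIFROST12]
"discl"=hex:01,00,00,00
"settings"=hex:00,00,10,00,\
  ff,ff,00,00

[HKEY_CURRENT_USER\SOFTWARE\BIFROST12\BUILD]
"dnslist"=hex:31,30,2e,30,2e,30,2e,31,00
"proxylist"=hex:00
"proxyport"=hex:80,00
"settings"=hex:01,02,03
"TORfile"=hex:00
"""

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# Subkeys named in the entry: HKCU\SOFTWARE\BIFROST<version> and its BUILD child.
BIFROST_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\SOFTWARE\\BIFROST[^\\]*(?P<sub>\\BUILD)?$", re.IGNORECASE
)
# Value names the entry lists per subkey (registry value names are case-insensitive).
KNOWN_VALUE_NAMES = {
    "": {"discl", "settings"},
    "\\BUILD": {"dnslist", "proxylist", "proxyport", "settings", "torfile"},
}


def _logical_lines(text):
    """Yield stripped lines, joining hex data that reg export wraps with a trailing backslash."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        yield line


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: raw_data_literal}}."""
    keys = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group("path")
            keys[current] = {}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group("name")] = value.group("data")
    return keys


def decode_hex_data(literal):
    """Turn a REG_BINARY literal ('hex:01,02,...') into bytes; other types are returned untouched."""
    if literal.lower().startswith("hex:"):
        return bytes(int(b, 16) for b in literal[4:].split(",") if b)
    return literal


def find_bifrose_indicators(reg_text):
    """One finding per value stored under a BIFROST<version> key, flagging the documented names."""
    findings = []
    for path, values in parse_reg_export(reg_text).items():
        match = BIFROST_KEY_RE.match(path)
        if not match:
            continue
        known = KNOWN_VALUE_NAMES[(match.group("sub") or "").upper()]
        for name, literal in values.items():
            findings.append({
                "key": path,
                "value": name,
                "known_bifrose_value": name.lower() in known,
                "data": decode_hex_data(literal),
            })
    return findings


def summarize(findings):
    """Compact verdict: which BIFROST keys exist and how many documented values were found."""
    return {
        "keys": sorted({f["key"] for f in findings}),
        "documented_values": sum(1 for f in findings if f["known_bifrose_value"]),
        "total_values": len(findings),
    }


if __name__ == "__main__":
    found = find_bifrose_indicators(SAMPLE_REG_EXPORT)
    for f in found:
        print(f"{f['key']}  {f['value']!r}  known={f['known_bifrose_value']}  data={f['data']!r}")
    print(summarize(found))
```

To run it against a real host, export the hive and read the file with `encoding="utf-16"`, since `reg export` writes UTF-16 by default; the presence of the BIFROST<version> key is the indicator, and the per-value flag only shows which of the documented names are present, because the data itself is opaque hex.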
The constructor has a builder menu used to create the server component. It enables an attacker to configure certain features of the server component, such as the file name, process name, IP address and port numbers, autorun feature, hiding capabilities and more.
(Screenshots of the constructor interface accompany the original entry and are not reproduced here.)
Additional Information
In the wild, the server component Backdoor:Win32/Bifrose is commonly bundled with other programs. When run, the server listens on a pre-configured port number, such as 81, and then connects to a pre-defined IP address to receive instructions from a remote attacker who is using a Win32/Bifrose client component. The remote attacker uses the client component to connect to the infected machine running the server component and to execute various actions via a created shell.
Analysis by Rex Plantado