Backdoor:W32/Bifrose

Backdoor:W32/Bifrose is large family of Remote Administration Tools (RAT) that can be exploited by remote users to gain control over a system on which the program is installed.The backdoor has the following functionalities:

• File Manager
• Process Manager
• Keylogger
• Screen capture
• Cam capture
• Remote shell
• Registry editor
• Find passwords

The program also has the following server options:

• Can connect through Socks 4 proxies.
• Able to user TOR plugin, useful for hiding the network activity
• Persistent server option (if the file is deleted, it will rewrite itself again to the disc and registry)
• Able to inject itself to user defined processes
• Can include plugins pack for more functionality
• Offline keylogger

Installation

The server is usually installed in to following folders:

• %Program Files%
• %System%
• %Windir%

After the installation, Bifrose tries to locate a running web browser and inject code into it. The injected code is the actual backdoor. The backdoor starts to communicate with the server part using specially crafted HTTP queries. The server can instruct the backdoor to execute the following actions:

• Basic file operations (copy, delete, rename, find, execute)
• Download/upload files
• Process operations (list, kill)
• Registry operations (create/delete keys/values)
• Create screenshots of the desktop

Registry

During installation, the following registry key is created:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1D04E0BB-B63D-8FA6-6553-5E619BB865DB} stubpath = "C:\Program Files\Bifrost\server.exe"

Where {1D04E0BB-B63D-8FA6-6553-5E619BB865DB}is always random.and the usual mutex name used is:

• Bif123 (user defined)

The backdoor also creates the following registry key for storing information:

• [HKLM\Software\Wget]