Palo Alto Networks Unit 42 researchers discovered a new Linux variant of Bifrost (aka Bifrose) RAT that uses a deceptive domain (download.vmfare[.]com) that mimics the legitimate VMware domain.
The Bifrost RAT has been active since 2004. It allows its operators to gather sensitive information, including hostname and IP address. Bifrose has data-stealing capability, but it is known mostly for its keylogging routines. The researchers also observed a spike in Bifrost’s Linux variants during the past few months.