Constructor:Win32/Bifrose.A
First posted on 02 March 2019.
Source: Microsoft
Aliases:
There are no other names known for Constructor:Win32/Bifrose.A.
Explanation:
Constructor:Win32/Bifrose.A is a detection for a tool used by an attacker to create variants of the trojan Backdoor:Win32/Bifrose. Win32/Bifrose is a trojan that connects to a remote IP address and allows remote access and control by an attacker. The detection may include the construction kit and the Win32/Bifrose client and server components. The client and server components may be packed or obfuscated with varying packers such as Themida, PECompact, NsPack and others. There are several versions or variants of Win32/Bifrose in the wild, and it functions as a remote access trojan or backdoor.

Installation
When run, Constructor:Win32/Bifrose.A creates a mutex named "BIFROST" to avoid running multiple copies. It writes configuration data to the registry.

In subkey: HKCU\SOFTWARE\BIFROST
Sets value: "discl"
To data: " "
Sets value: "settings"
To data: " "

In subkey: HKCU\SOFTWARE\BIFROST BUILD
Sets value: "dnslist"
To data: " "
Sets value: "proxylist"
To data: " "
Sets value: "proxyport"
To data: " "
Sets value: "settings"
To data: " "
Sets value: "TORfile"
To data: " "

The constructor has a builder menu used to create the server component. The constructor enables an attacker to configure certain features of the server component such as the file name, process name, IP and port numbers, autorun feature, hiding capabilities and more. The original entry illustrates the constructor interface with screenshots, which are not reproduced here.

Additional Information
In the wild, the server component Backdoor:Win32/Bifrose is commonly bundled with other programs. When run, the server listens on a pre-configured port number, such as 81, and then connects to pre-defined IP addresses to receive instructions from a remote attacker using a Win32/Bifrose client component. A remote attacker uses the client component to connect to the infected machine that is running the server component and to execute varying actions via a created shell.

Analysis by Rex Plantado
Last update 02 March 2019
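The registry subkeys, value names and mutex name listed in the Installation section are the host artifacts a defender can hunt for. The following Python is an added example written for this page; it is not part of Microsoft's entry and does not come from the Bifrose tooling. It assumes a simple constructed event schema (dicts with a type, the writing process image, and a registry target or mutex name) rather than any particular product's log format, and the sample events, SID and process paths in it are made up. It folds the different spellings of the current-user hive (HKEY_CURRENT_USER, HKCU, and the HKU\<SID> form that Sysmon registry events use) onto the HKCU form used in the entry before matching.

```python
import re
from typing import Iterable, Optional

# Indicators taken from the entry above. The data written to each value was not
# shown on the page, so only key paths and value names are matched.
BIFROSE_MUTEX = "BIFROST"
BIFROSE_SUBKEYS = {
    r"HKCU\SOFTWARE\BIFROST": ("discl", "settings"),
    r"HKCU\SOFTWARE\BIFROST BUILD": ("dnslist", "proxylist", "proxyport", "settings", "TORfile"),
}

# Sysmon and similar sources log the current-user hive as HKU\<SID>\...; other
# tools write HKEY_CURRENT_USER. All forms are folded to the HKCU spelling of the entry.
_USER_HIVE = re.compile(r"^(?:HKEY_CURRENT_USER|HKCU|HKU\\S-1-5-21(?:-\d+)+)\\", re.IGNORECASE)


def normalize_registry_path(path: str) -> str:
    """Return the path with the user hive spelled HKCU\\ and stray whitespace removed."""
    return _USER_HIVE.sub(r"HKCU\\", path.strip())


def match_registry_path(path: str) -> Optional[tuple[str, str]]:
    """Return (canonical subkey, canonical value name) if the path is one of the
    Bifrose configuration values, else None. Keys and value names are compared
    case-insensitively, as the Windows registry does."""
    head, sep, value = normalize_registry_path(path).rpartition("\\")
    if not sep:
        return None
    for subkey, names in BIFROSE_SUBKEYS.items():
        if head.casefold() != subkey.casefold():
            continue  # exact key match only: HKCU\SOFTWARE\BIFROSTAR must not hit
        for name in names:
            if name.casefold() == value.casefold():
                return subkey, name
    return None


def is_bifrose_mutex(name: str) -> bool:
    """Mutex names are case-sensitive; Global\\ and Local\\ namespace prefixes are ignored."""
    _, _, bare = name.rpartition("\\")
    return bare == BIFROSE_MUTEX


def scan_events(events: Iterable[dict]) -> list[dict]:
    """Walk host events (constructed schema: type, image, target/name) and collect
    Bifrose indicator hits together with the process that produced them."""
    findings = []
    for ev in events:
        if ev["type"] == "registry":
            hit = match_registry_path(ev["target"])
            if hit:
                findings.append({"kind": "registry", "subkey": hit[0], "value": hit[1], "image": ev["image"]})
        elif ev["type"] == "mutex" and is_bifrose_mutex(ev["name"]):
            findings.append({"kind": "mutex", "name": ev["name"], "image": ev["image"]})
    return findings


# Constructed sample events; the SID, process names and paths are made up.
SAMPLE_EVENTS = [
    {"type": "registry", "image": r"C:\Users\u\AppData\Local\Temp\build.exe",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\BIFROST\settings"},
    {"type": "registry", "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "registry", "image": r"C:\Users\u\AppData\Local\Temp\build.exe",
     "target": r"HKEY_CURRENT_USER\Software\Bifrost Build\TORfile"},
    {"type": "mutex", "image": r"C:\Users\u\AppData\Local\Temp\build.exe", "name": "BIFROST"},
    {"type": "mutex", "image": r"C:\Program Files\Sample\app.exe", "name": r"Global\SampleAppMutex"},
    {"type": "mutex", "image": r"C:\Users\u\srv.exe", "name": r"Local\BIFROST"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, four findings come back: the two registry writes under the Bifrose keys and the two BIFROST mutexes, while the Run-key write and the unrelated mutex are ignored. The key comparison is exact after hive normalization so that a key merely beginning with BIFROST does not fire, and value names under the two subkeys are kept separate because "settings" exists under both.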