{
	"id": "95433603-4982-43d2-be87-d617d08ecc8a",
	"created_at": "2026-04-06T01:30:42.649397Z",
	"updated_at": "2026-04-10T13:11:22.142854Z",
	"deleted_at": null,
	"sha1_hash": "0932877395a2dfe8ef29853de15071e88306878d",
	"title": "A Quick Look at ELF Bifrose (Part 1)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1209536,
	"plain_text": "A Quick Look at ELF Bifrose (Part 1)\r\nPublished: 2022-12-30 · Archived: 2026-04-06 01:19:21 UTC\r\nBifrose, or Bifrost, is a backdoor with a long history that initially targeted Windows systems. First identified in the early 2000s, it is believed that a hacking group (likely BlackTech) purchased the source code or gained access to it around 2010, and enhanced the malware for use in its own campaigns.\r\nBlackTech has long targeted both Windows and Unix-based systems with a variety of malicious software, tailoring different malware to each campaign.\r\nIt Started With A Tweet\r\nOn 24 November, Twitter user @strinsert1Na tweeted that a recent ELF Bifrose sample had been uploaded to VirusTotal.\r\nFigure 1: Tweet courtesy of @strinsert1Na\r\nWhile the reuse of command and control (C\u0026C) infrastructure is nothing new for BlackTech, the operators have consistently added new features to the backdoor, while seemingly not changing the targets of their attacks.\r\n“udevd-10.138.61.156”\r\nhttps://cyberandramen.net/2022/12/30/a-quick-look-at-elf-bifrose/\r\nPage 1 of 5\n\nAs of the time of writing, the latest Bifrose sample is detected by about half of the vendors on VirusTotal, scoring a 36 out of 64.\r\nFigure 2: VirusTotal Results\r\nAlthough we have a good idea the file in question is an ELF file, running the file command will provide us with confirmation of the file type as well as whether the file has been stripped.\r\nFigure 3: Output of file command\r\nSure enough, the output identifies that the executable has been stripped; in other words, the symbols containing human-readable function names have been removed to slow down analysis.\r\nIf you’re still unsure the file is stripped, try running readelf -s filename. In this case, the absence of output confirms the file’s symbols have been removed.\r\nRunning readelf with the “-p” argument on the .comment section will provide the compiler version and development environment.\r\nFigure 4: Output of readelf -p .comment filename\r\nFrom the above output, we can infer that this sample is likely targeting Red Hat distributions.\r\nProbably one of the best analysis tools, the strings command can assist in identifying the functionality of the executable, as well as indicators (think Windows APIs for PEs, \u0026 syscalls for Unix). The output in Figure 5 provides a small snapshot of running strings.\r\nFigure 5: Output of strings\r\nIn addition to the hard-coded IP addresses, standard strings indicating first contact with the C\u0026C server, notably unix|, 5.0.0.0|, and what appear to be C\u0026C commands (recvData and send data), are visible in the output.\r\nAdditionally, we can see signs of reconnaissance of the infected system: viewing the version and OS release, as well as the kernel version, and the timezone the target is located in.\r\nBifrose Capabilities\r\nIf you don’t have Sysmon for Linux set up in a VM, or aren’t quite ready to upload the sample to a public sandbox, one great option is to utilize strace to run the sample and redirect the output to a separate file.\r\nstrace output will include operations such as any network connections or attempts, system calls, file read and write operations, etc., all information that is extremely valuable to understand the program’s behavior.\r\nThe command strace -o strace_results.txt ./elf_file is all you need, along with Wireshark, TCPDump, or any other tool that can capture network traffic. Explaining the syscalls identified in the strace output would be an article or two, and I would like to keep this short. If you’re interested in strace, see the links section below.\r\nFigures 6 and 7 show snippets of interesting system calls Bifrose makes when run.\r\nFigure 6: strace output (1)\r\nFigure 7: strace output (2)\r\nTo keep things simple, we’ll use Mandiant’s CAPA tool to get an idea of what Bifrose is up to.\r\nFigure 8: CAPA output\r\nIn the next post, I’ll use Cutter to look at some of the capabilities identified in the above image and see if we can map out the execution of Bifrose, to help defenders get an idea of what indicators will assist in identifying a possible intrusion.\r\nLinks\r\nhttps://man7.org/linux/man-pages/man2/syscalls.2.html\r\nhttps://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/\r\nhttps://www.pentesteracademy.com/video?id=881\r\nSource: https://cyberandramen.net/2022/12/30/a-quick-look-at-elf-bifrose/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyberandramen.net/2022/12/30/a-quick-look-at-elf-bifrose/"
	],
	"report_names": [
		"a-quick-look-at-elf-bifrose"
	],
	"threat_actors": [
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439042,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0932877395a2dfe8ef29853de15071e88306878d.pdf",
		"text": "https://archive.orkl.eu/0932877395a2dfe8ef29853de15071e88306878d.txt",
		"img": "https://archive.orkl.eu/0932877395a2dfe8ef29853de15071e88306878d.jpg"
	}
}