Tor (The Onion Router) is a network of computers built to anonymize transmissions between two parties by concealing their locations. It is typically used to circumvent censorship and to protect the privacy of its users.
While investigating an attack on an undisclosed device manufacturer, security researchers at Trend Micro identified a variant of the Bifrose malware that uses this network to receive commands from its operator.
Bifrose, also known as Bifrost, is best known for its keylogging capabilities, but the build the researchers found combines other features as well: uploading and downloading information, creating and deleting folders, executing command lines, renaming files, and manipulating application windows through mouse and keyboard events.
Because the malware's communication runs over the Tor anonymity network, the researchers say that system administrators can discover an attack relying on this Bifrose variant by looking for Tor activity on their network.
Network activity at abnormal times, such as logins and e-mail transmissions, may also indicate malicious activity.
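The two detection hints above (Tor traffic on the network, and logins or mail sent at unusual hours) can be turned into a simple log triage script. The following is an added example written for this page; it is not code from Trend Micro or from the article. It assumes a constructed, space-separated log format of `timestamp src dst:port action`, a placeholder relay list (real deployments would load the Tor Project's current relay data instead), and a 07:00 to 19:00 business-hours window; the default Tor ports it checks (ORPort 9001, DirPort 9030, SOCKS 9050/9150) are real defaults, but relays can also listen on 443, so port matching alone is only a weak signal.

```python
"""Flag possible Tor use and off-hours activity in proxy/firewall log lines."""
from datetime import datetime, time
import ipaddress

# Default ports used by Tor relays and local Tor clients. Relays may also use 443
# or other ports, so this is a weak signal that should be paired with a relay list.
TOR_DEFAULT_PORTS = {9001, 9030, 9050, 9150}

# Constructed placeholder relay addresses (documentation ranges). A real deployment
# would load the Tor Project's published relay/exit list here instead.
KNOWN_TOR_RELAYS = {
    ipaddress.ip_address("203.0.113.10"),
    ipaddress.ip_address("198.51.100.77"),
}

# Assumed window of normal interactive activity for this example.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

# Constructed sample log: "timestamp src dst:port action".
SAMPLE_LOG = [
    "2014-08-28T02:13:05 10.0.0.21 203.0.113.10:443 connect",
    "2014-08-28T09:45:00 10.0.0.34 192.0.2.8:80 connect",
    "2014-08-28T03:02:11 10.0.0.21 10.0.0.5:25 smtp",
    "2014-08-28T11:20:00 10.0.0.34 198.51.100.77:9001 connect",
    "2014-08-28T10:00:00 10.0.0.50 10.0.0.5:443 login",
]


def parse_line(line):
    """Parse one constructed log line into a dict of typed fields."""
    ts, src, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "action": action,
    }


def tor_indicators(event):
    """Return the reasons an event looks like Tor traffic (empty list if none)."""
    reasons = []
    if event["dst"] in KNOWN_TOR_RELAYS:
        reasons.append("destination is a known Tor relay")
    if event["port"] in TOR_DEFAULT_PORTS:
        reasons.append(f"destination port {event['port']} is a Tor default port")
    return reasons


def is_off_hours(event):
    """True when the event falls outside the assumed business-hours window."""
    t = event["ts"].time()
    return not (BUSINESS_START <= t <= BUSINESS_END)


def analyze(lines):
    """Return a list of (source host, reason) alerts for the given log lines."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        for reason in tor_indicators(ev):
            alerts.append((str(ev["src"]), reason))
        # Logins and outbound mail at odd hours are the second hint from the article.
        if ev["action"] in {"login", "smtp"} and is_off_hours(ev):
            alerts.append(
                (str(ev["src"]), f"{ev['action']} at {ev['ts'].time()} outside business hours")
            )
    return alerts


if __name__ == "__main__":
    for host, reason in analyze(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

Run against the sample log it reports four alerts: the relay connection from 10.0.0.21, that host's mail at 03:02, and two indicators for 10.0.0.34 (known relay plus port 9001). Hosts that appear under both kinds of alert, as 10.0.0.21 does here, are the ones worth examining first.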