The Shrouded Crossbow group has been active since 2010, typically targeting companies that are close to governments and key industries in Asia. Common targets include government contractors, privatized government agencies, companies involved with consumer electronics, the computer industry, the healthcare sector, and financial industries. The malicious team is predicted to be about ten people, equipped with significant resources. Rather than develop its own attack kits and malware, the group uses its significant resources to purchase source code and tools from other authors. Afterward, members of the group improve the code to suit their specifications.

The group employs the BIFROSE/ Bifrost, KIVARS, and XBOW backdoors in their attacks. As an indicator of resources available to the group, Trend Micro notes that BIFROSE backdoor has sold for more than $10,000 on underground sites. BIFROSE backdoor has been around for about a decade and has been used in spam campaigns against NATO and United States government agencies. BIFROSE is a remote access Trojan (RAT) which establishes a persistent presence and then deploys tools to capture keystrokes, screenshots, and confidential information. Trend Micro actually believes that the group purchased the source code of BIFROSE, and then developed a new installer, created unique loader-backdoor pairs, and simplified the backdoor capabilities, thereby resulting in KIVARS. KIVARS is also available as a 64-bit variant. The group developed XBOW on their own, based on BIFROSE back door and KIVARS back door. The malware is delivered via spear phishing emails containing malicious .RAR files or .EXE. The email topics are generally breaking news, resumes, government data, or meeting requests. The malware corresponds to a C&C network of about 100 servers registered to free dynamic DNS or discrete IP addresses. The C&C servers appear to be organized according to the actor’s use. IP address changes and renewal of domains happen according to an organized schedule. Trend Micro suspects that in addition to the 10-member development team, the malware group may employ separate teams to design and deploy the malicious emails and to maintain the C&C infrastructure.

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google