Backdoor implementation is enhancing in every aspect. Cyber groups are employing techniques to execute malicious activities in the host system along with establishing persistence. Recently, a researcher traced a high-profile malware expanding its attack landscape by infecting Linux. TrickBot Anchor malware is now not Windows exclusive. It has annexed its threats to the Linux system.
The Malware
TrickBot was developed in 2016, primarily as banking malware. Soon it adopted various malicious techniques getting famous as a flexible, universal, module-based crimeware solution. Its prime targets were corporations and the three pillars of TrickBot’s success were automation, decentralization, and integration.
The deft malware is capable of executing the following nefarious activities:
grabbing personal information, which was then sold on the underground and used privately,
a banker, stealing corporate data which monetized through account takeover and card fraud
a distributor, delivering ransomware,
a crypto miner.
spreading laterally through a network,
stealing saved credentials in browsers,
stealing cookies,
and now infecting Linux as well as Windows devices.
The threat actors behind the TrickBot malware launched a derivative called “Anchor”. With a plethora of functionalities, tools and methods, the project enabled hackers to compromise Windows system in a network and clean all the evidence of the attack.
The Anchor malware is known to impact high-value and high-profile targets with valuable financial information.
In recent research, TrickBot Anchor Malware is seen to leverage its framework against Linux distribution along with Windows systems. As most of the IoT gadgetry like routers, computers, VPN devices, and NAS devices are running on Linux, the campaign also poses serious threats to internet devices.
Modus Operandi
The threat actors penetrate in a system through remote administration tools which included Metaspoilt Meterpreter to deploy the malware. The type of malware to be dumped depends upon the target, but the most prevalent are ransomware and Point-Of-Sale oriented malicious scripts.
Through a newly developed Linux port of their new DNS command and control tool known as Anchor_DNS (which is now ported to a new Linux backdoor version called ‘Anchor_Linux‘), the campaign is now performing cross-platform attacks. This lightweight Linux malware is usually delivered as a zip file. Upon execution, the file impersonates cron job. Meanwhile, the backdoor obtains the public IP for the host and establish communication with the command-and-control server via DNS.
The malware is a simple backdoor to drop other malicious payloads. But it was seen that a Windows TrickBot executable was also attached with the backdoor which was used to infect other Windows system on the same network via SMB shares and IPC.
When successfully copied to a Windows device, Anchor_Linux will configure it as a Windows service using the Service Control Manager Remote protocol and the SMB SVCCTL named pipe. And after configured in the Windows host system, the malware connects with the command and control server to send and receive commands to execute.
The malware has three communication types, each are assigned a number:
The Linux version of the malware enables threat actors to infect non-Windows machines with backdoors to compromise Windows systems across the network.
In infected Linux devices, the malware creates a log file at /tmp/anchor.log. Even worse, the malware also infects the IoT devices running on the Linux distribution.
Once the attack is executed and the required credentials are exfiltrated, the malware cleans evidence of the attack. Along with this, it also deploys ransomware viruses such as Ryuk and Conti in order to encrypt devices on the network as the final stage of their attack.
TrickBot is also a malware-as-a-service, that means it rents access to other cybercriminals and APTs to exfiltrate data and perform other nefarious activities. Cybercriminals also use TrickBot’s service to steal credentials from financial institutions.
Mitigation
TrickBot is spread through malicious email attachments. So always check the credibility of the email sent by hovering over the link.
Practice network segmentation with encryption. So if any of the devices in the organisation network is compromised, network segmentation prevents lateral movement of the malware. You can then take the infected system off the network, isolate it and remove the trojan from it.
Install Next Gen Behavioural-based AV or additional AV capabilities not based on signatures but files and processes themselves. Modern malware like the TrickBot is polymorphic making the attack evasive.
Educate employees about the latest cyber threats and also teach them about the mitigation of these attacks.