TrickBot’s Anchor malware platform has been ported to infect Linux devices and compromise further high-impact and high-value targets using covert channels.
TrickBot is a multi-purpose Windows malware platform that uses different modules to perform various malicious activities, including information stealing, password stealing, Windows domain infiltration, and malware delivery.
TrickBot is rented by threat actors who use it to infiltrate a network and harvest anything of value. It is then used to deploy ransomware such as Ryuk and Conti to encrypt the network’s devices as a final attack.
At the end of 2019, both SentinelOne and NTT reported a new TrickBot framework called Anchor that utilizes DNS to communicate with its command and control servers.
Named Anchor_DNS, the malware is used on high-value, high-impact targets with valuable financial information.
In addition to the ransomware deployments via Anchor infections, the TrickBot Anchor actors also use it as a backdoor in APT-like campaigns that target point-of-sale and financial systems.
TrickBot’s Anchor backdoor malware is ported to Linux
Historically, Anchor has been Windows malware. Recently, a new sample discovered by Stage 2 Security researcher Waylon Grange showed that Anchor_DNS has been ported to a new Linux backdoor version called ‘Anchor_Linux.’
Advanced Intel’s Vitali Kremez analyzed a sample of the new Anchor_Linux malware found by Intezer Labs.
Kremez told BleepingComputer that, when installed, Anchor_Linux will configure itself to run every minute using a crontab entry.
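As an added illustration (not code from the article or from the researchers it cites), the following Python check parses crontab text and reports jobs scheduled to fire every minute, flagging commands that live in temp or hidden directories. The crontab lines are constructed samples, not the real Anchor_Linux entry, and the paths in them are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample of a user crontab (`crontab -l` output). Paths are
# placeholders, not real indicators: one benign hourly job plus two
# every-minute jobs written in the two common spellings.
SAMPLE_USER_CRONTAB = """\
# m h dom mon dow command
0 * * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * /tmp/.cache/sample_binary
*/1 * * * * /var/tmp/.x/updater >/dev/null 2>&1
"""

# Constructed sample in /etc/crontab format, which carries a user field.
SAMPLE_ETC_CRONTAB = """\
SHELL=/bin/sh
* * * * * root /opt/.hidden/run.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def _fires_every_minute(minute_field: str) -> bool:
    """True when the minute field is '*' or '*/1' (the other fields may
    still restrict the hour or day; that is still minute-granular)."""
    return minute_field in ("*", "*/1")


def find_every_minute_jobs(text: str, has_user_field: bool = False) -> List[Dict[str, object]]:
    """Return every crontab entry whose schedule fires each minute.

    Each finding records the schedule, the user (only for /etc/crontab-style
    files) and the command, plus whether the command points into a temp
    directory or a dot-prefixed (hidden) path, both common in persistence.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments, VAR=value lines and @reboot/@hourly aliases.
        if not line or line.startswith("#") or line.startswith("@") or re.match(r"^[A-Za-z_]+=", line):
            continue
        max_split = 6 if has_user_field else 5  # 5 schedule fields [+ user] + command
        parts = line.split(None, max_split)
        if len(parts) < max_split + 1:
            continue  # malformed entry; not enough fields
        if not _fires_every_minute(parts[0]):
            continue
        command = parts[-1]
        findings.append({
            "schedule": " ".join(parts[:5]),
            "user": parts[5] if has_user_field else "",
            "command": command,
            "temp_or_hidden": command.startswith(TEMP_DIRS) or "/." in command,
        })
    return findings
```

On a live host the same function can be fed the output of `crontab -l -u <user>` for each user, plus /etc/crontab and the files under /etc/cron.d (with `has_user_field=True`).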