Recently, Waylon Grange, a researcher at Stage 2 Security, discovered a new sample showing that TrickBot’s Anchor malware platform has been ported to infect Linux devices.
TrickBot is a multi-purpose Windows malware platform used for stealing information and passwords, compromising Windows domains and delivering further malware. Threat actors rent it, use it to infiltrate a network and harvest whatever they can from it, and then deploy ransomware such as Ryuk and Conti to encrypt the network’s devices.
At the end of 2019, SentinelOne and NTT reported a new TrickBot framework named Anchor that uses DNS to communicate with its command and control servers. Anchor_DNS is used against high-value, high-impact targets holding valuable financial information; the operators use it to deploy ransomware and as a backdoor in APT-like campaigns.
Vitali Kremez, an analyst at Advanced Intel, analyzed the Anchor_Linux sample found by Intezer Labs and said that, when installed, the malware configures itself to run every minute as root using the following system crontab entry (the format with a user field, as in /etc/crontab or /etc/cron.d):
*/1 * * * * root [filename]
The malware also contains an embedded Windows TrickBot executable. According to Intezer, this embedded binary is a new lightweight TrickBot variant whose code is related to the older TrickBot tools, and it is used to infect Windows machines on the same network. Over SMB, using the IPC$ share, Anchor_Linux copies the embedded TrickBot binary to a Windows device on the network; it then configures it as a Windows service using the Service Control Manager Remote protocol over the SMB SVCCTL named pipe. Creating a service this way requires administrative credentials on the target, so the SMB session and the service creation are the points where this lateral movement can be observed.
Once the service is configured, the malware is started on the Windows host and connects to the command and control server to fetch commands to execute. This lets the attackers target non-Windows environments as well with a backdoor, and use that backdoor to pivot to Windows devices on the same network. On the Windows side, a service installed this way is recorded in the System event log as a service-installation event (event ID 7045), which is the place to corroborate a suspected pivot.
As Kremez said, “The malware acts as a covert backdoor persistence tool in UNIX environments, used as a pivot for Windows exploitation as well as an unorthodox initial attack vector outside of email phishing. It allows the group to target and infect servers in UNIX environments (such as routers) and use them to pivot to corporate networks.”
IoT devices such as routers, VPN appliances and NAS devices that run Linux could also be targets of this new Anchor_Linux malware, so it is important to give your Linux systems and IoT devices adequate protection.
For Linux users: Anchor_Linux creates a log file at /tmp/anchor.log. If that file exists on your system, perform a complete audit of the system for the presence of this malware. Bear in mind that the file is only one indicator: an attacker can delete it, so its absence does not prove a clean host, and the every-minute root cron entry described above is a second thing to check.
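The following shell script is added here as an example and is not code from the article or from Anchor_Linux. It hunts for the two host indicators named above: root cron jobs scheduled every minute, the shape of the entry Kremez described, and the /tmp/anchor.log file. The crontab contents it scans are constructed sample data, and the `/tmp/.hidden/suspect_binary` path and the function names (`find_minute_root_jobs`, `check_anchor_log`, `audit_host`) are this example's own.

```shell
#!/bin/sh
# Added hunting example for the Anchor_Linux indicators described above.
# Not Anchor_Linux's code and not from the article; the sample crontab
# contents, the /tmp/.hidden/suspect_binary path and the function names
# are constructed for this demonstration.

# Print every entry in a system-crontab-format file (user field present,
# as in /etc/crontab and /etc/cron.d/*) that runs as root every minute,
# i.e. minute field "*" or "*/1" with the other four schedule fields "*".
# Exit status 0 if at least one such entry was found, 1 otherwise.
find_minute_root_jobs() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        /^[[:space:]]*[A-Za-z_]+=/ { next }           # SHELL=, PATH= assignments
        $1 ~ /^(\*|\*\/1)$/ && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" && $6 == "root" {
            print FILENAME ": " $0
            found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Report the log file the article names. Exit 0 if present, 1 if not.
# Only an indicator: its absence does not prove a clean host.
check_anchor_log() {
    log="${1:-/tmp/anchor.log}"
    if [ -f "$log" ]; then
        echo "indicator present: $log"
        return 0
    fi
    return 1
}

# Run both checks against the real system locations (run this as root).
# Exit 0 if anything was flagged, 1 if nothing was.
audit_host() {
    hits=0
    for f in /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] || continue
        find_minute_root_jobs "$f" && hits=1
    done
    check_anchor_log && hits=1
    [ "$hits" -eq 1 ]
}

# Constructed sample in /etc/crontab format (not a real host's file):
# two ordinary entries and one every-minute root entry of the shape
# Kremez described, pointing at a placeholder path.
SAMPLE_CRONTAB="$(mktemp)"
cat > "$SAMPLE_CRONTAB" <<'EOF'
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/1 * * * * root /tmp/.hidden/suspect_binary
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
EOF

# Constructed clean sample: the same ordinary entries, no every-minute job.
CLEAN_CRONTAB="$(mktemp)"
grep -v '^\*/1' "$SAMPLE_CRONTAB" > "$CLEAN_CRONTAB"

find_minute_root_jobs "$SAMPLE_CRONTAB"   # prints only the /tmp/.hidden/suspect_binary line
```

`audit_host` is the call to make on a real machine; the hourly and daily `run-parts` entries in the sample show that the filter ignores ordinary system jobs and only surfaces the every-minute root schedule. A legitimate every-minute root job is possible, so each hit still needs triage: look at where the command lives, whether the package manager owns it, and whether /tmp/anchor.log is present alongside it.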