TrickBot’s new Linux malware covertly infects Windows devices

Filed under Security News, Alerts.

TrickBot’s Anchor malware platform has been ported to infect Linux devices and compromise further high-impact and high-value targets using covert channels.

TrickBot is a multi-purpose Windows malware platform that uses different modules to perform various malicious activities, including information stealing, password stealing, Windows domain infiltration, and malware delivery.

TrickBot is rented by threat actors who use it to infiltrate a network and harvest anything of value. It is then used to deploy ransomware such as Ryuk and Conti to encrypt the network’s devices as a final attack.

At the end of 2019, both SentinelOne and NTT reported a new TrickBot framework called Anchor that utilizes DNS to communicate with its command and control servers.

Named Anchor_DNS, the malware is used on high-value, high-impact targets with valuable financial information.

In addition to the ransomware deployments via Anchor infections, the TrickBot Anchor actors also use it as a backdoor in APT-like campaigns that target point-of-sale and financial systems.

TrickBot’s Anchor backdoor malware is ported to Linux

Historically, Anchor has been Windows-only malware. Recently, a new sample discovered by Stage 2 Security researcher Waylon Grange showed that Anchor_DNS has been ported to a new Linux backdoor version called ‘Anchor_Linux.’

In addition to acting as a backdoor that can drop malware on the Linux device and execute it, the malware also contains an embedded Windows TrickBot executable.

Anchor_Linux can be used by the threat actors to copy the embedded TrickBot executable to Windows hosts on the same network over SMB, using the IPC$ administrative share.

Once the executable has been copied to a Windows device, Anchor_Linux configures it as a Windows service using the Service Control Manager Remote protocol (MS-SCMR), carried over the SVCCTL named pipe on SMB.

When the service is configured, the malware is started on the Windows host, connecting back to the command and control server for commands to execute.

This Linux version allows threat actors to target non-Windows environments with a backdoor that lets the attackers covertly pivot to Windows devices on the same network.
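The pivot just described leaves a recognisable trace on the Windows side: a network logon from the Linux host (Security event 4624, logon type 3) followed shortly afterwards by a service installation (System event 7045, "A service was installed in the system") on the same machine. The following detection sketch correlates those two events. It is an added example written for this page, not code from BleepingComputer, CSIRT-CY or the malware's authors; it assumes the events have been exported as dictionaries keyed by the field names used in the Windows event XML, and the sample events and the list of known Linux hosts are constructed for the example.

```python
"""Correlate a remote (type 3) logon with a service install on the same host.

Added example for this page. Assumes events were flattened to dicts using
the Windows event XML data names (IpAddress, LogonType, ServiceName,
ImagePath, ...). Sample events and KNOWN_LINUX_HOSTS are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry: a type-3 logon from 10.0.5.23 is followed
# eight seconds later by a service install on the same workstation. The
# later events are benign noise (an interactive logon, a normal AV install).
EVENTS = [
    {"EventID": 4624, "Time": "2020-07-28T09:14:02", "LogonType": 3,
     "IpAddress": "10.0.5.23", "TargetUserName": "svc_backup",
     "Computer": "WS-FIN-07"},
    {"EventID": 7045, "Time": "2020-07-28T09:14:10", "ServiceName": "anchor",
     "ImagePath": "C:\\Windows\\Temp\\update.exe", "StartType": "auto start",
     "Computer": "WS-FIN-07"},
    {"EventID": 4624, "Time": "2020-07-28T09:20:00", "LogonType": 2,
     "IpAddress": "-", "TargetUserName": "alice", "Computer": "WS-FIN-07"},
    {"EventID": 7045, "Time": "2020-07-28T11:00:00", "ServiceName": "CorpAV",
     "ImagePath": "C:\\Program Files\\CorpAV\\av.exe", "StartType": "auto start",
     "Computer": "WS-FIN-07"},
]

# Assumption: an asset inventory tells us which IPs are Linux boxes. A
# Windows service being installed right after a logon from one of these is
# exactly the Anchor_Linux pivot pattern.
KNOWN_LINUX_HOSTS = {"10.0.5.23"}

WINDOW = timedelta(seconds=60)


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def find_remote_service_installs(events, linux_hosts=KNOWN_LINUX_HOSTS, window=WINDOW):
    """Return one finding per 7045 event that follows a type-3 logon on the
    same computer within `window`. Event 7045 does not record the remote
    address itself, so the logon event supplies the source IP."""
    logons = [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 3]
    installs = [e for e in events if e["EventID"] == 7045]
    findings = []
    for svc in installs:
        for logon in logons:
            if logon["Computer"] != svc["Computer"]:
                continue
            delta = _ts(svc) - _ts(logon)
            if timedelta(0) <= delta <= window:
                findings.append({
                    "Computer": svc["Computer"],
                    "ServiceName": svc["ServiceName"],
                    "ImagePath": svc["ImagePath"],
                    "SourceIp": logon["IpAddress"],
                    "LogonUser": logon["TargetUserName"],
                    "SecondsAfterLogon": int(delta.total_seconds()),
                    # Highest priority: the remote end is not a Windows host.
                    "FromLinuxHost": logon["IpAddress"] in linux_hosts,
                })
    return findings


if __name__ == "__main__":
    for f in find_remote_service_installs(EVENTS):
        print(f)
```

In practice the same rule fires on legitimate remote administration (PsExec, deployment tools), so the Linux-host check is what turns a noisy rule into a high-confidence one: a non-Windows machine should never be creating services over SVCCTL.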

“The malware acts as a covert backdoor persistence tool in UNIX environments, used as a pivot for Windows exploitation as well as an unorthodox initial attack vector outside of email phishing. It allows the group to target and infect servers in UNIX environments (such as routers) and use them to pivot to corporate networks,” Vitali Kremez of Advanced Intel told BleepingComputer in a conversation about the malware.

Even worse, many IoT devices such as routers, VPN devices, and NAS devices run on Linux operating systems, which could potentially be a target for Anchor_Linux.

With this evolution of the TrickBot malware, it is increasingly important for Linux systems and IoT devices to have adequate protection and monitoring to detect threats like Anchor_Linux.

Linux users concerned that they may be infected can check for the log file the analysed sample writes to /tmp/anchor.log. If this file exists, you should perform a complete audit of the system for the presence of the Anchor_Linux malware; note that its absence proves nothing, since the path is trivial for the operators to change in a later build.
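Checking for /tmp/anchor.log is a one-line test, but the article also gives a more durable indicator: the Linux sample carries a complete Windows TrickBot executable inside it. A PE file embedded in an ELF binary is unusual enough to be worth hunting for on its own. The script below does both checks. It is an added example written for this page, not code from the article or from any vendor; the sample "ELF" it scans is a constructed byte string with a minimal fake PE header inside it, and `anchor_log_present` simply tests for the path named in the article.

```python
"""Host checks for Anchor_Linux indicators described above.

Added example for this page. SAMPLE_ELF is constructed: an ELF magic plus
padding with a minimal DOS/PE header stub embedded at a known offset.
"""
import os
import struct

ANCHOR_LOG = "/tmp/anchor.log"          # path named in the article
ELF_MAGIC = b"\x7fELF"


def anchor_log_present(path=ANCHOR_LOG):
    """True if the log file the analysed sample writes exists."""
    return os.path.exists(path)


def find_embedded_pe(data):
    """Return offsets of every plausible PE image inside `data`.

    A PE starts with a DOS header ("MZ"); the 32-bit field at offset 0x3c
    (e_lfanew) points to the "PE\\0\\0" signature. Requiring both, with a
    sane e_lfanew, keeps random "MZ" byte pairs from matching.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3c)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def is_elf_with_embedded_pe(data):
    """True for an ELF file that carries a Windows executable inside it."""
    return data.startswith(ELF_MAGIC) and bool(find_embedded_pe(data))


def scan_path(path):
    """Convenience wrapper: read a file from disk and scan it."""
    with open(path, "rb") as fh:
        return is_elf_with_embedded_pe(fh.read())


def _fake_pe():
    # Minimal DOS header (0x40 bytes) whose e_lfanew points at a PE signature
    # placed at 0x80. Constructed purely so the scanner has something to find.
    hdr = bytearray(b"MZ" + b"\x00" * 0x3e)
    struct.pack_into("<I", hdr, 0x3c, 0x80)
    hdr += b"\x00" * (0x80 - len(hdr))
    hdr += b"PE\x00\x00" + b"\x00" * 20
    return bytes(hdr)


# Constructed sample: 64-byte ELF header stub, 200 bytes of filler, then the
# embedded PE at offset 264, then trailing bytes.
SAMPLE_ELF = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57
              + b"\x90" * 200 + _fake_pe() + b"\x00" * 50)
CLEAN_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 300


if __name__ == "__main__":
    print("anchor.log present:", anchor_log_present())
    print("embedded PE offsets in sample:", find_embedded_pe(SAMPLE_ELF))
```

To sweep a host, call `scan_path` over the executables you care about (cron entries, init scripts, anything under /tmp or /dev/shm); the article names the log file as the indicator, but an ELF that carries a PE image is the behaviour the malware cannot easily hide.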

Kremez told BleepingComputer that he believes Anchor_Linux is still in development, because the Linux executable still contains testing functionality.

It is expected that TrickBot will continue its development to make it a full-featured addition to its Anchor framework.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.