Recent investigations indicate that despite concerted efforts to disrupt the TrickBot malware operations, its creators are adapting and evolving their tactics. A report from cybersecurity firm Netscout reveals that the authors of TrickBot have ported elements of their malicious code to Linux, broadening their potential target base.

Initially identified in 2016, TrickBot is recognized as a financial Trojan that traditionally operated on Windows systems. It has employed various modules to execute a range of nefarious activities, including the theft of credentials and the deployment of ransomware. However, recent actions by US Cyber Command and Microsoft led to the dismantling of a substantial portion—approximately 94%—of TrickBot’s command-and-control infrastructure.

Amidst these disruptions, the operators are not remaining passive. Netscout’s findings suggest that they are not only attempting to restore their previous operations but also trying to leverage new avenues such as Linux to enrich their criminal portfolio.

A notable development is the emergence of a backdoor framework known as Anchor, discovered at the close of 2019. This framework uses the DNS protocol for covert communication with command-and-control servers. According to SentinelOne, it lets adversaries quickly target higher-value victims with greater sophistication.

In April, IBM X-Force observed renewed cyberattack patterns indicating a collaboration between TrickBot and the FIN6 hacking group, utilizing the Anchor framework to exploit corporate networks for financial gain. An emerging variant, named “Anchor_DNS,” employs DNS tunneling to facilitate its communications, allowing for data transmission in a manner that is more challenging to detect.

In a further extension to their operations, a new Linux variant named “Anchor_Linux” has been identified by Stage 2 Security researcher Waylon Grange. This version installs itself as a cron job, identifies the public IP address of the infected host, and initiates communication with its command-and-control server via DNS queries.

Netscout’s research highlights the intricate communication process between the compromised systems and the command-and-control servers. Upon initiation, the infected client transmits commands and system information, to which the server responds with instructions. Each step in this relay reflects a sophisticated understanding of coding and communication obfuscation.
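The DNS-tunnelled command relay described above leaves a recognisable shape in resolver logs: one client sending many distinct, long, high-entropy subdomain labels to a single parent zone. The following is an added detection example written for this article (it is not Netscout's, Stage 2 Security's, or the malware's code); the DNS log lines and the `c2-placeholder.invalid` zone are constructed sample data, and the thresholds are assumptions to tune per environment.

```python
import math
from collections import defaultdict

HEX = "0123456789abcdef"

def _fake_chunk(i: int) -> str:
    """Constructed stand-in for a tunnelled data label (not real Anchor output)."""
    rotated = HEX[i:] + HEX[:i]
    return rotated + "." + rotated[:10]

# Constructed DNS query log: (client_ip, queried_name). The C2 zone is a placeholder.
SAMPLE_DNS_LOG = (
    [("10.0.0.5", f"img{i}.cdn.example.com") for i in range(8)]  # benign, short labels
    + [("10.0.0.6", "a" * 30 + ".example.com")]                  # long but low entropy
    + [("10.0.0.7", f"{_fake_chunk(i)}.c2-placeholder.invalid") for i in range(6)]
)

def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(name: str, levels: int = 2):
    """Return (subdomain, parent) where parent is the last `levels` labels."""
    labels = name.split(".")
    return ".".join(labels[:-levels]), ".".join(labels[-levels:])

def find_tunneling_suspects(log, min_unique=5, min_sub_len=24, min_entropy=3.0):
    """Flag (client, parent_domain) pairs that send many distinct, long,
    high-entropy subdomains to one parent zone, the usual DNS-tunnelling shape."""
    seen = defaultdict(set)
    for client, name in log:
        sub, parent = split_name(name)
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            seen[(client, parent)].add(sub)
    return {key: len(subs) for key, subs in seen.items() if len(subs) >= min_unique}

if __name__ == "__main__":
    for (client, parent), n in find_tunneling_suspects(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {parent}: {n} distinct encoded subdomains")
```

Run against real resolver or passive-DNS logs, the same function surfaces hosts whose query pattern matches the relay described above; the benign CDN client and the long-but-repetitive label are deliberately left unflagged.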

The capabilities of the Anchor framework illustrate not only the TrickBot group’s technical prowess but also their ongoing adaptability in the face of increased scrutiny and counteraction. The shift to Linux platforms represents a significant tactical evolution, allowing them to potentially breach networks that were previously considered secure against Windows-centric threats.

For businesses focused on cybersecurity, this multifaceted threat emphasizes the need for robust defenses that account for cross-platform vulnerabilities and advanced malware tactics, such as those described in the MITRE ATT&CK framework. Techniques linked to initial access, persistence, and privilege escalation are critical in understanding the methods employed by these advanced adversaries.
