TrickBot, a Windows malware that acts as a backdoor for several other payloads, has reportedly taken a new form. According to new reports, TrickBot's Anchor module now has a Linux version, which also carries the Windows executable so that it can infect both Linux and Windows systems on the same network.
TrickBot Anchor Linux Malware Infects More Windows Systems
TrickBot has evolved into one of the more reliable backdoors of recent years. Security researchers at SentinelOne and NTT have reported that TrickBot's Anchor module uses DNS-based communication to reach the attackers' C2, and that it has grown into a multi-purpose malware for stealing data and passwords, infiltrating Windows domains and, above all, acting as a backdoor.
This backdoor capability has attracted other threat actors, who buy access to TrickBot's Anchor to deliver their own payloads through it; they include the Ryuk and Conti ransomware groups. And now a new report from Waylon Grange of Stage 2 Security says that TrickBot's Anchor malware has a Linux version.
This new port is still ultimately aimed at Windows machines, but it reaches them by infecting Linux systems first. Named Anchor_Linux, the malware carries an embedded Windows TrickBot executable, which it copies to Windows hosts on the same network over SMB and then installs and starts as a service using the Service Control Manager Remote Protocol (SVCCTL). Once that Windows executable is running, it connects to the attackers' C2 for commands.
Vitali Kremez from Advanced Intel has also analysed samples of this malware and said, "The malware acts as a covert backdoor persistence tool in a UNIX environment used as a pivot for Windows exploitation as well as used as an unorthodox initial attack vector outside of email phishing. It allows the group to target and infect servers in a UNIX environment (such as routers) and use it to pivot to corporate networks."
Thus, Linux-based devices such as routers, computers, NAS units and VPN appliances could all be affected by this new Anchor_Linux malware. If you run a Linux system and want to check whether it is infected, look for the log file /tmp/anchor.log: Anchor_Linux creates it, and if it exists you should audit the system for further signs of the backdoor. Its absence is not proof of a clean system, since /tmp is cleared on reboot on many distributions and an attacker can simply delete the file.
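A small triage script for the check described above, added here as an example and not taken from the original report or from any of the researchers' tooling. It looks for the /tmp/anchor.log indicator under a root directory (so it can be pointed at a mounted disk image or a test directory) and, when the indicator is present, lists cron entries and executables in /tmp as a generic starting point for the follow-up audit. The cron and /tmp listing is an assumption about where a dropped backdoor usually persists, not something the article states about Anchor_Linux.

```shell
#!/bin/sh
# Anchor_Linux triage helper (added example, not the malware authors' or
# researchers' code). The only page-sourced indicator is /tmp/anchor.log;
# the cron and /tmp checks below are a generic persistence audit (assumption).

# anchor_log_present ROOT
# Returns 0 if ROOT/tmp/anchor.log exists, 1 otherwise. ROOT defaults to "/".
anchor_log_present() {
    root="${1:-/}"
    [ -f "${root%/}/tmp/anchor.log" ]
}

# anchor_triage ROOT
# Reports the indicator and, if it is present, prints persistence context.
# Returns 0 when the indicator was found, 1 when it was not.
anchor_triage() {
    root="${1:-/}"
    r="${root%/}"
    if ! anchor_log_present "$root"; then
        echo "no ${r}/tmp/anchor.log found (absence is not proof of a clean host)"
        return 1
    fi

    echo "INDICATOR: ${r}/tmp/anchor.log exists"
    ls -l "${r}/tmp/anchor.log"

    # Generic audit step (assumption): cron is a common persistence location.
    for f in "${r}/etc/crontab" "${r}"/etc/cron.d/* "${r}"/var/spool/cron/crontabs/*; do
        if [ -f "$f" ]; then
            echo "--- cron: $f"
            grep -v '^[[:space:]]*#' "$f" || true   # grep exits 1 when nothing matches
        fi
    done

    # Generic audit step (assumption): executables left in /tmp deserve a look.
    if [ -d "${r}/tmp" ]; then
        echo "--- executables in ${r}/tmp"
        find "${r}/tmp" -maxdepth 1 -type f -perm -100 -exec ls -l {} \; 2>/dev/null || true
    fi
    return 0
}

# Run against the live system when executed directly as anchor_triage.sh;
# sourcing the file only defines the functions.
case "$0" in
    */anchor_triage.sh|anchor_triage.sh) anchor_triage "${1:-/}" ;;
esac
```

Run it as root (`sh anchor_triage.sh`) on the host you want to check, or pass the mount point of an offline image (`sh anchor_triage.sh /mnt/image`). A non-zero exit means the indicator was not found; a zero exit means it was, and the listed cron entries and /tmp executables are the first things to inspect.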