Even as the TrickBot infrastructure shut down, the operators of the malware are continuing to refine and retool their arsenal to carry out attacks that culminate in the deployment of Conti ransomware.
IBM Security X-Force, which discovered the revamped version of the criminal gang’s AnchorDNS backdoor, dubbed the new, upgraded variant AnchorMail.
AnchorMail “uses an email-based [command-and-control] server which it communicates with using SMTP and IMAP protocols over TLS,” IBM’s malware reverse engineer, Charlotte Hammond, said. “With the exception of the overhauled C2 communication mechanism, AnchorMail’s behavior aligns very closely to that of its AnchorDNS predecessor.”
The cybercrime actor behind TrickBot, ITG23 aka Wizard Spider, is also known for its development of the Anchor malware framework, a backdoor reserved for targeting select high-value victims since at least 2018 via TrickBot and BazarBackdoor (aka BazarLoader), an additional implant engineered by the same group.
Over the years, the group has also benefited from a symbiotic relationship with the Conti ransomware cartel, with the latter leveraging TrickBot and BazarLoader payloads to gain a foothold for deploying the file-encrypting malware.
“By the end of 2021, Conti had essentially acquired TrickBot, with multiple elite developers and managers joining the ransomware cosa nostra,” AdvIntel’s Yelisey Boguslavskiy noted in a report published mid-February.
Less than 10 days later, the TrickBot actors shut down their botnet infrastructure after an unusual two-month-long hiatus in the malware distribution campaigns, marking a pivot that is likely to channel their efforts into stealthier malware families such as BazarBackdoor.
In the midst of all these developments, the AnchorDNS backdoor has received a facelift of its own. While the predecessor communicates with its C2 servers using DNS tunneling – a technique that involves abusing the DNS protocol to sneak malicious traffic past an organization’s defenses – the newer C++-based version makes use of specially crafted email messages.
“AnchorMail uses the encrypted SMTPS protocol for sending data to the C2, and IMAPS is used for receiving it,” Hammond noted, adding that the malware establishes persistence by creating a scheduled task that is set to run every 10 minutes, following it up by contacting the C2 server to fetch and execute any commands to be run.
The commands include the ability to execute binaries, DLLs, and shellcode retrieved from the remote server, launch PowerShell commands, and delete itself from the infected systems.
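The two traits described above, a fixed 10-minute scheduled task and C2 traffic carried over SMTPS/IMAPS, combine into a simple beaconing heuristic for defenders. The following is an added example and not code from IBM or the article: it scans constructed connection events resembling Sysmon Event ID 3 fields and flags processes outside an assumed mail-client allow-list that contact ports 465 or 993 at a steady cadence.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Hypothetical detection helper (added example, not IBM's or THN's code).
MAIL_PORTS = {465, 993}                                  # SMTPS, IMAPS
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list
EXPECTED_INTERVAL = 600                                  # seconds: task runs every 10 min
TOLERANCE = 0.10                                         # tolerate 10% jitter

# Constructed sample events: (timestamp, process image path, destination port)
EVENTS = [
    ("2022-03-01T10:00:03", "C:\\Users\\u\\AppData\\Roaming\\svc.exe", 465),
    ("2022-03-01T10:10:04", "C:\\Users\\u\\AppData\\Roaming\\svc.exe", 993),
    ("2022-03-01T10:20:05", "C:\\Users\\u\\AppData\\Roaming\\svc.exe", 465),
    ("2022-03-01T10:30:02", "C:\\Users\\u\\AppData\\Roaming\\svc.exe", 993),
    ("2022-03-01T10:02:00", "C:\\Program Files\\Outlook\\outlook.exe", 993),
    ("2022-03-01T10:12:00", "C:\\Program Files\\Outlook\\outlook.exe", 993),
    ("2022-03-01T10:22:00", "C:\\Program Files\\Outlook\\outlook.exe", 993),
    ("2022-03-01T10:05:00", "C:\\Windows\\System32\\svchost.exe", 443),
]

def find_mail_beacons(events, expected=EXPECTED_INTERVAL, tol=TOLERANCE):
    """Return image paths of non-mail-client processes that hit mail ports
    on a cadence within `tol` of `expected` seconds."""
    by_process = defaultdict(list)
    for ts, image, port in events:
        name = image.rsplit("\\", 1)[-1].lower()
        if port in MAIL_PORTS and name not in KNOWN_MAIL_CLIENTS:
            by_process[image].append(datetime.fromisoformat(ts))
    flagged = []
    for image, times in by_process.items():
        if len(times) < 3:          # need at least two intervals to judge cadence
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(median(gaps) - expected) <= expected * tol:
            flagged.append(image)
    return flagged

if __name__ == "__main__":
    for image in find_mail_beacons(EVENTS):
        print(f"possible mail-based C2 beacon: {image}")
```

On real telemetry, map the fields from your EDR or proxy logs and widen the allow-list to whatever legitimately speaks SMTPS/IMAPS in your environment before trusting the result.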
“The discovery of this new Anchor variant adds a new stealthy backdoor for use during ransomware attacks and highlights the group’s commitment to upgrading its malware,” Hammond said. “[AnchorMail] has so far only been observed targeting Windows systems. However, as AnchorDNS has been ported to Linux, it seems likely that a Linux-variant of AnchorMail may emerge as well.”