TrickBot Linux

7/31/20: Update added below with information from Intezer Labs and a link to the malware sample. This article was originally published on July 30th, 2020.

TrickBot’s Anchor malware platform has been ported to infect Linux devices and compromise further high-impact and high-value targets using covert channels.Linux warning: TrickBot malware is now infecting your systemsTop ArticlesConfirmed: Garmin received decryptor forWastedLocker ransomwareHavenly discloses data breach after 1.3M accounts leaked onlineConfirmed: Garmin received decryptor for WastedLocker ransomwareHow to fix Windows Update problems in Windows 10How to use Windows 10 to see what's using the most disk spaceThe Week in Ransomware - July 31st 2020 - Cooked CrabThree suspects charged for roles in Twitter hack, Bitcoin scamREAD MORESKIP ADTrickBot is a multi-purpose Windows malware platform that uses different modules to perform various malicious activities, including information stealing, password stealing, Windows domain infiltration, and malware delivery.

TrickBot is rented by threat actors who use it to infiltrate a network and harvest anything of value. It is then used to deploy ransomware such as Ryuk and Conti to encrypt the network’s devices as a final attack.

At the end of 2019, both SentinelOne and NTT reported a new TrickBot framework called Anchor that utilizes DNS to communicate with its command and control servers.

TrickBot's Anchor framework
TrickBot’s Anchor framework
Source: SentinelOne

Named Anchor_DNS, the malware is used on high-value, high-impact targets with valuable financial information.

In addition to the ransomware deployments via Anchor infections, the TrickBot Anchor actors also use it as a backdoor in APT-like campaigns that target point-of-sale and financial systems.

TrickBot’s Anchor backdoor malware is ported to Linux

Historically, Anchor has been a Windows malware. Recently a new sample has been discovered by Stage 2 Security researcher Waylon Grange that shows that Anchor_DNS has been ported to a new Linux backdoor version called ‘Anchor_Linux.’

Anchor_linux string found in x64 Linux executable
Anchor_Linux string found in x64 Linux executable
Source: Waylon Grange

Advanced Intel’s Vitali Kremez analyzed a sample of the new Anchor_Linux malware found by Intezer Labs.

Kremez told BleepingComputer that, when installed, Anchor_Linux will configure itself to run every minute using the following crontab entry:

*/1 * * * * root [filename]
Embedded Windows executable
Setting up persistence via CRON
Source: Vitali Kremez

In addition to acting as a backdoor that can drop malware on the Linux device and execute it, the malware also contains an embedded Windows TrickBot executable.

Embedded Windows executable
Embedded Windows executable
Source: Vitali Kremez

According to Intezer, this embedded binary is a new light-weight TrickBot malware “with code connections to older TrickBot tools” and is used to infect Windows machines on the same network.

To infect Windows devices, Anchor_Linux will copying the embedded TrickBot malware to Windows hosts on the same network using SMB and $IPC.

When successfully copied to a Windows device, Anchor_Linux will configure it as a Windows service using the Service Control Manager Remote protocol and the SMB SVCCTL named pipe.

Copying a file via SMB
Copying a file via SMB
Source: Waylon Grange

When the service is configured, the malware is started on the Windows host, connecting back to the command and control server for commands to execute.

This Linux version allows threat actors to target non-Windows environments with a backdoor that lets the attackers covertly pivot to Windows devices on the same network.

“The malware acts as covert backdoor persistence tool in UNIX environment used as a pivot for Windows exploitation as well as used as an unorthodox initial attack vector outside of email phishing. It allows the group to target and infect servers in UNIX environment (such as routers) and use it to pivot to corporate networks,” Kremez told BleepingComputer in a conversation about the malware.

Even worse, many IoT devices such as routers, VPN devices, and NAS devices run on Linux operating systems, which could potentially be a target for Anchor_Linux.

With this evolution of the TrickBot malware, it is increasingly important for Linux systems and IoT devices to have adequate protection and monitoring to detect threats like Anchor_Linux

For Linux users concerned, they may be infected, Anchor_Linux will create a log file at /tmp/anchor.log. If this file exists, you should perform a complete audit of the system for the presence of the Anchor_Linux malware.

Kremez told BleepingComputer that he believes that Anchor_Linux is still in development due to testing functionality in the Linux executable.

It is expected that TrickBot will continue its development to make it a full-featured addition to its Anchor framework.

Related Articles:

BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware

TrickBot Gang Created a Custom Post-Exploitation Framework

Lazarus Hackers Use TrickBot to Infect High-End Victims

Sneaky Doki Linux malware infiltrates Docker cloud instances

Lazarus hackers deploy ransomware, steal data using MATA malware

[출처 : Bleeping Computer / 2020.07.31.]