TrickBot Linux Variants Active in the Wild Despite Recent Takedown

October 28, 2020, Ravie Lakshmanan

Efforts to disrupt TrickBot may have shut down most of its critical infrastructure, but the operators behind the notorious malware aren't sitting idle. According to new findings shared by cybersecurity firm Netscout, TrickBot's authors have moved portions of their code to Linux in an attempt to widen the scope of victims that could be targeted.

TrickBot, a financial Trojan first detected in 2016, has traditionally been a Windows-based crimeware solution, employing different modules to perform a wide range of malicious activities on target networks, including credential theft and the deployment of ransomware.

But over the past few weeks, twin efforts led by the US Cyber Command and Microsoft have helped to eliminate 94% of TrickBot's command-and-control (C2) servers that were in use, as well as the new infrastructure the criminals operating TrickBot attempted to bring online to replace the previously disabled servers.

Despite the steps taken to impede TrickBot, Microsoft cautioned that the threat actors behind the botnet would likely make efforts to revive their operations.

TrickBot's Anchor Module

At the end of 2019, a new TrickBot backdoor framework called Anchor was discovered using the DNS protocol to communicate with C2 servers stealthily.
The module "allows the actors — potential TrickBot customers — to leverage this framework against higher-profile victims," said SentinelOne, adding the "ability to seamlessly integrate the APT into a monetization business model is evidence of a quantum shift."

Indeed, IBM X-Force spotted new cyberattacks earlier this April revealing collaboration between FIN6 and TrickBot groups to deploy the Anchor framework against organizations for financial profit.

The variant, dubbed "Anchor_DNS," enables the infected client to utilize DNS tunneling to establish communications with the C2 server, which in turn transmits data with resolved IPs as a response, NTT researchers said in a 2019 report.

But a new sample uncovered by Stage 2 Security researcher Waylon Grange in July found that Anchor_DNS has been ported to a new Linux backdoor version called "Anchor_Linux."

"Often delivered as part of a zip, this malware is a lightweight Linux backdoor," Grange said. "Upon execution it installs itself as a cron job, determines the public IP [address] for the host and then begins to beacon via DNS queries to its C2 server."

How the C2 Communication Works Using Anchor

Netscout's latest research decodes this flow of communication between the bot and the C2 server. During the initial setup phase, the client sends "c2_command 0" to the server along with information about the compromised system and the bot ID, which then responds with the message "signal /1/" back to the bot.

As an acknowledgment, the bot sends the same message back to the C2, following which the server remotely issues the command to be executed on the client. In the last step, the bot sends back the result of the execution to the C2 server.

"Every part of communication made to the C2 follows a sequence of 3 different DNS queries," Netscout security researcher Suweera De Souza said. The result of the third query is a list of IP addresses that are subsequently parsed by the client to build the executable payload.
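The beaconing pattern described above (repeated queries under one parent domain with encoded labels, and answers that return lists of resolved IPs rather than a single address) can be hunted in passive DNS logs. This is an added detection example, not Netscout's or Stage 2 Security's code; the log format, domain names, sample records and thresholds are constructed assumptions.

```python
"""Hunt for Anchor_DNS-style tunnelling in passive DNS logs (added example).
Assumed log format (constructed): "<ts> <client_ip> <qname> <qtype> <answers>",
answers being a comma-separated list of resolved IPs or "-" when empty.
Scores per (client, parent domain): distinct subdomains, label entropy, IPs per answer."""
import math
from collections import Counter, defaultdict

# Constructed sample: 10.0.0.5 beacons to one parent domain with encoded labels
# and receives multi-IP answers; 10.0.0.9 performs ordinary lookups.
SAMPLE_LOG = """\
1603900000 10.0.0.5 a7f3c9e1b2d4.f00dbabe5566.example-c2.test A 203.0.113.7,203.0.113.9,203.0.113.12
1603900001 10.0.0.5 9e2b7d10ccaa.41ffe0199c3b.example-c2.test A 198.51.100.4,198.51.100.8,198.51.100.15
1603900002 10.0.0.5 0b1c2d3e4f5a.6b7c8d9e0f1a.example-c2.test A 192.0.2.30,192.0.2.31,192.0.2.32
1603900003 10.0.0.5 c0ffee123456.deadbeef7890.example-c2.test A 192.0.2.40,192.0.2.41
1603900004 10.0.0.9 www.example.org A 93.184.216.34
1603900005 10.0.0.9 mail.example.org A 93.184.216.35
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded/compressed data scores high, plain words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname: str):
    """Simplification: treat the last two labels as the parent (registered) domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyze(log_text: str, min_queries=3, min_entropy=3.0, min_ips=2.0):
    """Return one finding per (client, parent domain) meeting all three thresholds."""
    stats = defaultdict(lambda: {"subs": set(), "ent": [], "ips": []})
    for line in log_text.strip().splitlines():
        _ts, client, qname, _qtype, answers = line.split()
        sub, parent = split_name(qname)
        s = stats[(client, parent)]
        s["subs"].add(sub)                       # how many distinct encoded labels
        s["ent"].append(shannon_entropy(sub))    # how random the labels look
        s["ips"].append(0 if answers == "-" else len(answers.split(",")))
    findings = []
    for (client, parent), s in stats.items():
        n = len(s["ent"])
        mean_ent, mean_ips = sum(s["ent"]) / n, sum(s["ips"]) / n
        if len(s["subs"]) >= min_queries and mean_ent >= min_entropy and mean_ips >= min_ips:
            findings.append({"client": client, "parent": parent, "queries": n,
                             "mean_entropy": round(mean_ent, 2), "mean_ips": round(mean_ips, 2)})
    return findings
```

Thresholds are starting points for tuning against a baseline of benign traffic; CDN and DNS-based service-discovery domains also return multi-IP answers and will need allow-listing.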
The last piece of data sent by the C2 server corresponds to a range of commands (numbered 0-14 in Windows, and 0-4, 10-12, and 100 in Linux) for the bot to execute the payload via cmd.exe or by injecting it into multiple running processes such as Windows File Explorer or Notepad.

"The complexity of Anchor's C2 communication and the payloads that the bot can execute reflect not only a portion of the Trickbot actors' considerable capabilities, but also their ability to constantly innovate, as evidenced by their move to Linux," De Souza said.