Home Malware Programs Backdoors Anchor


Posted: December 16, 2019

TrickBot has been one of the most popular malware families in the past two years, and it is being used aggregated with other innovative cyber-threats that aim to enhance TrickBot's functionality frequently. One of the most recent campaigns to involve the TrickBot Trojan also introduced a new malware family to cybersecurity experts – the Anchor Backdoor Trojan. This malware family has not been used in previous attacks, and so far, it has not been used without being accompanied by TrickBot. There are speculations that the authors of the Anchor backdoor might be the same people responsible for the creation and development of TrickBot.

The list of features that the Anchor backdoor supports is not that impressive, but its authors have opted for an innovative communication protocol that is used to retrieve commands from the control server. Often, this task is handled with the use of the HTTP protocol, but the threat actor behind the Anchor backdoor has opted to use the DNS protocol for this purpose. This is a special feature many conventional security products do not monitor or filter DNS communications actively since this may often cause problems for legitimate tools. Of course, using the DNS protocol also has some setbacks- the active copy of the Anchor backdoor cannot exfiltrate meaningful data from the compromised host. It is only able to retrieve and execute commands without returning a response.

A Combination of TrickBot and Anchor is Used against the Retail Sector

The Anchor backdoor is able to execute remote commands on the compromised host, as well as retrieve and initialize additional payloads on the compromised host. It appears that the combination of TrickBot and Anchor has been used against point-of-sale devices exclusively, which might mean that the threat actor behind the recent campaign is motivated financially. Security researchers report that one of the likely suspects is the FIN6 hacking group, but there is no way to confirm this yet.

The Anchor backdoor continues to be improved by its operators actively, and it is very likely that it will be employed in future attacks. Businesses can secure their networks against high-profile cyber-threats like this one by employing the best security practices and relying on the defense mechanisms of reputable anti-virus products.

Related Posts