Targeted Attacks Deliver New “Anchor” Malware to High-Profile Companies
TrickBot/Anchor Campaign Could be a New Targeted Magecart Attack Against High-Profile Companies
TrickBot has been used in 2019 campaigns to deliver ransomware such as Ryuk and Lockergoga. Now, a new campaign that started in October is being used to deliver financial malware against financial, manufacturing and retail organizations. The ultimate target is the companies’ point-of-sale (POS) systems.
The campaign is being monitored by the Cybereason Nocturnus research group. It starts with a phishing attack to deliver TrickBot, write the researchers, and ultimately delivers a relatively new malware family, Anchor. It exclusively targets high-profile companies.
The version of Anchor used in this campaign seems to have been around since August 2018 or earlier, but is previously undocumented. It is delivered by an enhanced version of TrickBot that focuses on stealing passwords from various products, including the KeePass password manager. The researchers comment that Anchor “appears to be tightly connected to TrickBot, potentially even authored by the same individuals who created TrickBot.”
Cybereason does not attempt any attribution for this campaign. Nevertheless. it mentions FIN6 within its report because of similarities in style and content, commenting, “some of the tools and techniques detailed, have certain resemblance to past attacks that were linked to the financially-motivated FIN6 threat actor.” On the tools used within the campaign, it notes, “Both Meterpreter and Cobalt Strike are legitimate penetration testing tools that have been repeatedly used by various threat actors, including the FIN6 threat actor.” No other threat group is mentioned within the report.
These are observations rather than attributions. “We do not attribute this attack to FIN6,” Assaf Dahan, senior director, head of threat research at Cybereason, told SecurityWeek. “In our blog we draw the reader’s attention to some similarities in tools and techniques previously used in attacks attributed to FIN6.”
However, in relation to the POS targets, he also said, “In the attacks that we saw, the purpose of the hacking was to deploy malware that can scrape the memory in order to extract credit card information and other sensitive data.”
If we go with the idea that the campaign is indeed being undertaken by FIN6, it is worth noting that the group has already been associated with the Magecart 6 group. Magecart is an attack methodology that focuses on payment detail POS skimming. It has to be accepted that there is at least a possibility that this advanced campaign targeting high-profile companies should be classified as another Magecart attack by a known Magecart group.
The campaign starts with phishing. It has a link to a file hosted on Google Docs, titled ‘Annual Bonus Report.doc’, that is disguised as a Word document. It is really the TrickBot downloader, activated when the victim tries to access the document. While the download is in process, the file disguises the action by suggesting that the user may need to update Word or try again from a different computer.
Once downloaded (most of the initial payloads in the campaign are signed with valid certificates), the TrickBot payload is injected into an svchost.exe process. TrickBot steals data, including the location of the victim and where possible the master key to KeePass (obtained by a dictionary attack using PoshKPBrute), and sends it to a hardcoded C2 server.
Reconnaissance is performed by a combination of crafted PowerShell commands and legitimate Windows processes including nltest.exe, net.exe, ipconfig.exe, whoami.exe, and nslookup.exe. It also investigates whether it can spread to other systems in the network.
If the information obtained suggests a high value target, the attackers switch to interactive hacking for further reconniassance, lateral movement and the deployment of additional malware. “Using Meterpreter,” explain the researchers, “the attackers injected Cobalt Strike and other Metasploit payloads into the rundll32.exe process.”
If the victim is among those targeted, a version of Anchor malware is downloaded. During its investigation, the researchers discovered a new version of Anchor_DNS. This was originally discovered and described by NTT Security in October 2019, and — continuing the TrickBot connection — classified at the time as a variant of TrickBot. It uses DNS tunneling for stealthy C2 communication, and was probably in use as early March.
The new version, say the researchers, “acts as a sophisticated, stealthy backdoor that selectively chooses high-profile targets. Anchor_DNS is still undergoing rapid development cycles with code changes and new feature updates every few weeks.”
The researchers also found unidentified malware linked to TrickBot infections, and dating back to August 2018. This malware is called ‘Anchor’ by its authors. It does not communicate over DNS, but shares many behavioral, code and string similarities to Anchor_DNS, and some to TrickBot. “Anchor and Anchor_DNS,” say the researchers, “are both directly linked to TrickBot infections, as they are downloaded by TrickBot as secondary payloads.”
They continue, “Both Anchor and Anchor_DNS are directly related to TrickBot infections and have code similarities, and sometimes also share C2 infrastructure with TrickBot. Anchor_DNS uses various techniques to keep itself under-the-radar, such as communication over DNS, and the reliance on specific command-line arguments in order to run properly. Through these techniques, it is able to evade many security products including certain sandboxes and AV vendors.”
It seems possible, but not proven, that the actor behind this campaign is FIN6, and that this is another example of a targeted Magecart attack. It also seems likely that the developer behind Anchor is the same developer behind TrickBot.