Efforts to disrupt TrickBot may have shut down most of its critical infrastructure, but the operators behind the notorious malware aren’t sitting idle.
According to new findings shared by cybersecurity firm Netscout, TrickBot’s authors have moved portions of their code to Linux in an attempt to widen the scope of victims that could be targeted.
TrickBot, a financial Trojan first detected in 2016, has been traditionally a Windows-based crimeware solution, employing different modules to perform a wide range of malicious activities on target networks, including credential theft and perpetrate ransomware attacks.
But over the past few weeks, twin efforts led by the US Cyber Command and Microsoft have helped to eliminate 94% of TrickBot’s command-and-control (C2) servers that were in use and the new infrastructure the criminals operating TrickBot attempted to bring online to replace the previously disabled servers.
Despite the steps taken to impede TrickBot, Microsoft cautioned that the threat actors behind the botnet would likely make efforts to revive their operations.
TrickBot’s Anchor Module
At the end of 2019, a new TrickBot backdoor framework called Anchor was discovered using the DNS protocol to communicate with C2 servers stealthily.
The module “allows the actors — potential TrickBot customers — to leverage this framework against higher-profile victims, said SentinelOne, adding the “ability to seamlessly integrate the APT into a monetization business model is evidence of a quantum shift.”
The variant, dubbed “Anchor_DNS,” enables the infected client to utilize DNS tunneling to establish communications with the C2 server, which in turn transmits data with resolved IPs as a response, NTT researchers said in a 2019 report.
But a new sample uncovered by Stage 2 Security researcher Waylon Grange in July found that Anchor_DNS has been ported to a new Linux backdoor version called “Anchor_Linux.”
“Often delivered as part of a zip, this malware is a lightweight Linux backdoor,” Grange said. “Upon execution it installs itself as a cron job, determines the public IP [address] for the host and then begins to beacon via DNS queries to its C2 server.”
How the C2 Communication Works Using Anchor
Netscout’s latest research decodes this flow of communication between the bot and the C2 server. During the initial setup phase, the client sends “c2_command 0” to the server along with information about the compromised system and the bot ID, which then responds with the message “signal /1/” back to the bot.
As an acknowledgment, the bot sends the same message back to the C2, following which the server remotely issues the command to be executed on the client. In the last step, the bot sends back the result of the execution to the C2 server.
“Every part of communication made to the C2 follows a sequence of 3 different DNS queries,” Netscout security researcher Suweera De Souza said.
A list of IP records denoting the data corresponding to the payload
The result of the third query is a list of IP addresses that are subsequently parsed by the client to build the executable payload.
The last piece of data sent by the C2 server corresponds to a range of commands (numbered 0-14 in Windows, and 0-4, 10-12, and 100 in Linux) for the bot to execute the payload via cmd.exe or by injecting it into multiple running processes such as Windows File Explorer or Notepad.
“The complexity of Anchor’s C2 communication and the payloads that the bot can execute reflect not only a portion of the Trickbot actors’ considerable capabilities, but also their ability to constantly innovate, as evidenced by their move to Linux,” De Souza said.