The creators of the TrickBot have once again updated their malware with new functionality and now it can target Linux devices through its new DNS command and control tool Anchor_DNS.
While TrickBot originally started out as a banking trojan, the malware has evolved to perform other malicious behaviors including spreading laterally through a network, stealing saved credentials in browsers, stealing cookies, checking a device’s screen resolution and now infecting Linux as well as Windows devices.
TrickBot is also malware-as-a-service and cybercriminals rent access to it in order to infiltrate networks and steal valuable data. Once this is done, they then use it to deploy ransomware such as Ryuk and Conti in order to encrypt devices on the network as the final stage of their attack.
At the end of last year, SentinelOne and NTT reported that a new TrickBot framework called anchor uses DNS to communicate with its C&C servers. Anchor_DNS is used to launch attacks against high-value and high-impact targets that posses valuable financial information. The TrickBot Anchor can also be used as a backdoor in APT-like campaigns which target both point-of-sale and financial systems.
Up until now, Anchor has been a Windows malware but Stage 2 Security researcher Waylon Grange discovered a new sample which shows that Anchor_DNS has been ported to a new Linux backdoor version called ‘Anchor_Linux’.
In addition to acting as a backdoor that can be used to drop and run malware on Linux devices, the malware also contains and embedded Windows TrickBot executable that can be used to infect Windows machines on the same network.
Once copied to a Windows device, Anchor_Linux then configures itself as a Windows service. After configuration, the malware is tarted on the Windows host and it connects back to an attacker’s C&C server where it receives commands to execute.
The fact that TrickBot has been ported to Linux is especially worrying since many IoT devices including routers, VPN devices and NAS devices run on Linux. Concerned Linux users can find out if they have been infected by looking for a log file at /tmp/anchor.log on their systems. If this file is found, users should perform a complete audit of their systems to search for the Anchor_Linux malware.