Trickbot Group’s AnchorDNS Backdoor Upgrades to AnchorMail


IBM Security X-Force researchers have discovered a revamped version of the Trickbot Group’s AnchorDNS backdoor being used in recent attacks ending with the deployment of Conti ransomware. The Trickbot Group, which X-Force tracks as ITG23, is a cybercriminal gang known primarily for developing the Trickbot banking Trojan, which was first identified in 2016 and initially used to facilitate online banking fraud. The group has adapted in recent years to the ransomware economy by using its Trickbot and Bazarloader payloads to gain a foothold for ransomware attacks and through its close relationship with the Conti ransomware-as-a-service (RaaS).


ITG23 is also known for developing the Anchor malware framework, including the AnchorDNS variant, in 2018 for use during attacks on high-profile targets following initial infection by Trickbot or Bazarbackdoor, an additional backdoor developed by ITG23. AnchorDNS is notable for communicating with its Command and Control (C2) server using the DNS protocol. The upgraded backdoor, identified by IBM Security X-Force researchers as AnchorMail or Delegatz, now uses an email-based C2 server with which it communicates using the SMTP and IMAP protocols over TLS. With the exception of the overhauled C2 communication mechanism, AnchorMail’s behavior aligns very closely with that of its AnchorDNS predecessor.


The discovery of this new Anchor variant adds a new stealthy backdoor for use during ransomware attacks and highlights the group’s commitment to upgrading its malware.


Upon execution, AnchorMail creates a scheduled task for persistence which is set to run every 10 minutes. It then collects basic system information, registers with its C2 and enters a loop of checking for and executing received commands. The backdoor’s command structure is also very similar to that of AnchorDNS and both ..
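The two behaviours the article describes (a scheduled task repeating every 10 minutes, and a process speaking SMTP/IMAP to a remote host) are both observable from endpoint telemetry. The script below is an added illustration, not code from the X-Force write-up, of how a defender might triage such events: it scans a constructed, simplified log format (the `TASK_CREATE` / `NET_CONNECT` lines, field names and hostnames are all assumptions, not any product's real schema), flags the two indicators, and correlates them per host so that a machine showing both rises to the top.

```python
"""Added example (not from the article): triage constructed endpoint log lines
for a 10-minute scheduled task and for non-mail-client processes talking
SMTP/IMAP. The log format is an assumed, simplified one."""
from __future__ import annotations
import re
from dataclasses import dataclass

# SMTP (25, 465, 587) and IMAP (143, 993) ports used by mail-based C2 channels.
SMTP_IMAP_PORTS = {25, 465, 587, 143, 993}
# Processes expected to speak SMTP/IMAP on a workstation (assumed allow-list).
EXPECTED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

@dataclass(frozen=True)
class Finding:
    host: str
    kind: str      # "task_10min" or "mail_c2"
    detail: str

# Assumed log line shapes (constructed for this example):
#   TASK_CREATE host=<h> task=<name> interval=PT<n>M exec=<path>
#   NET_CONNECT host=<h> proc=<image> dst=<ip>:<port>
TASK_RE = re.compile(r"^TASK_CREATE\s+host=(\S+)\s+task=(\S+)\s+interval=(PT\d+M)\s+exec=(.+)$")
NET_RE = re.compile(r"^NET_CONNECT\s+host=(\S+)\s+proc=(\S+)\s+dst=(\S+):(\d+)$")

def interval_minutes(interval: str) -> int:
    """Parse the minutes out of an ISO-8601 duration of the form PT<n>M."""
    return int(interval[2:-1])

def scan(lines: list[str]) -> list[Finding]:
    """Return one Finding per suspicious line; unmatched lines are ignored."""
    findings: list[Finding] = []
    for line in lines:
        m = TASK_RE.match(line)
        if m:
            host, task, interval, exe = m.groups()
            if interval_minutes(interval) == 10:
                findings.append(Finding(host, "task_10min", f"task {task} runs {exe} every 10 min"))
            continue
        m = NET_RE.match(line)
        if m:
            host, proc, dst, port = m.groups()
            if int(port) in SMTP_IMAP_PORTS and proc.lower() not in EXPECTED_MAIL_CLIENTS:
                findings.append(Finding(host, "mail_c2", f"{proc} -> {dst}:{port}"))
    return findings

def correlate(findings: list[Finding]) -> set[str]:
    """Hosts that exhibit both indicators: the highest-priority set to triage."""
    by_host: dict[str, set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.kind)
    return {h for h, kinds in by_host.items() if {"task_10min", "mail_c2"} <= kinds}

# Constructed sample telemetry; IPs are documentation-range addresses.
SAMPLE_LOG = [
    r"TASK_CREATE host=ws01 task=UpdateSvc interval=PT10M exec=C:\Users\Public\svc.exe",
    r"TASK_CREATE host=ws02 task=Backup interval=PT60M exec=C:\Tools\backup.exe",
    "NET_CONNECT host=ws01 proc=svc.exe dst=198.51.100.7:587",
    "NET_CONNECT host=ws01 proc=svc.exe dst=198.51.100.7:993",
    "NET_CONNECT host=ws03 proc=outlook.exe dst=198.51.100.20:993",
    "NET_CONNECT host=ws03 proc=chrome.exe dst=198.51.100.30:443",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.host}: {f.detail}")
    print("hosts with both indicators:", sorted(correlate(found)))
```

A 10-minute task on its own is common in benign software, and mail ports alone are noisy on hosts with unusual mail clients, so neither rule should page anyone by itself; the value is in the per-host correlation, which is why `correlate` is kept separate from `scan`.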
