Efforts to disrupt TrickBot may have shut down most of its critical infrastructure, but the operators behind the infamous malware aren't sitting idle.
According to new findings shared by cybersecurity firm Netscout, TrickBot's authors have moved portions of their code to Linux in an attempt to widen the scope of victims that could be targeted.
TrickBot, a financial Trojan first detected in 2016, has traditionally been a Windows-based crimeware solution, employing different modules to perform a wide range of malicious activities on target networks, including credential theft and perpetrating ransomware attacks.
But over the past few weeks, twin efforts led by the US Cyber Command and Microsoft have helped to eliminate 94% of TrickBot's command-and-control (C2) servers that were in use, as well as the new infrastructure the criminals operating TrickBot attempted to bring online to replace the previously disabled servers.
Despite the steps taken to impede TrickBot, Microsoft cautioned that the threat actors behind the botnet would likely make efforts to revive their operations.
TrickBot's Anchor Module
At the end of 2019, a new TrickBot backdoor framework called Anchor was discovered using the DNS protocol to communicate with C2 servers stealthily.
The module "allows the actors — potential TrickBot customers — to leverage this framework against higher-profile victims," said SentinelOne, adding that the "ability to seamlessly integrate the APT into a monetization business model is evidence of a quantum shift."
Indeed, IBM X-Force observed new cyberattacks earlier this April revealing collaboration between the FIN6 and TrickBot groups to deploy the Anchor framework against organizations for financial profit.
The variant, dubbed "Anchor_DNS," allows the infected client to utilize DNS tunneling to establish communications with the C2 server, which in turn transmits data with resolved IPs as a response, NTT researchers said in a 2019 report.
But a new sample uncovered by Stage 2 Security researcher Waylon Grange in July found that Anchor_DNS has been ported to a new Linux backdoor version called "Anchor_Linux."
"Often delivered as part of a zip, this malware is a lightweight Linux backdoor," Grange said. "Upon execution it installs itself as a cron job, determines the public IP [address] for the host and then begins to beacon via DNS queries to its C2 server."
How the C2 Communication Works Using Anchor
Netscout's latest analysis decodes this flow of communication between the bot and the C2 server. During the initial setup phase, the client sends "c2_command 0" to the server along with information about the compromised system and the bot ID, to which the server responds with the message "signal /1/" back to the bot.
As an acknowledgment, the bot sends the same message back to the C2, after which the server remotely issues the command to be executed on the client. In the last step, the bot sends the result of the execution back to the C2 server.
"Every part of communication made to the C2 follows a sequence of 3 different DNS queries," Netscout security researcher Suweera De Souza said.
A list of IP records denoting the data corresponding to the payload
The result of the third query is a list of IP addresses that are subsequently parsed by the client to build the executable payload.
The last piece of data sent by the C2 server corresponds to a range of commands (numbered 0-14 in Windows, and 0-4, 10-12, and 100 in Linux) for the bot to execute the payload via cmd.exe or by injecting it into multiple running processes such as Windows File Explorer or Notepad.
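A defender-side illustration of the behaviour just described, added here as an example and not code from the article or from Netscout: a small detector that sweeps a resolver log for clients whose repeated queries to one domain carry high-entropy leading labels and whose answers accumulate an unusually large set of distinct A records, the shape that payload delivery via IP records takes on the wire. The log format, domain names, sample lines and thresholds are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (hypothetical format, not Netscout's or the article's data):
# "<seq> <client_ip> <queried_name> <comma-separated A records in the answer>"
SAMPLE_LOG = """\
1 10.0.0.5 www.example.com 93.184.216.34
2 10.0.0.5 www.example.com 93.184.216.34
3 10.0.0.7 a3f9c1e2b7d4.c2-domain.test 10.1.2.3,10.4.5.6,10.7.8.9,10.10.11.12
4 10.0.0.7 0e4d7b9a1c33.c2-domain.test 10.13.14.15,10.16.17.18,10.19.20.21,10.22.23.24
5 10.0.0.7 b7e21f0c9a55.c2-domain.test 10.25.26.27,10.28.29.30,10.31.32.33,10.34.35.36
6 10.0.0.7 f1a2b3c4d5e6.c2-domain.test 10.37.38.39,10.40.41.42,10.43.44.45,10.46.47.48
7 10.0.0.9 cdn.example.net 203.0.113.10,203.0.113.11
"""


def shannon_entropy(label):
    """Bits per character of a DNS label: encoded data scores high, ordinary words score low."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def find_dns_tunnel_suspects(log_text, min_queries=3, min_entropy=3.0, min_unique_ips=8):
    """Flag (client, registered domain) pairs that look like Anchor-style DNS tunnelling:
    repeated queries with high-entropy leftmost labels whose answers together carry an
    unusually large set of distinct A records (payload data smuggled as IP addresses)."""
    stats = defaultdict(lambda: {"queries": 0, "entropy": 0.0, "ips": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the sweep
        _, client, qname, answers = parts
        labels = qname.lower().split(".")
        s = stats[(client, ".".join(labels[-2:]))]  # key on client + registered domain
        s["queries"] += 1
        s["entropy"] += shannon_entropy(labels[0])
        s["ips"].update(answers.split(","))
    suspects = {}
    for key, s in stats.items():
        mean_entropy = s["entropy"] / s["queries"]
        if (s["queries"] >= min_queries and mean_entropy >= min_entropy
                and len(s["ips"]) >= min_unique_ips):
            suspects[key] = {"queries": s["queries"], "unique_ips": len(s["ips"]),
                             "mean_label_entropy": round(mean_entropy, 2)}
    return suspects
```

Tune the three thresholds against your own resolver baseline; CDNs legitimately return several A records per name but not a fresh set of addresses under random-looking labels on every query.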
"The complexity of Anchor's C2 communication and the payloads that the bot can execute reflect not only a portion of the Trickbot actors' considerable capabilities, but also their ability to constantly innovate, as evidenced by their move to Linux," De Souza said.