The Trickbot Band does a significant amount of damage to typical Emotet incidents. Emotet loads their malware onto the infected systems, so that their masters and master can finally encrypt important data and demand a ransom (see Emotet, Trickbot, Ryuk – an explosive malware cocktail). Now a security researcher has discovered a Linux port of the trickbot tool Anchor_DNS – and that means trouble.
The trickbot gang is known for its sophisticated attack methods. Anchor_DNS, for example, is a tool that the Domain Name System (DNS) uses to communicate with the control server. This has two advantages: First, the defenders and their tools no longer see access to suspicious IP addresses. And secondly, this also works if the infected computer itself has no connection to the Internet – for example, on an internal server. The system only needs to be able to resolve DNS names.
Linux systems infect Windows
Waylon Grange now has this trick bot tool in a Linux version discovered and analyzed. Anchor_linux anchors itself as a cron job in the system. How it gets there is not clear, but Trickbot collects SSH keys on infected systems, among other things. The Linux server could therefore be infected via the SSH access of an administrator whose workstation was previously compromised. IoT devices with known back door access are of course also potential victims.
The Linux Trojan transmits data via DNS to its control server and receives commands and files from it. It works similarly to the already known Windows versions. It also has functions to infect Windows systems. To do this, he copies a Windows Trojan to a file share and then configures it via IPC as a service that can be started automatically.
The expansion of activities to Linux systems is certainly an obvious step from the perspective of the Trickbot gang. For incident response teams that have to analyze trickbot or emotet incidents, this is extremely bad news. In the course of their activities, they will have to examine all systems that run under Linux and that may be infected. That means not only servers, but also printers, routers, and so on and so on. Because a single, overlooked Anchor_linux means that the criminals can reactivate the network immediately after cleaning and the evil game starts all over again.