{
	"id": "b4437c62-6db3-498e-91ac-c8bcb36f2acb",
	"created_at": "2026-04-29T08:22:17.267587Z",
	"updated_at": "2026-04-29T10:42:33.621662Z",
	"deleted_at": null,
	"sha1_hash": "2064b2bbc7185d8e61e90cea238173c64880272a",
	"title": "Anchor_dns malware goes cross platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 805220,
	"plain_text": "Anchor_dns malware goes cross platform\r\nBy Waylon Grange\r\nPublished: 2020-07-13 · Archived: 2026-04-29 07:12:09 UTC\r\n3 min read\r\nJul 13, 2020\r\nThe actors behind Trickbot, a high-profile banking trojan, have recently developed a Linux port of their new DNS command and control tool known as Anchor_DNS.\r\nOften delivered as part of a zip, this malware is a lightweight Linux backdoor. Upon execution it installs itself as a cron job, determines the public IP for the host and then begins to beacon via DNS queries to its C2 server.\r\nBecause the DNS channel provides an indirect route for the malware to communicate, the attackers aren’t provided with the IP address of the victim. To mitigate this the malware utilizes public IP lookup services to determine where the target is located. Upon first run the malware will randomly select one of the following URLs to find its external IP.\r\n[image]\r\nIt then enters its main communication loop where it generates the DNS query and parses the result. The method for generating the DNS query uses a similar format to the Windows version described in this article by NTT, but with a few changes.\r\n[image]\r\nhttps://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30\r\nPage 1 of 4\r\nanchor_dns is instead replaced with anchor_linux and the uname command is utilized to determine the hostname and Linux version. The client_id is a 32 byte value hardcoded into the binary. LVER is the Linux version, which is also used as part of the hostname. If my Linux version is 5.6.0 the LVER would be L560. Finally, the public IP discovered above along with the payload is appended to the end. This is all combined as shown above, which is then XOR’d with 0xb9, hex encoded, and then prepended to the root C2 domain. In this case,\r\nbiillpi.com\r\nThe server responds with a number of A records which contain the encoded response in a similar format to that outlined by NTT.\r\n[image]\r\nThe malware’s main functionality is to be a simple dropper. It has basic download and execute capabilities and when doing so on the Linux host it will drop the payload to /tmp/\u003crandom_15_chars\u003e and execute via sh.\r\nMore interesting, however, is that it also contains support for Windows execution via SMB shares and IPC. The sample also has a Windows version of the malware embedded inside that it can install on remote Windows shares and then execute as a service. It utilizes the open source libsmb2 project to do this.\r\n[image]\r\nGiven that the Trickbot family has a history of harvesting PuTTY credentials (see https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/) we see how this can be used to further propagate within the victim’s network.\r\nThe further development of the anchor family of malware suggests the Trickbot family intends to continue utilizing its new DNS based command and control comms. Given the generally lower rate of Linux malware detection, it is of the utmost importance that organizations closely monitor their network traffic and DNS resolutions.\r\nHashes:\r\n55754d178d611f17efe2f17c456cb42469fd40ef999e1058f2bfe44a503d877c\r\nC721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc\r\n7686a3c039b04e285ae2e83647890ea5e886e1a6631890bbf60b9e5a6ca43d0\r\nDomains:\r\n*.biillpi.com\r\nIPs:\r\n23.95.97.59\r\nYara:\r\nrule anchor_linux_dns\r\n{\r\nmeta:\r\n author = \"Stage 2 Security\"\r\n description = \"Trickbot anchor_linux\"\r\nstrings:\r\n $hdr = {7f 45 4c 46}\r\n $x1 = {80 74 0? ?? b9}\r\n $x2 = \"anchor_l\"\r\n $x3 = \"getaddrinfo\"\r\n $x4 = \"IPC$\"\r\n $x5 = {48 ?? 2f 74 6d 70 2f 00 00 00}\r\n $x6 = \"test my ip\"\r\n $x7 = {73 6d 62 32 5f [4-7] 5f 61 73 79 6e 63 20}\r\n $x8 = \"Kernel32.dll\"\r\n $x9 = \"libcurl\"\r\n $x10 = \"/1001/\"\r\ncondition:\r\n $hdr at 0 and 7 of ($x*)\r\n}\r\nSource: https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30"
	],
	"report_names": [
		"anchor-dns-malware-family-goes-cross-platform-d807ba13ca30"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-29T10:39:55.666868Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777450937,
	"ts_updated_at": 1777459353,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2064b2bbc7185d8e61e90cea238173c64880272a.pdf",
		"text": "https://archive.orkl.eu/2064b2bbc7185d8e61e90cea238173c64880272a.txt",
		"img": "https://archive.orkl.eu/2064b2bbc7185d8e61e90cea238173c64880272a.jpg"
	}
}