Linux users, beware: TrickBot malware is no longer Windows-exclusive

TrickBot has been ported to Linux


The creators of TrickBot have once again updated their malware with new functionality, and it can now target Linux devices through its new DNS command and control tool, Anchor_DNS.

While TrickBot originally started out as a banking trojan, the malware has evolved to perform other malicious behaviors, including spreading laterally through a network, stealing credentials saved in browsers, stealing cookies, checking a device’s screen resolution and now infecting Linux as well as Windows devices.

TrickBot is also malware-as-a-service: cybercriminals rent access to it in order to infiltrate networks and steal valuable data. Once this is done, they then use it to deploy ransomware such as Ryuk and Conti in order to encrypt devices on the network as the final stage of their attack.

At the end of last year, SentinelOne and NTT reported that a new TrickBot framework called Anchor uses DNS to communicate with its C&C servers. Anchor_DNS is used to launch attacks against high-value and high-impact targets that possess valuable financial information. The TrickBot Anchor can also be used as a backdoor in APT-like campaigns which target both point-of-sale and financial systems.

Anchor_DNS


Up until now, Anchor has been a Windows malware, but Stage 2 Security researcher Waylon Grange discovered a new sample which shows that Anchor_DNS has been ported to a new Linux backdoor version called ‘Anchor_Linux’.

In addition to acting as a backdoor that can be used to drop and run malware on Linux devices, the malware also contains an embedded Windows TrickBot executable that can be used to infect Windows machines on the same network.

Once copied to a Windows device, Anchor_Linux then configures itself as a Windows service. After configuration, the malware is started on the Windows host and connects back to an attacker’s C&C server, where it receives commands to execute.


The fact that TrickBot has been ported to Linux is especially worrying since many IoT devices, including routers, VPN devices and NAS devices, run on Linux. Concerned Linux users can find out if they have been infected by looking for a log file at /tmp/anchor.log on their systems. If this file is found, users should perform a complete audit of their systems to search for the Anchor_Linux malware.
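As an added triage helper (not code from the article or from the researchers it cites), the script below checks a Linux host for the /tmp/anchor.log indicator mentioned above and, if it is present, gathers the file's metadata and any processes currently holding it open, which is a sensible first step of the audit the article recommends. The function name and the optional path argument are assumptions for testing.

```shell
#!/bin/sh
# Added triage helper, not part of the original article.
# Usage: anchor_log_check [path]   (defaults to /tmp/anchor.log)
# Returns 0 if the indicator exists, 1 if it does not.

anchor_log_check() {
    log="${1:-/tmp/anchor.log}"
    if [ ! -e "$log" ]; then
        echo "not found: $log"
        return 1
    fi
    echo "INDICATOR PRESENT: $log"
    # Ownership, size and timestamps help date a possible infection.
    ls -ld "$log" 2>/dev/null
    stat "$log" 2>/dev/null
    # Which processes have the file open? Walk /proc/*/fd (Linux only);
    # a live writer is a strong lead for the rest of the audit.
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "$log" ]; then
            pid=${fd#/proc/}
            pid=${pid%%/*}
            echo "open by pid $pid: $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
    return 0
}

# Stand-alone run: check the default indicator path.
anchor_log_check "$@"
```

A hit here is only an indicator, not proof of compromise; a clean result does not rule out the malware, since the path may differ in other samples.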

Via BleepingComputer

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
