Targeting financial, manufacturing, and retail, Trickbot has begun deploying new tools and modules to steal data from their victims. Included in these new tools is the newly discovered Anchor malware: a stealthy backdoor that Trickbot downloads after infecting a victim’s computer. While Anchor is a completely different malware than Trickbot, it appears to be related to Trickbot through the use of shared server infrastructure. Additionally, Anchor identifies infected computers with a GUID that is almost identical to Trickbot’s GUID.
The initial Trickbot malware in these campaigns are delivered via email, therefore it is recommended to use caution when opening emails from unknown sources. The malicious email messages typically contain an attached Word document or Excel workbook file that uses macros to infect the computer on which the file is opened. Microsoft Office contains built-in protection in the form of a warning displayed when a file with macros is opened. It is up to each person who opens a document file to decide whether the source is trustworthy or not, and either click “Enable” to allow the macros to run or close the document without enabling macros. Most malicious document files and the email messages they arrive in contain instructions that are designed to trick recipients into enabling the macros, sometimes claiming that it is necessary to enable macros in order to read some “secure” or “protected” contents in the file. If the email says to enable macros and the source is unknown, its best to err on the side of caution and not enable macros. Additionally, investing in a proxy provider can help to defend against malware credential exfiltration.
For more information on Anchor and its DNS variant Anchor_DNS, a report by CyberReason is available here.