The initial Trickbot malware in these campaigns are delivered via email, therefore it is recommended to use caution when opening emails from unknown sources. The malicious email messages typically contain an attached Word document or Excel workbook file that uses macros to infect the computer on which the file is opened. Microsoft Office contains built-in protection in the form of a warning displayed when a file with macros is opened. It is up to each person who opens a document file to decide whether the source is trustworthy or not, and either click “Enable” to allow the macros to run or close the document without enabling macros. Most malicious document files and the email messages they arrive in contain instructions that are designed to trick recipients into enabling the macros, sometimes claiming that it is necessary to enable macros in order to read some “secure” or “protected” contents in the file. If the email says to enable macros and the source is unknown, its best to err on the side of caution and not enable macros. Additionally, investing in a proxy provider can help to defend against malware credential exfiltration.

For more information on Anchor and its DNS variant Anchor_DNS, a report by CyberReason is available here.