IBM Security X-Force researchers have discovered a revamped version of the Trickbot Group's AnchorDNS backdoor being used in recent attacks that ended with the deployment of Conti ransomware. The Trickbot Group, which X-Force tracks as ITG23, is a cybercriminal gang known primarily for developing the Trickbot banking Trojan, first identified in 2016 and initially used to facilitate online banking fraud. In recent years the group has adapted to the ransomware economy, using its Trickbot and Bazarloader payloads to gain an initial foothold for ransomware attacks and maintaining a close relationship with the Conti Ransomware-as-a-Service (RaaS) operation. ITG23 is also known for developing the Anchor malware framework, including the AnchorDNS variant, which it deploys against high-profile targets after an initial infection by Trickbot or Bazarbackdoor. AnchorDNS is notable for communicating with its Command-and-Control (C2) server over the DNS protocol. The upgraded backdoor, which IBM Security X-Force researchers have named AnchorMail or Delegatz, instead uses an email-based C2 server, communicating with it over the SMTP and IMAP protocols wrapped in TLS. Apart from the overhauled C2 communication mechanism, AnchorMail's behavior aligns very closely with that of its AnchorDNS predecessor.