IBM Security X-Force researchers have discovered a revamped version of the Trickbot Group’s AnchorDNS backdoor being used in recent attacks that ended with the deployment of Conti ransomware. The Trickbot Group, which X-Force tracks as ITG23, is a cybercriminal gang known primarily for developing the Trickbot banking Trojan, which was first identified in 2016 and initially used to facilitate online banking fraud. The group has adapted in recent years to the ransomware economy by using its Trickbot and Bazarloader payloads to gain a foothold for ransomware attacks and through its close relationship with the Conti Ransomware-as-a-Service (RaaS). ITG23 is also known for developing the Anchor malware framework, including the AnchorDNS variant, for use during attacks on high-profile targets following initial infection by Trickbot or Bazarbackdoor. AnchorDNS is notable for communicating with its Command-and-Control (C2) server over the DNS protocol. The upgraded backdoor, identified by IBM Security X-Force researchers as AnchorMail or Delegatz, now uses an email-based C2 server with which it communicates using the SMTP and IMAP protocols over TLS. With the exception of the overhauled C2 communication mechanism, AnchorMail’s behavior aligns very closely with that of its AnchorDNS predecessor.
Trickbot Group’s AnchorDNS Backdoor Upgrades to AnchorMail
The Trickbot gang remains one of the most prolific cybercrime threat actors. As with all malware, the best defense is to have good endpoint detection and monitoring with an EDR solution, an internal SOC or a service like Binary Defense to triage the alerts, and to train users to spot and report phishing emails. Even the most sophisticated threat actors often use malicious documents attached to phishing emails to gain their initial access if they aren’t able to buy access from initial access brokers on underground forums.