The notorious TrickBot malware made a name for itself in 2019 when it started carrying out illegal activities including, credential theft, stealing personal information, Windows domain infiltration, and also acted as a malware dropper.
Up until now, TrickBot was known as a multi-purpose Windows malware with several modules affecting the operating system, but now one of the modules of the TrickBot framework dubbed “Anchor_DNS” has been ported to infect Linux devices. Anchor_DNS usually targets high-value systems to steal valuable financial information.
A security researcher named Waylon Grange, from Stage 2 Security, discovered that Anchor_DNS is ported to a Linux version called ‘Anchor_Linux.’ With evolution, the Linux version of the malware can target several IoT devices, including routers, VPN devices, and NAS devices running on Linux.
As analyzed by Advanced Intel’s Vitali Kremez, Anchor_Linux uses the following crontab entry to run every minute once installed:
*/1 * * * * root [filename]
It has been discovered that the module cannot only act as a backdoor to infect Linux devices by dropping malware but also contains an embedded Windows TrickBot executable. Intezer, who found a sample of Anchor_Linux malware, says that it is a new “Lightweight backdoor with the ability to spread to neighboring Windows boxes using svcctl via SMB.”
Interestingly, with Anchor_Linux, bad actors can target non-Windows environments and pivot to Windows devices on the same network. Speaking to Bleeping Computer, Kremez said:
“The malware acts as covert backdoor persistence tool in UNIX environment used as a pivot for Windows exploitation as well as used as an unorthodox initial attack vector outside of email phishing. It allows the group to target and infect servers in UNIX environment (such as routers) and use it to pivot to corporate networks.”
Security researchers say that Linux users can check if Anchor_linux has targeted their system by searching for the “/tmp/Anchor.log” file. If such a file exists, it is recommended that Linux users must scan the system for the notorious malware.
The security researchers believe that Anchor_Linux is still in initial stages, and it will continue to evolve, making it more harmful for systems.