Linux users, beware: TrickBot malware is no longer Windows-exclusive

The creators of the TrickBot have after once more up to date their malware with new functionality and now it can concentrate on Linux gadgets by way of its new DNS command and control tool Anchor_DNS.

While TrickBot originally started out out as a banking trojan, the malware has advanced to complete other malicious behaviors such as spreading laterally by way of a community, stealing saved credentials in browsers, stealing cookies, checking a device’s display screen resolution and now infecting Linux as very well as Windows gadgets.

TrickBot is also malware-as-a-services and cybercriminals lease obtain to it in get to infiltrate networks and steal important facts. As soon as this is completed, they then use it to deploy ransomware this kind of as Ryuk and Conti in get to encrypt gadgets on the community as the final phase of their attack.

At the finish of last yr, SentinelOne and NTT reported that a new TrickBot framework called anchor utilizes DNS to connect with its C&C servers. Anchor_DNS is used to start assaults against higher-worth and higher-effects targets that posses important money details. The TrickBot Anchor can also be used as a backdoor in APT-like campaigns which concentrate on both point-of-sale and money programs.


Up right up until now, Anchor has been a Windows malware but Stage two Stability researcher Waylon Grange identified a new sample which shows that Anchor_DNS has been ported to a new Linux backdoor model called ‘Anchor_Linux’.

In addition to acting as a backdoor that can be used to drop and operate malware on Linux gadgets, the malware also includes and embedded Windows TrickBot executable that can be used to infect Windows devices on the same community.

As soon as copied to a Windows machine, Anchor_Linux then configures by itself as a Windows services. Following configuration, the malware is tarted on the Windows host and it connects back again to an attacker’s C&C server wherever it receives commands to execute.

The fact that TrickBot has been ported to Linux is specifically stressing considering the fact that several IoT gadgets such as routers, VPN gadgets and NAS gadgets operate on Linux. Worried Linux users can uncover out if they have been contaminated by wanting for a log file at /tmp/anchor.log on their programs. If this file is observed, users ought to complete a complete audit of their programs to search for the Anchor_Linux malware.

By using BleepingComputer

Leave a Reply

Your email address will not be published. Required fields are marked *