A joint effort was made to shut down the malicious infrastructure used to launch TrickBot malware attacks, however even though this attempt was successful recent findings discovered that the Linux versions continue to attack hosts. The Linux variant has been found to be active in several campaigns continuing on the virus’s intentions. TrickBot is widely considered to be one of the most dangerous malware in the last few years.
TrickBot Linux Version Continues To Attack Networks
Even though the main TrickBot criminal infrastructure was disabled by a collective of security experts in recent times, the cybersecurity company Netscout reports that efforts have been moved to the Linux version of the malware. This means that the main development group has transferred their efforts into another group of machines that are set as the new target. This particular malware started its infection in 2016 by targeting mainly Windows-based computers. Over the years several different hacking groups have been used to modify the code base and add in different modules. This has prompted various security companies and researchers to create proactive defenses against the ongoing intrusions.
Over the past few weeks, a joint group between the US Cyber Command and Microsoft was able to eliminate a large part of the hacker-controlled servers. This almost eradicated the threat and remedied a lot of ongoing attacks that were stopped. However, this did not stop the infections altogether. A research group from a company called Netscout reported that new findings surrounding Trickbot’s resurgence in its Linux variant. Apparently, hacking groups have transferred their efforts into developing this part of the malware instead of the Windows one.
This is evident in a recent development called Anchor which was created in the end of 2019 which is categorized as a backdoor framework based on TrickBot. One of the distinct features of it is that it relies on the DNS protocol to communicate with the hacker-designated servers in a way that is hard to track. This makes virus detection very difficult. Using this new framework the made infections will allow greater abuse as the ongoing attacks are hard to detect and mitigate.
In the latest update of Anchor the codebase has been moved to Linux which shows that the intentions of the hackers are to focus on this platform. The captured samples shows that a new infection sequence is implemented:
- Initial Infection — Through the use of different malware distribution tactics the Anchor TrickBot framework will be deployed to the target host. When this is done the relevant execution code will be started.
- Persistent Installation — By inserting itself as a cron job the virus will be installed as a system component. Depending on the configuration this may bypass certain security features, start automatically when the computer is powered on, and may change important configuration values.
- Information Gathering — The code analysis shows that the engine will reveal the public IP address of the infected computers and relay it to the hackers. A change in this section of the malware configuration can include other data that is to be hijacked: personal user’s files, application data, and operating system values.
- Server Connection — The final phase is the actual connection to the hacker-controlled server. This allows the hackers to completely take over the machines, spy on the victims, and access their data.
Research into the hacking campaign continues on. We hope that soon these infections can be effectively stopped as well.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: