FIN6 Uses TrickBot’s Anchor Malware Framework

Delaware, USA – April 9, 2020 – TrickBot operators have begun collaborating with another advanced threat actor, providing it with access to infected systems on the networks of high-profile targets and with a multi-functional malware framework. Researchers at IBM X-Force have discovered traces of the FIN6 cybercriminal group in a recent Anchor malware distribution campaign using the TrickBot Trojan. The FIN6 group (also known as ITG08) specializes in data theft through PoS terminals and e-commerce sites in the US and Europe. Over the past six months, researchers have recorded a wave of attacks using the Anchor and PowerTrick modules. IBM X-Force does not disclose the names of the targets; however, the researchers report that corporate networks including POS systems were mostly affected. The primary infection vector is spam email. According to the researchers, after a system is infected, TrickBot operators sell access to it to FIN6 members, who then use Anchor and PowerTrick to move laterally across the attacked networks. The number of affected organizations is still unknown.

TrickBot operators also continue to work with the Ryuk gang, one of the few groups that continue to attack hospitals and healthcare organizations during the COVID-19 pandemic, threatening not only data but also the lives of many critically ill patients. The Anchor framework is a powerful modular post-exploitation tool that communicates over DNS and allows attackers to move laterally and install other malware. PowerTrick is a PowerShell-based backdoor that is often used to deliver the Anchor framework. Content available at Threat Detection Marketplace to uncover TrickBot attacks:
TrickBot Being Spread by Word Document – https://tdm.socprime.com/tdm/info/MclO9rUCJ7NP/
Data stealing from Internet Explorer via esentutl.exe (Trickbot behavior) – https://tdm.socprime.com/tdm/info/F5vwfFRry98x/
Active Directory credentials stealing via Trickbot – https://tdm.socprime.com/tdm/info/Gq7NllvleN5G/
TrickBot behaviour (Privilege escalation attack) – https://tdm.socprime.com/tdm/info/hnFSkaXV5vHs/
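The post states that Anchor communicates over DNS. As an added example (not from the page, from IBM X-Force, or from the SOC Prime content listed above), the following Python shows one generic way a defender can hunt for DNS-carried command and control in resolver logs: queries are grouped by client and registered domain, and a pair is flagged when the leftmost labels are, on average, long and high-entropy, which is what encoded payloads riding in subdomains look like. The log lines, domain names, client addresses and thresholds are all constructed assumptions for illustration; they are not Anchor indicators, and the heuristic is not Anchor's actual protocol.

```python
"""Heuristic detection of DNS-tunnelling style C2 in DNS query logs.

Added example for the behaviour described on the page (a post-exploitation
tool that talks over DNS). Generic heuristic only: no real indicators, and
every name and log line below is constructed.
"""
import math
from collections import defaultdict

# Constructed sample log lines (not real traffic), one query per line:
# "<timestamp> <client_ip> <query_name> <qtype>"
SAMPLE_DNS_LOG = """\
2020-04-09T10:00:01Z 10.0.5.21 www.example.com A
2020-04-09T10:00:02Z 10.0.5.21 mail.example.com MX
2020-04-09T10:00:03Z 10.0.5.21 7a9f3c1e0b4d8e2f6a1c3b5d7e9f0a2b.c2-example.test TXT
2020-04-09T10:00:04Z 10.0.5.21 1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e.c2-example.test TXT
2020-04-09T10:00:05Z 10.0.5.21 e4d5c6b7a8f9e0d1c2b3a4f5e6d7c8b9.c2-example.test TXT
2020-04-09T10:00:06Z 10.0.5.21 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-example.test TXT
2020-04-09T10:00:07Z 10.0.5.22 cdn.example.com A
2020-04-09T10:00:08Z 10.0.5.22 www.example.com A
2020-04-09T10:00:09Z 10.0.5.21 api.example.com A
"""

# Assumed thresholds; tune against your own baseline before alerting on them.
ENTROPY_THRESHOLD = 3.0     # bits per character; hex/base32 payloads score ~3.5-4
LABEL_LEN_THRESHOLD = 16    # mean length of the leftmost label
MIN_QUERIES = 3             # need a few samples before scoring a (client, domain) pair


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname: str):
    """Return (leftmost label, registered domain), approximating the
    registered domain as the last two labels.  Real deployments should use a
    public-suffix list so that names under e.g. co.uk are not mis-split."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client_ip, qname) from the whitespace-separated log format above."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[1], parts[2]


def score_dns_log(text: str):
    """Group queries by (client, domain) and flag pairs whose leftmost labels
    look like encoded payloads: long and high-entropy on average."""
    groups = defaultdict(list)
    for client, qname in parse_log(text):
        label, domain = split_query(qname)
        groups[(client, domain)].append(label)

    findings = []
    for (client, domain), labels in sorted(groups.items()):
        if len(labels) < MIN_QUERIES:
            continue
        mean_len = sum(len(lbl) for lbl in labels) / len(labels)
        mean_ent = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
        if mean_len >= LABEL_LEN_THRESHOLD and mean_ent >= ENTROPY_THRESHOLD:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": len(labels),
                "unique_labels": len(set(labels)),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
            })
    return findings


if __name__ == "__main__":
    # On the constructed log only the 10.0.5.21 -> c2-example.test pair is flagged;
    # the ordinary www/mail/api lookups under example.com stay below threshold.
    for finding in score_dns_log(SAMPLE_DNS_LOG):
        print(finding)
```

Run against a real resolver or Sysmon DNS export, the useful follow-ups are the ones the post implies: which host is doing the querying (a POS system or a domain controller asking for long TXT records is itself suspicious), and whether the same host also shows PowerShell execution that would fit a PowerTrick-style loader.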