Delaware, USA – December 12, 2019 – TrickBot operators offer access to high-profile targets not only to other cybercriminals but also to state-sponsored threat actors. In October, NTT Security published a report on a new and considerably more advanced TrickBot variant, the Anchor project. Researchers believe that the attackers assess a victim's "value" after infection and, if the victim is of particular interest, replace the regular TrickBot build with the Anchor variant. Notable features of this variant are that all command-and-control communication is carried over DNS, and that one of its modules reliably removes traces of the malware from the host, which makes forensic analysis harder.
During their investigation, researchers from SentinelOne discovered a framework of tools that can serve both ordinary cybercriminals and well-known APT groups. At least one state-sponsored group has already made use of the services on offer: on one infected system, the researchers found a task that downloaded the PowerShell-based PowerRatankba malware from infrastructure attributed to the Lazarus group in previous campaigns. Lazarus commonly uses the PowerRatankba backdoor to deliver further payloads and additional hacking tools. The use of TrickBot by Lazarus to gain an initial foothold in a target organization should worry the cybersecurity community, and TrickBot operators may use this precedent to attract other APT groups. It is also worth noting that Lazarus is "closer" to ordinary cybercriminals than most state-sponsored groups, since it conducts financially motivated attacks as well as cyber-espionage campaigns.
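The DNS-only command-and-control channel mentioned above is the kind of behaviour a DNS log heuristic can surface. The following is an added illustration, not SOC Prime content and not code from the Anchor malware or from the researchers cited: it groups queries per source host and registered domain and flags pairs that emit many distinct, high-entropy subdomains, which is the general shape of data tunnelled through query names. The log format, the thresholds, the hypothetical domain `c2-lookalike.test` and all sample lines are constructed assumptions for the example; nothing here reproduces Anchor's actual query encoding.

```python
"""Heuristic DNS-tunnelling detector: added illustration, not Anchor or SOC Prime code."""
import math
from collections import defaultdict

# Constructed sample DNS query log, one query per line: "<src_ip> <qtype> <qname>".
# This is made-up data for the illustration, not captured Anchor traffic.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.7 TXT a9f3k2m1x8q7z4.c2-lookalike.test
10.0.0.7 TXT 7zq1x9m3k2f8a5.c2-lookalike.test
10.0.0.7 TXT m8x2a7k1z9q3f5.c2-lookalike.test
10.0.0.7 TXT q5f9z1a3x7m2k8.c2-lookalike.test
10.0.0.7 TXT k3a1m9z7x5q2f8.c2-lookalike.test
10.0.0.7 TXT z7q3f1k9a5x2m8.c2-lookalike.test
10.0.0.9 A mail.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, registered_domain).
    Simplification: the registered domain is taken as the last two labels,
    which is wrong for suffixes such as co.uk; a real detector would use
    the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect(log_text: str, min_unique_subdomains: int = 5, min_mean_entropy: float = 3.0):
    """Group queries per (source host, registered domain) and flag pairs that
    emit many distinct, high-entropy subdomains. Thresholds are assumed
    starting points, not tuned values."""
    groups = defaultdict(lambda: {"subs": set(), "total": 0, "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        src, qtype, qname = parts
        sub, domain = split_qname(qname)
        g = groups[(src, domain)]
        g["total"] += 1
        g["subs"].add(sub)
        if qtype.upper() == "TXT":
            g["txt"] += 1

    findings = []
    for (src, domain), g in groups.items():
        subs = [s for s in g["subs"] if s]  # ignore bare apex queries
        if len(subs) < min_unique_subdomains:
            continue
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_entropy < min_mean_entropy:
            continue
        findings.append({
            "src": src,
            "domain": domain,
            "unique_subdomains": len(subs),
            "mean_entropy": round(mean_entropy, 3),
            "txt_ratio": round(g["txt"] / g["total"], 2),  # TXT-heavy traffic is a secondary signal
        })
    return sorted(findings, key=lambda f: (-f["unique_subdomains"], f["src"]))


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, only host 10.0.0.7 talking to `c2-lookalike.test` is flagged; the hosts querying ordinary hostnames under example.com stay below both the unique-subdomain and entropy thresholds. In production the same grouping should run over a time window and exclude known high-churn domains (CDNs, anti-spam lookups) to keep the false-positive rate manageable.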
Content available on Threat Detection Marketplace to uncover this threat:
DNS Security Check rule pack – https://my.socprime.com/en/integrations/dns-security-check
TrickBot behaviour (Privilege escalation attack) – https://tdm.socprime.com/tdm/info/hnFSkaXV5vHs/
TrickBot Malware Detector (Sysmon Behavior) (July 2019) – https://tdm.socprime.com/tdm/info/s06qUuUPHuOY/
Trickbot Malware (YARA rule) – https://tdm.socprime.com/tdm/info/QNIEMQiE0ZwF/
Trickbot Execution – https://tdm.socprime.com/tdm/info/DGNlrOOiuHe1/