TrickBot, a multi-purpose Windows malware, has evolved into one of the reliable backdoors for several other payloads. In a recent report, a researcher found that TrickBot’s Anchor malware now comes in a new Linux version.
TrickBot Anchor_Linux malware
Named Anchor_Linux, the malware carries a Windows executable designed to infect both Linux and Windows systems on the same network.
- The malware first infects Linux systems and can then move through them to drop payloads on Windows machines.
- According to researchers, the malware acts as a covert backdoor persistence tool in the UNIX environment that lets the malware pivot to Windows.
- Many IoT devices like routers, computers, VPN devices, and NAS devices running Linux distributions could be affected by TrickBot’s Anchor_Linux malware.
- The existence of a log file (/tmp/anchor.log) on a Linux system is proof that the user is infected by the Anchor_Linux malware.
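One way to check a live host or a mounted disk image for the /tmp/anchor.log indicator mentioned above, recording the file's owner, size and modification time for triage. This is an added example, not code from the report or the researcher; the function names and the root-directory argument are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: triage check for the /tmp/anchor.log indicator.
# ROOT is "/" for a live host or the mount point of a disk image (assumption).

IOC_REL="tmp/anchor.log"   # indicator path from the article, relative to ROOT

# Prints one record per hit: path|type|owner|size|mtime-epoch
# Returns 0 when the indicator is present under ROOT, 1 when it is absent.
anchor_log_check() {
    root="${1:-/}"
    path="${root%/}/$IOC_REL"
    # -e follows symlinks, so -L is also tested to catch a dangling symlink
    if [ -e "$path" ] || [ -L "$path" ]; then
        if [ -L "$path" ]; then type=symlink
        elif [ -f "$path" ]; then type=file
        else type=other; fi
        # GNU stat reports on the link itself, not its target
        meta=$(stat -c '%U|%s|%Y' "$path" 2>/dev/null || echo '?|?|?')
        printf '%s|%s|%s\n' "$path" "$type" "$meta"
        return 0
    fi
    return 1
}

# Checks every root given; returns 0 only when no root contains the indicator.
anchor_log_sweep() {
    hits=0
    for r in "$@"; do
        if anchor_log_check "$r"; then hits=$((hits + 1)); fi
    done
    echo "roots_checked=$# hits=$hits" >&2
    [ "$hits" -eq 0 ]
}

# Stand-alone use: ./anchor_check.sh / /mnt/image1 /mnt/image2
if [ "$#" -gt 0 ]; then
    anchor_log_sweep "$@"
fi
```

The exit status is non-zero when any root contains the file, so the script can be used from a scheduled job or a fleet-management tool that alerts on failure.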
Roots of the Anchor_Linux malware
The Anchor_Linux malware was derived by porting the Anchor_DNS malware to a new Linux backdoor version.
- The Anchor_DNS malware has been used on high-value, high-impact targets with valuable financial information.
- In an attack campaign in December 2019, threat actors used a new variant of the rare Anchor_DNS tool as a backdoor to stealthily communicate with C2 servers.
The next steps
It is believed that Anchor_Linux is still under development due to the testing functionality present in the Linux executable. Security experts say Linux systems and IoT devices must have adequate protection and monitoring to detect threats like Anchor_Linux.