- Alert (AA20-302A) talks about Ransomware Activity Targeting the Healthcare and Public Health Sector stating “As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling”.
- The team behind Trickbot has been aggressively updating and deploying various modules including Anchor and Bazar Loader. These evolutionary changes to Trickbot are furthering their reach into high-value targets, including healthcare entities.
- Development continues on TrickBots Anchor project, with the addition of using ICMP for command and control communication.
TrickBot is the successor of Dyre[1,2] which at first was primarily focused on banking fraud in the same manner that Dyre utilized injection systems. TrickBot has shifted focus to enterprise environments over the years to incorporate everything from network profiling, mass data collection and lateral traversal exploits. This focus shift is prevalent in their inclusion of malware and techniques in their tertiary deliveries that target enterprise environments. Much like a company whose target will shift depending on what generates the best revenue.
Previous Anchor reporting:
- Anchor[3,4] projects connection of CyberCrime and APT
- Anchor includes DNS variant and POS variant using DNS[4,6]
- PowerTrick custom powershell framework for high profile victims
- Anchor project, linux version
While tracking Anchor we came across a sample with a few additions.
Pivoting on these additions shows an earlier sample was uploaded to VirusTotal with debugging symbols.
Ultimately the ICMP portion appears to be ran in sequence along with the DNS traffic, while the DNS traffic will be initiated by performing DNS queries which will be routed to the malicious nameservers. There’s plenty of good reports out there on Anchor DNS already including recently discovered linux version[3,4,6,7].
For the ICMP counterpart the traffic will be sent to the resolved IP of the domain name in question, this gives actors multiple avenues to maintain their infections while utilizing their other tools for pivoting around the environment.
All of the samples so far recovered use a hardcoded string for the traffic constructed.
Below we can see the traffic from a sandbox detonation showing this.
Above you can the DNS query for the C2 domain before it begins to perform DNS questions for exfiltration, what you can’t see in the sandbox run screen is the ICMP traffic. To see that you need to actually pull down the PCAP.
The ping contains 22 bytes of data of ‘
The bot then checks the response data of the 20th byte, which is listed as Command Related, using a switch statement.
Thanks to the sample with the debugging messages we can quickly map out some of the response byte possible meanings.
Trickbot has proven to be highly resilient and very nimble. They continue to evolve their platform and infrastructure. The addition of ICMP as a potential C2 channel only strengthens the module, and improves the ability for Trickbot to stay both persistent and stealth. Even recent attempts to disrupt Trickbot have proven only slightly effective, and for a limited time at that. It cannot be stressed enough that the actors behind these campaigns are very well resourced, very well staffed, and they will focus on targets with dangerous abandon. Defense against these threats requires similarly nimble controls, ala a layered defense that can evolve with the adversary.
Indicators of Compromise
Network signature on the hardcoded 4 byte string in the ICMP data.