Cybereason, creators of the leading Cyber Defense Platform, today released an investigative research report from its Nocturnus Research Group titled ‘Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware’ looking at a new series of hacking campaigns against financial, manufacturing, and retail businesses across the United States and Europe.
“We chose not to discuss attribution in this research, but the nature of these attacks appears to be aligned with the financially-motivated FIN6 threat actor, a group that is known to target POS systems and has been linked to TrickBot infections in the past. The gravity and danger that lie in commodity malware infections have the potential of escalating into a hacking operation with a disastrous outcome, whether it be a ransomware infection or theft of sensitive financial data,” said Assaf Dahan, Senior Director and Head of Threat Research at Cybereason.
Earlier this year, Cybereason researchers uncovered a severe threat using the Emotet and TrickBot trojans to deliver Ryuk ransomware. The Dropping Anchor campaign started with a TrickBot infection and progressed into a hacking operation targeting sensitive financial systems.
While previous operations focused on causing ransomware infections by compromising critical assets like the domain controller, this new operation targets Point-of-Sale (POS) systems. The campaign leverages a newly discovered malware family called Anchor exclusively against high-profile targets.
Additional Dropping Anchor Research Highlights Include:
- Targets POS Systems: The attacks target POS systems to steal sensitive information by taking over critical assets in the victims’ network.
- Deploys A Backdoor on High-value Targets: On certain high-profile targets, the attackers selectively use a new variant of the rare Anchor_DNS tool. Anchor_DNS is a backdoor that uses the DNS protocol to stealthily communicate with C2 servers.
- Uses a New, Undocumented Malware: In addition to the new Anchor_DNS variant, the attackers use a completely new and previously undocumented malware dubbed Anchor. Anchor has been in operation since August 2018 and appears to be tightly related to TrickBot.
- Adds Enhancements to TrickBot: This attack adds a new and enhanced stealing module to TrickBot that focuses on stealing passwords from various products, including the KeePass password manager.
- Uses Known Tools for Reconnaissance and Lateral Movement: The majority of the initial interactive hacking operation uses the known tools Meterpreter, PowerShell Empire, and Cobalt Strike for reconnaissance and lateral movement.
- Abuses the Trust of Certificate Authorities: Many of the payloads in the attacks are signed binaries, which demonstrates the ever-growing trend of signed threats that abuse the trust of certificate authorities to bypass detection.