The notorious TrickBot malware made a name for itself in 2019 when it began carrying out illegal activities including credential theft, theft of personal information and Windows domain infiltration, and also acted as a malware dropper.
Until now, TrickBot was known as a multi-purpose Windows malware with several modules affecting that operating system, but one of the modules of the TrickBot framework, dubbed “Anchor_DNS,” has now been ported to infect Linux devices. Anchor_DNS usually targets high-value systems to steal valuable financial information.
Waylon Grange, a security researcher at Stage 2 Security, discovered that Anchor_DNS has been ported to a Linux version called ‘Anchor_Linux.’ With this port, the malware can target a range of Linux-based IoT devices, including routers, VPN devices and NAS devices.
As analyzed by Advanced Intel’s Vitali Kremez, Anchor_Linux uses the following crontab entry to run every minute once installed:
*/1 * * * * root [filename]
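As an added defender-side example (not from the article or from the researchers it quotes), the following Python scans system-crontab lines for the persistence pattern described above: root jobs scheduled to run every minute, flagging those whose command lives in a directory such as /tmp or /dev/shm. The sample crontab is constructed for this example; the Anchor_Linux-style line keeps the article's [filename] placeholder.

```python
import re
from typing import Dict, List

# Constructed sample in /etc/crontab or /etc/cron.d format (the variant that
# carries a user field). Nothing here is a real indicator; the "[filename]"
# entry is modelled on the cron line quoted in the article.
SAMPLE_CRONTAB = """
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/1 * * * * root /dev/shm/[filename]
* * * * * root /tmp/svc_update
* * * * * root /usr/bin/monitor-agent --tick
*/5 * * * * backup /usr/local/bin/backup.sh
"""

# Directories from which a legitimately packaged cron job almost never runs.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# five schedule fields, a user, then the rest of the line as the command
CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def runs_every_minute(fields) -> bool:
    """True when the schedule fires every minute ('* * * * *' or '*/1 * * * *')."""
    minute, rest = fields[0], fields[1:]
    return minute in ("*", "*/1") and all(f == "*" for f in rest)


def find_suspicious_cron(text: str) -> List[Dict[str, object]]:
    """Return root entries that run every minute, noting whether the command path is unusual."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        m = CRON_RE.match(line)
        if not m:
            continue
        schedule, user, cmd = m.groups()[:5], m.group(6), m.group(7)
        if user == "root" and runs_every_minute(schedule):
            exe = cmd.split()[0]
            hits.append({"command": cmd,
                         "odd_path": any(exe.startswith(d) for d in SUSPICIOUS_DIRS)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_cron(SAMPLE_CRONTAB):
        print(("SUSPICIOUS " if hit["odd_path"] else "review     ") + str(hit["command"]))
```

Entries that fire every minute from a standard path are reported for review rather than flagged, so the output separates the Anchor_Linux-style lines from a benign agent.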
It has been discovered that the module can not only act as a backdoor that infects Linux devices by dropping malware, but also contains an embedded Windows TrickBot executable. Intezer, which found a sample of Anchor_Linux, describes it as a new “Lightweight backdoor with the ability to spread to neighboring Windows boxes using svcctl via SMB.”
Interestingly, with Anchor_Linux, bad actors can target non-Windows environments and pivot to Windows devices on the same network. Speaking to Bleeping Computer, Kremez said:
“The malware acts as covert backdoor persistence ..