TrickBot’s AnchorDNS backdoor evolves into a version called AnchorMail

March 10, 2022

The TrickBot threat group’s AnchorDNS backdoor has evolved into a more capable version called AnchorMail, which the group adopted in recent attacks that deployed the Conti ransomware.

Researchers have warned organisations about this new threat because several new techniques are used to compromise targeted networks with the new backdoor, and it is believed to be another attempt by the group to refine its TTPs.

The recent discovery of the AnchorMail backdoor, also known as Delegatz, during ransomware operations shows the TrickBot group’s continued investment in its malware.

The upgraded TrickBot backdoor variant uses an email-based command-and-control server. Rather than Transport Layer Security, it communicates using the Internet Message Access Protocol (IMAP) and the Simple Mail Transfer Protocol (SMTP).

After execution, AnchorMail creates a scheduled task for persistence that runs at a 10-minute interval. It gathers basic system information, registers with its command-and-control server, and then enters a loop in which it checks for and executes received commands.
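The two behaviours just described, a scheduled task repeating every 10 minutes and command-and-control traffic carried over ordinary mail protocols, are both things a defender can look for in telemetry. The following Python is an added example, not code from the article or from any analysis of the real sample: it runs two simple checks over constructed network log lines and scheduled-task records. The log format, process names, task names, file paths, the mail-client allowlist and the trusted directory prefixes are all assumptions made for this example.

```python
"""Added example (not from the original article): two defender-side checks over
constructed telemetry for the AnchorMail behaviours described in the text:
(1) a non-mail process talking to SMTP/IMAP ports, and
(2) a scheduled task that fires every 10 minutes and launches a binary from an
untrusted location.  All names, paths and log formats below are assumptions."""
from dataclasses import dataclass
from typing import List

# Standard SMTP (25, 465, 587) and IMAP (143, 993) ports, plain and TLS.
MAIL_PORTS = {25, 465, 587, 143, 993}
# Assumption: the organisation knows which processes legitimately speak mail
# protocols; everything else on these ports is worth a look.
ALLOWED_MAIL_PROCESSES = {"outlook.exe", "thunderbird.exe"}
# Assumption: benign scheduled tasks launch binaries from these directories.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class NetEvent:
    process: str
    dst_ip: str
    dst_port: int


@dataclass
class ScheduledTask:
    name: str
    interval_minutes: int  # repetition interval of the task's trigger
    command: str           # action the task runs


def parse_net_line(line: str) -> NetEvent:
    """Parse one constructed 'process=<name> dst=<ip>:<port>' log line."""
    fields = dict(part.split("=", 1) for part in line.split())
    ip, port = fields["dst"].rsplit(":", 1)
    return NetEvent(fields["process"].lower(), ip, int(port))


def flag_mail_c2(lines: List[str]) -> List[NetEvent]:
    """Return events where a process outside the mail-client allowlist connects
    to an SMTP or IMAP port, the pattern an email-based C2 channel produces."""
    return [
        ev for ev in map(parse_net_line, lines)
        if ev.dst_port in MAIL_PORTS and ev.process not in ALLOWED_MAIL_PROCESSES
    ]


def flag_short_interval_tasks(tasks: List[ScheduledTask],
                              max_minutes: int = 10) -> List[ScheduledTask]:
    """Return tasks that repeat at least every `max_minutes` and run a binary
    from outside the trusted directories (a 10-minute beacon from a user-writable
    path is the persistence shape described for AnchorMail)."""
    return [
        t for t in tasks
        if t.interval_minutes <= max_minutes
        and not t.command.lower().startswith(TRUSTED_PREFIXES)
    ]


# Constructed sample telemetry (addresses are documentation ranges, names invented).
SAMPLE_NET_LINES = [
    "process=outlook.exe dst=203.0.113.10:993",   # mail client, expected
    "process=chrome.exe dst=203.0.113.20:443",    # not a mail port
    "process=updater.exe dst=203.0.113.30:587",   # unknown process, SMTP submission
    "process=updater.exe dst=203.0.113.30:143",   # same process, IMAP
]

SAMPLE_TASKS = [
    ScheduledTask("EdgeUpdateCheck", 60,
                  "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\update.exe"),
    ScheduledTask("SysUpdate", 10,
                  "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"),
    ScheduledTask("DiskCheck", 10, "C:\\Windows\\System32\\defrag.exe"),
]


if __name__ == "__main__":
    for ev in flag_mail_c2(SAMPLE_NET_LINES):
        print(f"mail-port connection from non-mail process: {ev}")
    for t in flag_short_interval_tasks(SAMPLE_TASKS):
        print(f"short-interval task from untrusted path: {t}")
```

On the constructed input the first check reports the two connections from `updater.exe` to ports 587 and 143, and the second reports only `SysUpdate`: the Edge task repeats too slowly and the defrag task, although it also fires every 10 minutes, runs from a trusted directory. Correlating the two results by process name is the natural next step, since the same binary showing up in both lists is far more suspicious than either finding alone.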

According to a recent analysis of a retrieved AnchorMail sample, the researchers found that the new backdoor’s behaviour aligns with that of its predecessor, AnchorDNS.

The command handling of AnchorMail is nearly identical to its predecessor’s. The new and old variants accept the same command codes, which deliver the various commands and payloads from the command-and-control server.

Experts’ examinations showed that AnchorMail is written in C++ and exclusively targets Windows systems. However, since AnchorDNS has already been ported to Linux, there is a high probability that a Linux strain of AnchorMail will appear soon.

TrickBot remains one of the most hostile threat actors globally and constantly upgrades its malware.

Experts suggest that organisations maintain good monitoring, detection and response solutions together with well-integrated internal security systems. They also recommend that organisations train their employees to recognise phishing emails.
