Researchers are warning enterprise organizations that a revamped version of the Anchor malware has been observed targeting Windows systems. Anchor is a known backdoor that has been used in attacks by the group behind the Trickbot malware.
First uncovered in 2018, the Anchor malware has previously been utilized to communicate with the command-and-control (C2) server, with the end goal of deploying the Conti ransomware. Researchers said that the installation framework of the malware has been used by some of the “most notorious threat actors” to target organizations in the healthcare, finance, telecoms, education and critical infrastructure sectors. While previously, Anchor used the DNS protocol to communicate with the C2, the newly discovered variant, which researchers with IBM Security X-Force called AnchorMail, now utilizes an email-based C2 server and communicates via the SMTP and IMAP protocols over TLS.
This helps attackers avoid detection, as a high-level inspection of the affected network traffic would show a series of properly crafted email messages exchanged between a client and a server, said John Dwyer, head of research with IBM Security X-Force.
It’s not uncommon for adversaries and malware to redirect or tunnel C2 channels over ports which are commonly allowed to traverse border firewalls to communicate with the Internet," said Dwyer. "In response, network security solutions have adapted to these techniques by incorporating detections to identify abnormal traffic within common network protocols. AnchorMail increases detection difficulty by encrypting the data over SMTPS/IMAPS protocols, as well as leveraging properly crafted email messages to orchestrate the C2 channel.
The malware, once executed, creates scheduled tasks for persistence, collects basic system data and registers with the C2. The C2 server now appears to leverage mail server code, with the backdoor communicating through specially crafted email messages. To initiate these C2 communications the malware first performs a DNS request to retrieve the server IP address, before creating a TLS connection through SMTP (via port 465) using the OpenSSL library. It then crafts the email message with the request string and any data to be sent to the C2. Then, to receive C2 responses the malware connects to the C2 server through the IMAP protocol (via port 993) using TLS. The message contents are decoded in order to extract any commands. The command codes are the same as the original version and give the malware a variety of functionalities, including retrieving executables, DLL files or shellcode from the C2.
“The discovery of this new Anchor variant adds a new stealthy backdoor for use during ransomware attacks and highlights the group’s commitment to upgrading its malware."
"AnchorMail is written in C++ and has so far only been observed targeting Windows systems,” said Charlotte Hammond, malware reverse engineer with IBM Security X-Force, in a Friday analysis. “However, as [Anchor] has been ported to Linux, it seems likely that a Linux-variant of AnchorMail may emerge too.”
The refurbished backdoor version comes as researchers report that the operators behind Trickbot - a trojan first identified in 2016 and primarily used for facilitating credential theft and banking fraud - are pivoting their focus to instead deploy stealthier malware families. While Trickbot has stayed active over the years - despite its servers being disrupted in 2020 by Microsoft and the U.S. Cyber Command - researchers said that starting Dec. 28 the botnet's activities halted. Researchers with Intel 471 in an analysis last week said these clues mean “it’s likely” that the operators behind the botnet may have phased out the Trickbot malware in favor of other platforms that it has historically worked with.
Trickbot has a number of relationships with other cybercrime groups and services, including Conti and Emotet; for instance, last year Trickbot was observed downloading and executing updated Emotet binaries. Beyond these partnerships, the operators have development ties to the Bazar malware family, which is used to gain an initial foothold into high-value targets and execute follow-up payloads.
"We have also seen the recent reports regarding Trickbot and while we can’t speculate on the group's intentions, we can see that the design of the Anchor Framework allows the malware to be used completely outside of the Trickbot infrastructure, so theoretically Anchor could be leveraged by any adversary to provide command and control (C2) capabilities," said Dwyer.