
FIN6 and TrickBot Combine Forces in ‘Anchor’ Attacks
2020-04-07 16:57

Researchers say two cybercriminal groups, FIN6 and the operators of the TrickBot malware, have paired up to target several organizations with TrickBot's malware framework known as "Anchor."

"That said, this development places more enterprises at risk of an attack from ITG08, particularly those processing credit card data, by enabling the group to access networks infected by the TrickBot Trojan. The attacks are likely initiated through malicious spam campaigns, which is how TrickBot is typically delivered. Once an enterprise is infected with the TrickBot Trojan, we expect that access, along with use of the Anchor and PowerTrick malware, is then sold to ITG08, which will then take over the intrusion into the victim network."

Two of the samples use the same RKey, which is used in part to encrypt communications with the C2. The campaign using the Anchor malware also employed tactics, techniques and procedures similar to those of previous FIN6 campaigns, such as its targeting of PoS systems, researchers said: "Further clues connect ITG08 to TrickBot and its operators' other malware. Generally speaking, the tactics used to deploy More_eggs in victim environments, as well as other threat actor tactics, techniques and procedures used during these Anchor campaigns, are unusually consistent with those used by ITG08," said Villadsen.

The operators behind TrickBot and IcedID started a collaboration in 2018 that eventually pulled TrickBot away from Necurs, said researchers.

Researchers say FIN6's partnership with the TrickBot gang not only provides the cybercriminal group with new malware and potential access to enterprises infected with the TrickBot Trojan; it also reveals additional evidence of the group's strategy of partnering with other threat actors and malware developers.


News URL

https://threatpost.com/fin6-and-trickbot-combine-forces-in-anchor-attacks/154508/