
TrickBot Malware Gang Upgrades its AnchorDNS Backdoor to AnchorMail
2022-03-01 08:12

Even as the TrickBot infrastructure closed shop, the operators of the malware are continuing to refine and retool their arsenal to carry out attacks that culminate in the deployment of Conti ransomware.

IBM Security X-Force, which discovered the revamped version of the criminal gang's AnchorDNS backdoor, dubbed the new, upgraded variant AnchorMail.

AnchorMail "uses an email-based server which it communicates with using SMTP and IMAP protocols over TLS," IBM's malware reverse engineer, Charlotte Hammond, said.
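Because the channel is wrapped in TLS, a network defender cannot inspect the mail traffic itself; what remains observable is which hosts are talking SMTP and IMAP to which servers. The script below is an added example (not code from IBM X-Force or from the article) that hunts for that pattern in Zeek-style conn.log records: any internal host using mail ports to reach a server outside a hypothetical allowlist of the organisation's own mail relays is reported, and a host that both submits (SMTP) and fetches (IMAP) through the same outside server is singled out as matching an email-based C2 loop. The log lines and the allowlist are constructed for the example.

```python
"""Flag outbound SMTP/IMAP sessions to mail servers the organisation does not run.

Added example; assumes Zeek conn.log column order (a subset of the real one) and
a hypothetical allowlist of corporate mail relays. Sample records are constructed.
"""
from collections import defaultdict

# Ports an email-based C2 channel over TLS would use: SMTP and IMAP families.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission", 143: "imap", 993: "imaps"}

# Hypothetical corporate mail relays; any other destination on a mail port is suspect.
ALLOWED_MAIL_SERVERS = {"10.0.5.10", "10.0.5.11"}

# Constructed sample, tab-separated, in this column order:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes
SAMPLE_CONN_LOG = """\
1646100000.1\tC1\t10.0.8.21\t51234\t10.0.5.10\t993\ttcp\tssl\t30.2\t2100\t9800
1646100005.4\tC2\t10.0.8.21\t51301\t203.0.113.45\t993\ttcp\tssl\t12.0\t640\t1300
1646100009.0\tC3\t10.0.8.21\t51320\t203.0.113.45\t465\ttcp\tssl\t3.1\t4200\t250
1646100012.7\tC4\t10.0.8.33\t44010\t198.51.100.7\t443\ttcp\tssl\t1.0\t900\t4000
1646100020.2\tC5\t10.0.8.33\t44022\t203.0.113.45\t587\ttcp\tssl\t2.5\t3900\t200
"""

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes"]


def parse_conn_log(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for k in ("orig_p", "resp_p", "orig_bytes", "resp_bytes"):
            rec[k] = int(rec[k])
        yield rec


def find_suspect_mail_sessions(text, allowed=ALLOWED_MAIL_SERVERS):
    """Aggregate mail-port sessions to non-allowlisted servers per (source, server).

    Returns {(orig_h, resp_h): {"protocols": set, "sessions": int,
                               "bytes_out": int, "bytes_in": int}}.
    """
    findings = defaultdict(lambda: {"protocols": set(), "sessions": 0,
                                    "bytes_out": 0, "bytes_in": 0})
    for rec in parse_conn_log(text):
        if rec["proto"] != "tcp" or rec["resp_p"] not in MAIL_PORTS:
            continue
        if rec["resp_h"] in allowed:
            continue  # the organisation's own relay, expected traffic
        f = findings[(rec["orig_h"], rec["resp_h"])]
        f["protocols"].add(MAIL_PORTS[rec["resp_p"]])
        f["sessions"] += 1
        f["bytes_out"] += rec["orig_bytes"]
        f["bytes_in"] += rec["resp_bytes"]
    return dict(findings)


def looks_like_mail_c2(finding):
    """True when one host both submits (SMTP) and fetches (IMAP) via the same
    outside server: the two halves of an email-based command channel."""
    p = finding["protocols"]
    return bool(p & {"smtp", "smtps", "submission"}) and bool(p & {"imap", "imaps"})


if __name__ == "__main__":
    for (src, dst), f in find_suspect_mail_sessions(SAMPLE_CONN_LOG).items():
        tag = "C2-like" if looks_like_mail_c2(f) else "review"
        print(f"{tag:8} {src} -> {dst} {sorted(f['protocols'])} "
              f"sessions={f['sessions']} out={f['bytes_out']} in={f['bytes_in']}")
```

On the constructed sample the host 10.0.8.21 is reported as C2-like (IMAPS plus SMTPS to the same outside server), 10.0.8.33 is listed for review (one submission session), and the session to the allowlisted relay is ignored. In production the allowlist should also cover sanctioned cloud mail providers, otherwise every laptop with a personal mailbox will trip the rule.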

The cybercrime actor behind TrickBot, ITG23 aka Wizard Spider, is also known for its development of the Anchor malware framework, a backdoor reserved for targeting selected high value victims since at least 2018 via TrickBot and BazarBackdoor, an additional implant engineered by the same group.

Over the years, the group has also benefited from a symbiotic relationship with the Conti ransomware cartel, with the latter leveraging TrickBot and BazarLoader payloads to gain a foothold for deploying the file-encrypting malware.

Less than 10 days later, the TrickBot actors shut down their botnet infrastructure after an unusual two-month-long hiatus in the malware distribution campaigns, marking a pivot that is likely to channel their efforts into stealthier malware families such as BazarBackdoor.


News URL

https://thehackernews.com/2022/03/trickbot-malware-gang-upgrades-its.html