Just a few days after the TrickBot takedown, Netscout researchers spotted a brand new TrickBot Linux variant that was being used by its operators.
Just a few days ago, Microsoft's Defender team, FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT, and Broadcom's cyber-security division Symantec joined forces and announced a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.
Microsoft has taken down 120 of the 128 servers that composed the TrickBot infrastructure.
Microsoft announced that it had taken down 62 of the original 69 TrickBot C&C servers; the seven servers that could not be brought down last week were Internet of Things (IoT) devices.
Microsoft also revealed that the operators tried to resume operations: the company brought down 58 of the 59 servers the operators tried to bring online after the recent takedown.
According to a new report published by researchers from security firm Netscout, TrickBot's operators have started to use a new variant of their malware in an attempt to expand to Linux systems and broaden the list of its targets.
TrickBot is a popular banking Trojan that has been around since October 2016; its authors have continuously upgraded it by implementing new features.
At the end of 2019, researchers spotted a new TrickBot backdoor framework dubbed Anchor that was using the DNS protocol for C2 communications.
Stage 2 Security researcher Waylon Grange first spotted the new Linux variant of Anchor_DNS in July and called it "Anchor_Linux."
"The actors behind Trickbot, a high profile banking trojan, have recently developed a Linux port of their new DNS command and control tool known as Anchor_DNS," explained Grange.
"Normally delivered as part of a zip, this malware is a lightweight Linux backdoor. Upon execution it installs itself as a cron job, determines the public IP [address] for the host and then begins to beacon via DNS queries to its C2 server."
Researchers from Netscout have now published an analysis of the variant detailing the communication flow between the bot and the C2 server.
The client sends "c2_command 0" to the server along with information about the compromised system and the bot ID; the server, in turn, responds with the message "signal /1/" back to the bot.
The infected host responds by sending the same message back to the C2, which in turn sends the command to be executed by the bot. Once the command has been executed, the bot sends the result of the execution to the C2 server.
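The exchange described above, written as a session-reconstruction routine an analyst could run over decoded messages during triage. This is an added example, not code from the Netscout report; the page does not describe the DNS encoding or message framing, so the input is a list of already-decoded (direction, text) pairs, the bot ID field layout is assumed, and the sample session is constructed.

```python
"""Reconstruct an Anchor_Linux-style C2 handshake from decoded messages.

Added example; the DNS transport and exact message layout are assumed.
"""
from typing import List, Tuple

# Handshake stages in the order the report describes them.
STAGES = ("hello", "signal", "echo", "command", "result")


def reconstruct_session(messages: List[Tuple[str, str]]) -> dict:
    """Walk the exchange and report how far it got and what was seen.

    messages: (direction, text) pairs with direction "bot" or "c2".
    Out-of-order or unrelated messages are skipped, so a partial or
    noisy capture still yields the last completed stage.
    """
    state = {"stage": None, "bot_id": None, "command": None,
             "result": None, "complete": False}
    expected = 0  # index into STAGES of the next stage we expect
    for direction, text in messages:
        if expected >= len(STAGES):
            break
        stage = STAGES[expected]
        if stage == "hello" and direction == "bot" and text.startswith("c2_command 0"):
            # Assumption: the bot ID is the third whitespace-separated field.
            fields = text.split()
            state["bot_id"] = fields[2] if len(fields) > 2 else None
        elif stage == "signal" and direction == "c2" and text.strip() == "signal /1/":
            pass  # server acknowledges the hello
        elif stage == "echo" and direction == "bot" and text.strip() == "signal /1/":
            pass  # bot echoes the signal back
        elif stage == "command" and direction == "c2":
            state["command"] = text  # task sent to the bot
        elif stage == "result" and direction == "bot":
            state["result"] = text  # execution result returned to C2
        else:
            continue
        state["stage"] = stage
        expected += 1
    state["complete"] = expected == len(STAGES)
    return state


# Constructed sample session following the flow described above.
SAMPLE = [
    ("bot", "c2_command 0 BOTID-EXAMPLE-0001 host=srv-01 os=linux"),
    ("c2", "signal /1/"),
    ("bot", "signal /1/"),
    ("c2", "PLACEHOLDER_TASK"),
    ("bot", "PLACEHOLDER_TASK_OUTPUT"),
]
```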
"The complexity of Anchor's C2 communication and the payloads that the bot can execute reflect not only a portion of the Trickbot actors' considerable capabilities, but also their ability to constantly innovate, as evidenced by their move to Linux," concludes the report. "It is important to note that Trickbot operators are not the only adversaries to realize the value of targeting other operating systems."
Pierluigi Paganini
(SecurityAffairs – hacking, Trickbot)