TrickBot Malware Gets New Linux Variant to Infect Both Windows and Linux Systems

TrickBot, a backdoor-type malware that specializes in infecting Windows, now has a Linux version. Researchers found TrickBot's new Anchor_Linux malware, which carries a Windows payload so that it can spread across networks and infect both Linux and Windows systems.

TrickBot Malware Gets New Linux Variant!

Source: SentinelOne

The TrickBot platform has grown into one of the more reliable malware families for setting up backdoors. The botnet it forms is leveraged by many known ransomware groups, such as Ryuk and Conti, to drop the payloads that encrypt systems. On its own, the malware is used for several purposes: stealing sensitive data such as passwords, infiltrating Windows domains, and setting up backdoors that deliver the payloads of third-party hackers.

Now, a new sample detected by Waylon Grange of Stage 2 Security reveals that TrickBot's Anchor malware has a new Linux-based version, which is aimed at high-profile and sensitive targets for valuable information. Named TrickBot Anchor_Linux, this ported malware also contains a Windows executable for breaching Windows machines.

Anchor_linux Malware

After a vulnerability on the targeted Linux machine is exploited, the Windows executable embedded in TrickBot's Anchor_Linux is configured through SMB SVCCTL and the Service Control Manager Remote Protocol. This lets the executable unpack from the Linux malware and spread to Windows systems on the same network.

After gaining persistence and planting a backdoor, it uses the DNS protocol, as reported by SentinelOne and NTT, to communicate with the hacker's C2 server. The commands it receives would generally be to load a new payload (probably ransomware) or to steal data from the infected system.

Statistics show that a significant number of devices run on Linux, including routers, VPNs, NAS devices and other IoT gadgets. All of these could be targeted by TrickBot to form a wide botnet, which could be used for DDoS attacks or other malicious purposes.

If you're using a Linux system and want to know whether you're infected, check for a tmp/anchor.log file on your computer. Anchor_Linux places this file as its footprint, and it is also used for confirmation. If it is found, scan for possible backdoors and close unused RDP ports.
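The marker-file check described above can be scripted so it also covers mounted disk images from routers or NAS devices, and so it records evidence metadata on a hit. This is an added example, not code from the researchers or vendors named in the article; the function name, the root-directory arguments and the output format are assumptions of the example.

```shell
#!/bin/sh
# Added example: triage check for the Anchor_Linux marker file named in the article.
# The ROOT arguments are an assumption of this example: "/" for the live system,
# or the mount point of a disk image taken from a router, NAS or other Linux device.

MARKER_REL="tmp/anchor.log"   # path as given in the article, relative to ROOT

# Print one evidence record per root where the marker exists.
# Returns 0 if at least one root has the marker, 1 otherwise.
check_anchor_marker() {
    hits=0
    for root in "$@"; do
        path="${root%/}/$MARKER_REL"
        # -e follows symlinks; -L also catches a dangling symlink at that path.
        if [ -e "$path" ] || [ -L "$path" ]; then
            hits=$((hits + 1))
            # Capture owner, size and mtime before anything else touches the file.
            meta=$(ls -ldn "$path" 2>/dev/null)
            if [ -f "$path" ] && command -v sha256sum >/dev/null 2>&1; then
                hash=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
            else
                hash="n/a"
            fi
            printf 'FOUND %s\n  meta:   %s\n  sha256: %s\n' "$path" "$meta" "$hash"
        fi
    done
    [ "$hits" -gt 0 ]
}

# Example invocation (commented out so sourcing the file has no side effects;
# /mnt/nas_image is a hypothetical mount point):
# check_anchor_marker / /mnt/nas_image && echo "Marker present: isolate and investigate"
```

A clean result only means the marker is absent from the roots that were checked, since a log file is easy to delete.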
