Linux users, beware: TrickBot malware is no longer Windows-exclusive

Jeffrey Cuebas

The creators of the TrickBot have as soon as once again current their malware with new operation and now it can focus on Linux gadgets via its new DNS command and regulate instrument Anchor_DNS.

When TrickBot originally commenced out as a banking trojan, the malware has progressed to accomplish other destructive behaviors which include spreading laterally via a community, stealing saved qualifications in browsers, stealing cookies, checking a device’s screen resolution and now infecting Linux as very well as Windows gadgets.

TrickBot is also malware-as-a-service and cybercriminals hire obtain to it in purchase to infiltrate networks and steal precious knowledge. After this is accomplished, they then use it to deploy ransomware this kind of as Ryuk and Conti in purchase to encrypt gadgets on the community as the last stage of their assault.

At the conclude of past year, SentinelOne and NTT reported that a new TrickBot framework referred to as anchor makes use of DNS to talk with its C&C servers. Anchor_DNS is utilized to start assaults towards significant-benefit and significant-impact targets that posses precious monetary information. The TrickBot Anchor can also be utilized as a backdoor in APT-like campaigns which focus on both point-of-sale and monetary systems.


Up till now, Anchor has been a Windows malware but Stage two Safety researcher Waylon Grange uncovered a new sample which displays that Anchor_DNS has been ported to a new Linux backdoor model referred to as ‘Anchor_Linux’.

In addition to acting as a backdoor that can be utilized to drop and run malware on Linux gadgets, the malware also has and embedded Windows TrickBot executable that can be utilized to infect Windows equipment on the exact same community.

After copied to a Windows device, Anchor_Linux then configures itself as a Windows service. Immediately after configuration, the malware is tarted on the Windows host and it connects back to an attacker’s C&C server where it gets commands to execute.

The actuality that TrickBot has been ported to Linux is in particular worrying because quite a few IoT gadgets which include routers, VPN gadgets and NAS gadgets run on Linux. Anxious Linux people can locate out if they have been infected by seeking for a log file at /tmp/anchor.log on their systems. If this file is discovered, people ought to accomplish a finish audit of their systems to look for for the Anchor_Linux malware.

Through BleepingComputer

Next Post

Android malware posing as Covid-19 contact tracing apps

As nations around the world all over the earth started off giving Covid-19 get hold of tracing apps to their citizens, cybercriminals applied this to their edge to distribute Android malware, in accordance to a new report from EclecticIQ and ThreatFabric. Scientists from equally providers as perfectly other folks recognized […]