Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware (Dec 11, 2019)

While monitoring a wave of targeted campaigns against financial, manufacturing, and retail businesses in October 2019, Cybereason researchers observed a new backdoor, dubbed “Anchor,” being used to target Point-of-Sale (PoS) systems of high-profile organizations in the United States and Europe. According to the researchers, Anchor has been in operation since August 2018 and appears to be related to TrickBot, possibly created by the same individuals. The campaign begins with a phishing email that delivers the TrickBot downloader masquerading as a Microsoft Word document; when clicked, it downloads the TrickBot payload. TrickBot steals data, including the location of the victim and the master key to KeePass, and sends it to a hardcoded C2 server. If the information obtained points to a high-value target, the Anchor malware is downloaded: an incredibly stealthy backdoor that uses DNS tunneling for C2 communication. While Cybereason did not explicitly discuss attribution, the researchers noted similarities between the techniques and tools used by the cyber threat group FIN6 and those seen in these PoS campaigns.
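The DNS-tunneling C2 channel described above is what a defender would hunt for in resolver logs. The following is an added detection heuristic written for this briefing, not code from Cybereason or from the Anchor sample: it assumes a generic "timestamp client qname qtype" resolver log format and a constructed placeholder domain, and it flags registered domains that receive many distinct, long, high-entropy subdomain labels, which is the shape tunneled data takes regardless of the specific encoding a given malware uses.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic); "c2-placeholder.test" is a placeholder.
SAMPLE_LOG = """\
1575955200 10.0.0.5 www.example.com A
1575955201 10.0.0.5 a3f9c1e7b2d4f6a8c0e1d3b5.c2-placeholder.test A
1575955202 10.0.0.5 9e2b7c4d1f0a6e8b3c5d7f9a.c2-placeholder.test A
1575955203 10.0.0.5 4c8a2e6f0b1d3579ace02468.c2-placeholder.test A
1575955204 10.0.0.5 mail.example.com MX
1575955205 10.0.0.5 b7d1f3a5c9e2046813579bdf.c2-placeholder.test A
1575955206 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(s):
    """Bits per character; encoded/encrypted payload labels score far above hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    """Naive last-two-labels split (assumption; production code should use a public-suffix list)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])

def parse_log(text):
    """Return (client, qname, qtype) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            records.append((fields[1], fields[2].lower(), fields[3]))
    return records

def score_domains(records, min_queries=3, min_unique=3, min_label_len=16, min_entropy=3.0):
    """Flag domains whose subdomain labels look like a data channel rather than hostnames."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "label_len": [], "entropy": []})
    for _client, qname, _qtype in records:
        dom = registered_domain(qname)
        sub = qname[:-len(dom)].rstrip(".") if len(qname) > len(dom) else ""
        s = stats[dom]
        s["queries"] += 1
        if sub:
            s["subs"].add(sub)
            s["label_len"].append(max(len(lbl) for lbl in sub.split(".")))
            s["entropy"].append(shannon_entropy(sub.replace(".", "")))
    flagged = {}
    for dom, s in stats.items():
        if s["queries"] < min_queries or len(s["subs"]) < min_unique:
            continue
        avg_len = sum(s["label_len"]) / len(s["label_len"])
        avg_ent = sum(s["entropy"]) / len(s["entropy"])
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[dom] = {"queries": s["queries"], "unique_subdomains": len(s["subs"]),
                            "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Tune the thresholds against a baseline of your own resolver traffic, since CDNs and some telemetry services legitimately use long, random-looking labels.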

Recommendation: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. Emails that ask the recipient to follow a link which then requests credentials are often an indicator of a phishing attack. Additionally, customer-facing companies that store credit card data must actively defend against PoS threats and stay on top of industry compliance requirements and regulations. All PoS networks should be aggressively monitored for these types of threats.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.