Linux users, beware: TrickBot malware is no longer Windows-exclusive

The creators of the TrickBot have once once more up-to-date their malware with new features and now it can goal Linux units as a result of its new DNS command and handle tool Anchor_DNS.

Even though TrickBot initially begun out as a banking trojan, the malware has evolved to perform other destructive behaviors including spreading laterally as a result of a community, thieving saved credentials in browsers, thieving cookies, checking a device’s display resolution and now infecting Linux as very well as Windows units.

TrickBot is also malware-as-a-company and cybercriminals hire entry to it in order to infiltrate networks and steal valuable facts. At the time this is finished, they then use it to deploy ransomware these as Ryuk and Conti in order to encrypt units on the community as the last stage of their attack.

At the finish of very last year, SentinelOne and NTT reported that a new TrickBot framework termed anchor works by using DNS to communicate with its C&C servers. Anchor_DNS is used to launch assaults towards substantial-worth and substantial-affect targets that posses valuable fiscal facts. The TrickBot Anchor can also be used as a backdoor in APT-like strategies which goal each position-of-sale and fiscal techniques.


Up until eventually now, Anchor has been a Windows malware but Phase two Stability researcher Waylon Grange identified a new sample which reveals that Anchor_DNS has been ported to a new Linux backdoor model termed ‘Anchor_Linux’.

In addition to performing as a backdoor that can be used to drop and operate malware on Linux units, the malware also is made up of and embedded Windows TrickBot executable that can be used to infect Windows devices on the very same community.

At the time copied to a Windows product, Anchor_Linux then configures by itself as a Windows company. Right after configuration, the malware is tarted on the Windows host and it connects back to an attacker’s C&C server where it gets commands to execute.

The simple fact that TrickBot has been ported to Linux is in particular stressing considering that several IoT units including routers, VPN units and NAS units operate on Linux. Worried Linux people can uncover out if they have been infected by wanting for a log file at /tmp/anchor.log on their techniques. If this file is discovered, people need to perform a entire audit of their techniques to look for for the Anchor_Linux malware.

By using BleepingComputer