Trick Bot malware infecting Linux devices

Trick Bot is a banking trojan that steals users' sensitive information. Recently, one of the Trick Bot modules, dubbed Anchor_DNS, has been found infecting Linux devices.

In recent years, Trick Bot malware has come out with upgraded versions that carry out different illegal activities, such as stealing personal information and sensitive credentials, domain infiltration, and acting as a malware dropper.

Recently a researcher named Waylon from Stage2 Security discovered that Anchor_DNS has now been ported to a Linux version, ‘Anchor_Linux’.

Over the past few years, there has been an increase in Linux malware that can also target IoT devices, routers, VPN devices and other devices running Linux.

Anchor_Linux TrickBot Malware

After research, it has been found that the Trick Bot malware can act as a backdoor to infect Linux devices and also contains an embedded Windows executable.

[Image: Anchor Linux framework]

To infect Windows devices, Anchor_Linux copies the embedded executable to Windows devices on the same network using SMB and IPC$.

After copying the file, Anchor_Linux configures it as a Windows service using the Service Control Manager Remote protocol and the SMB SVCCTL named pipe.

Intezer found a sample of Anchor_Linux and describes it as a “Lightweight backdoor with the ability to spread to neighbouring Windows boxes using svcctl via SMB.”

When installed, Anchor_Linux will configure itself to run every minute using the following crontab entry, Kremez told BleepingComputer.

*/1 * * * * root [filename]

“The malware acts as a covert backdoor persistence tool in UNIX environment used as a pivot for Windows exploitation as well as used as an unorthodox initial attack vector outside of email phishing. It allows the group to target and infect servers in UNIX environment (such as routers) and use it to pivot to corporate networks,” Kremez told BleepingComputer.


How to check if your system is infected by Anchor_Linux malware or not

According to the security researchers, Anchor_Linux leaves a log file at /tmp/anchor.log. Check whether that file exists on your system; if it does, run a security audit for Anchor_Linux.
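The two artifacts this article names, the /tmp/anchor.log file and the every-minute root crontab entry, can be checked together. The script below is an added example, not code from the researchers quoted here. It assumes the cron entry sits in /etc/crontab or /etc/cron.d/ (the article does not name the file) and goes slightly beyond the quoted entry by also matching the equivalent `* * * * *` schedule.

```shell
#!/usr/bin/env bash
# Added example: triage for the two Anchor_Linux artifacts named in the article.
# Assumption: the cron entry is in /etc/crontab or /etc/cron.d/ (system crontab
# format with a user field). ROOT lets you scan a mounted disk image instead.

# Print every-minute root cron entries found under ROOT (default: live system).
find_minutely_root_cron() {
    local root="${1:-}" f
    for f in "$root/etc/crontab" "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[[:space:]]*#/ { next }    # skip comment lines
            ($1 == "*/1" || $1 == "*") && $2 == "*" && $3 == "*" &&
            $4 == "*" && $5 == "*" && $6 == "root" && NF >= 7 {
                print file ":" FNR ": " $0
            }' "$f"
    done
}

# Return 0 if the log file the article names exists under ROOT.
has_anchor_log() {
    local root="${1:-}"
    [ -e "$root/tmp/anchor.log" ]
}

# Run both checks; return status 1 means at least one indicator needs review.
anchor_linux_triage() {
    local root="${1:-}" hits found=0
    if has_anchor_log "$root"; then
        echo "FOUND: $root/tmp/anchor.log"
        found=1
    fi
    hits="$(find_minutely_root_cron "$root")"
    if [ -n "$hits" ]; then
        echo "REVIEW: root cron jobs that run every minute:"
        echo "$hits"
        found=1
    fi
    [ "$found" -eq 0 ] && echo "No Anchor_Linux indicators from the article found."
    return "$found"
}

# Scan the live system only when asked to: ./script.sh --scan
if [ "${1:-}" = "--scan" ]; then
    anchor_linux_triage
fi
```

Legitimate software can also schedule root jobs every minute, so a cron hit means the referenced file should be inspected, not that the host is infected.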

Researchers also believe that Trick Bot Anchor_Linux is still under development and that future, upgraded versions will be more dangerous.


Satender Kumar
