Financially motivated threat actors continue to experiment with new malware families, which often end up being used alongside well-known Trojans such as TrickBot. The TrickBot banking Trojan is regarded as one of the most active cyber-threats of 2019, and it was recently used in attacks against point-of-sale devices belonging to various vendors around the world. What stands out about this recent campaign is that it involved a malware family not seen previously – the threat works as a backdoor Trojan and relies on the DNS protocol to communicate with its Command and Control server. The threat has been named Anchor, and closer inspection of its source code revealed that it had been used in other attacks over the last 12 months.
The Anchor Backdoor Relies on the DNS Protocol to Receive Commands
The Anchor backdoor is not remarkable in terms of the features it supports – it provides its operators with the basic ability to execute remote commands, as well as to fetch files from a URL and execute them on the compromised host. However, one thing sets the Anchor backdoor apart from similar threats – it uses the DNS protocol to retrieve commands from the control server. This is one of the main reasons the Anchor backdoor managed to stay undetected for so long – DNS communications are rarely filtered by firewall solutions and antivirus products, since doing so often interferes with connections used by legitimate software. By using the DNS protocol exclusively, the Anchor backdoor is able to function without generating noisy network traffic that would be easily spotted by automated tools.
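From the detection side, an added illustration (not code from the original article, and not modelled on Anchor's actual traffic): a small heuristic that scores resolver logs for the traits a DNS-borne command channel tends to show, namely many distinct high-entropy subdomains under one base domain and a reliance on record types that can carry arbitrary payloads. The log lines, the hex labels and the domain c2-placeholder.test are constructed, and the base-domain split is assumed to be the last two labels.

```python
import math
from collections import defaultdict
# Constructed resolver log: timestamp, client IP, query name, record type.
# The hex labels and c2-placeholder.test are invented, not real Anchor indicators.
SAMPLE_LOG = """\
2019-12-01T10:00:01 10.0.0.5 www.example.com A
2019-12-01T10:00:02 10.0.0.5 mail.example.com A
2019-12-01T10:00:03 10.0.0.5 www.example.com A
2019-12-01T10:00:04 10.0.0.5 cdn.example.com A
2019-12-01T10:00:05 10.0.0.7 4f1c9ae27b3d0e58.91a2f3c4d5e6b7a8.c2-placeholder.test TXT
2019-12-01T10:00:06 10.0.0.7 b7e2d4c6a8f01e3c.0c1d2e3f4a5b6c7d.c2-placeholder.test TXT
2019-12-01T10:00:07 10.0.0.7 3a5c7e9f1b2d4f60.e9f8a7b6c5d4e3f2.c2-placeholder.test TXT
2019-12-01T10:00:08 10.0.0.7 c0ffee1234567890.deadbeef01234567.c2-placeholder.test TXT
"""

def shannon_entropy(s):
    """Bits per character: encoded payload labels score far higher than words."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs) if s else 0.0

def parse_log(text):
    """Yield (client, qname, qtype) from whitespace-separated log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2].lower().rstrip("."), parts[3].upper()

def score_domains(records):
    """Aggregate per base domain (assumed: last two labels, no public-suffix list)."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "txt": 0, "ent": []})
    for _client, qname, qtype in records:
        labels = qname.split(".")
        sub = ".".join(labels[:-2])
        st = stats[".".join(labels[-2:])]
        st["queries"] += 1
        st["subs"].add(sub)                     # many distinct subdomains = data in queries
        st["txt"] += qtype in ("TXT", "NULL")   # record types that carry arbitrary payloads
        st["ent"].append(shannon_entropy(sub.replace(".", "")))
    return stats

def flag_suspicious(text, min_queries=4, min_entropy=3.0, min_unique_ratio=0.8):
    """Return base domains whose query pattern resembles tunnelled command traffic."""
    flagged = []
    for base, st in score_domains(parse_log(text)).items():
        if (st["queries"] >= min_queries and st["txt"]
                and len(st["subs"]) / st["queries"] >= min_unique_ratio
                and sum(st["ent"]) / len(st["ent"]) >= min_entropy):
            flagged.append(base)
    return sorted(flagged)
```

The thresholds are starting points for tuning against a site's own baseline; legitimate services that publish TXT records or use CDN hostnames with random labels will need allow-listing.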
One of the likely suspects behind the latest Trojan.TrickBot and Anchor campaign is FIN6, a financially motivated threat actor that is regularly involved in attacks against point-of-sale devices worldwide.
Financially motivated threat actors continue to defraud businesses of tens of millions of dollars each year. FIN6 is one of the most notorious cybercrime groups, but many others are waiting for their chance to take the money of companies worldwide – it is important to protect your company network with up-to-date and reputable computer security products.