Trojan TrickBot Anchor Malware Found In Linux


TrickBot, a multi-purpose Windows malware, has evolved as one of the reliable backdoors for several other payloads. In a recent report, a researcher found that TrickBot’s Anchor malware is now present with a new Linux version.


The Trickbot trojan can use either of two techniques to trick the user into unwittingly giving away their login credentials:


  • The first technique (known as a static injection) involves replacing the banking site's legitimate login page with a fake one that looks almost exactly like it.
  • The second technique (known as a dynamic injection) redirects the web browser to a server under the trojan's operator's control whenever the user enters the URLs for the targeted banking sites.


In either case, if the user enters their login details on the fake page, the information is captured and sent to the operators. The stolen data may then be used to commit financial fraud.


How it attacks?

According to researchers, the malware acts as a covert backdoor persistence tool in the UNIX environment that lets the malware pivot to Windows. Many IoT devices like routers, computers, VPN devices, and NAS devices running Linux distributions could potentially be affected by  TrickBot’s Anchor_Linux malware.


A log file (/tmp/anchor.log) existence on a Linux system is proof that the user is infected by the Anchor_Linux malware. The module "allows the actors — potential TrickBot customers — to leverage this framework against higher-profile victims, said SentinelOne, adding the "ability to seamlessly integrate the APT into a monetization business model is evidence of a quantum shift."


IBM X-Force spotted new cyberattacks earlier this April revealing collaboration between FIN6 and TrickBot groups to deploy the Anchor framework against organizations for financial profit. But a new sample uncovered by Stage 2 Security researcher Waylon Grange in July found that Anchor_DNS has been ported to a new Linux backdoor version called "Anchor_Linux."



Anchor_Linux infects both Linux and Windows systems on the same network. The malware first infects Linux systems and can travel to Windows machines. Earlier this malware was affecting only the windows environment but it has reached to Linux environment also.


Lately, Linux ports are discovered with anchor_Linux malware.  It is rented by threat actors who steal or access the user’s data illegally. It is then used to deploy ransomware such as Ryuk and Conti to encrypt the network's devices as a final attack.


The flow of communication between the bot and the C2 server:

  • The client sends “c2_command 0” to the server along with information about the compromised system and the bot ID.
  • The server then responds with the message “signal /1/” back to the bot.
  • The bot sends the same message back to the C2 with the information.
  • The server remotely issues the command to be executed on the client.
  • Finally, the bot sends back the result of the execution to the C2 server.





  • Identify the infected machine(s): If you have unprotected endpoints/machines, you can run Farbar Recovery Scan Tool (FRST) to look for possible Indicators of Compromise (IOC). Besides verifying an infection, FRST can also be used to verify removal before bringing an endpoint/machine back into the network.
  • Disconnect the infected machines from the network: Do not connect the system to the unrecognized open networks.
  • Disable Administrative Shares: Windows server shares by default install hidden share folders specifically for administrative access to other machines. The Admin shares are used by Trickbot once it has brute- forced the local administrator password. These AdminIP shares are normally protected via UAC, however, Windows will allow the local administrator through with no prompt.
  • Remove the Trickbot Trojan: Use tools like Malwarebytes Endpoint Protection to remove the trickbot trojan from the machine.
  • Change account credentials: Manage to change credentials occasionally to prevent unauthorized access to your personal information in case of the leak.