S0504 Anchor
Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected high profile targets since at least 2018.12
| Item | Value |
|---|---|
| ID | S0504 |
| Associated Names | Anchor_DNS |
| Type | MALWARE |
| Version | 1.0 |
| Created | 10 September 2020 |
| Last Modified | 15 December 2021 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
| Name | Description |
|---|---|
| Anchor_DNS | 12 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Anchor has used HTTP and HTTPS in C2 communications.1 |
| enterprise | T1071.004 | DNS | Variants of Anchor can use DNS tunneling to communicate with C2.12 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Anchor has used cmd.exe to run its self deletion routine.1 |
| enterprise | T1059.004 | Unix Shell | Anchor can execute payloads via shell scripting.2 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Anchor can establish persistence by creating a service.1 |
| enterprise | T1480 | Execution Guardrails | Anchor can terminate itself if specific execution flags are not present.1 |
| enterprise | T1008 | Fallback Channels | Anchor can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.1 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.004 | NTFS File Attributes | Anchor has used NTFS to hide files.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Anchor can self delete its dropper after the malware is successfully deployed.1 |
| enterprise | T1105 | Ingress Tool Transfer | Anchor can download additional payloads.12 |
| enterprise | T1095 | Non-Application Layer Protocol | Anchor has used ICMP in C2 communications.1 |
| enterprise | T1027 | Obfuscated Files or Information | Anchor has obfuscated code with stack strings and string encryption.1 |
| enterprise | T1027.002 | Software Packing | Anchor has come with a packed payload.1 |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | Anchor can support windows execution via SMB shares.2 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.003 | Cron | Anchor can install itself as a cron job.2 |
| enterprise | T1053.005 | Scheduled Task | Anchor can create a scheduled task for persistence.1 |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | Anchor has been signed with valid certificates to evade detection by security tools.1 |
| enterprise | T1082 | System Information Discovery | Anchor can determine the hostname and linux version on a compromised host.2 |
| enterprise | T1016 | System Network Configuration Discovery | Anchor can determine the public IP and location of a compromised host.2 |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | Anchor can create and execute services to load its payload.12 |