Skip to content

S0504 Anchor

Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected high profile targets since at least 2018.12

Item Value
ID S0504
Associated Names Anchor_DNS
Version 1.0
Created 10 September 2020
Last Modified 15 December 2021
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Anchor_DNS 12

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Anchor has used HTTP and HTTPS in C2 communications.1
enterprise T1071.004 DNS Variants of Anchor can use DNS tunneling to communicate with C2.12
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Anchor has used cmd.exe to run its self deletion routine.1
enterprise T1059.004 Unix Shell Anchor can execute payloads via shell scripting.2
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Anchor can establish persistence by creating a service.1
enterprise T1480 Execution Guardrails Anchor can terminate itself if specific execution flags are not present.1
enterprise T1008 Fallback Channels Anchor can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.1
enterprise T1564 Hide Artifacts -
enterprise T1564.004 NTFS File Attributes Anchor has used NTFS to hide files.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Anchor can self delete its dropper after the malware is successfully deployed.1
enterprise T1105 Ingress Tool Transfer Anchor can download additional payloads.12
enterprise T1095 Non-Application Layer Protocol Anchor has used ICMP in C2 communications.1
enterprise T1027 Obfuscated Files or Information Anchor has obfuscated code with stack strings and string encryption.1
enterprise T1027.002 Software Packing Anchor has come with a packed payload.1
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Anchor can support windows execution via SMB shares.2
enterprise T1053 Scheduled Task/Job -
enterprise T1053.003 Cron Anchor can install itself as a cron job.2
enterprise T1053.005 Scheduled Task Anchor can create a scheduled task for persistence.1
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Anchor has been signed with valid certificates to evade detection by security tools.1
enterprise T1082 System Information Discovery Anchor can determine the hostname and linux version on a compromised host.2
enterprise T1016 System Network Configuration Discovery Anchor can determine the public IP and location of a compromised host.2
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Anchor can create and execute services to load its payload.12