S0504 Anchor
Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected high profile targets since at least 2018.12
| Item | Value |
|---|---|
| ID | S0504 |
| Associated Names | Anchor_DNS |
| Type | MALWARE |
| Version | 1.1 |
| Created | 10 September 2020 |
| Last Modified | 04 December 2023 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
| Name | Description |
|---|---|
| Anchor_DNS | 12 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Anchor has used HTTP and HTTPS in C2 communications.1 |
| enterprise | T1071.004 | DNS | Variants of Anchor can use DNS tunneling to communicate with C2.12 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Anchor has used cmd.exe to run its self deletion routine.1 |
| enterprise | T1059.004 | Unix Shell | Anchor can execute payloads via shell scripting.2 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Anchor can establish persistence by creating a service.1 |
| enterprise | T1480 | Execution Guardrails | Anchor can terminate itself if specific execution flags are not present.1 |
| enterprise | T1008 | Fallback Channels | Anchor can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.1 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.004 | NTFS File Attributes | Anchor has used NTFS to hide files.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Anchor can self delete its dropper after the malware is successfully deployed.1 |
| enterprise | T1105 | Ingress Tool Transfer | Anchor can download additional payloads.12 |
| enterprise | T1095 | Non-Application Layer Protocol | Anchor has used ICMP in C2 communications.1 |
| enterprise | T1027 | Obfuscated Files or Information | Anchor has obfuscated code with stack strings and string encryption.1 |
| enterprise | T1027.002 | Software Packing | Anchor has come with a packed payload.1 |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | Anchor can support windows execution via SMB shares.2 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.003 | Cron | Anchor can install itself as a cron job.2 |
| enterprise | T1053.005 | Scheduled Task | Anchor can create a scheduled task for persistence.1 |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | Anchor has been signed with valid certificates to evade detection by security tools.1 |
| enterprise | T1082 | System Information Discovery | Anchor can determine the hostname and linux version on a compromised host.2 |
| enterprise | T1016 | System Network Configuration Discovery | Anchor can determine the public IP and location of a compromised host.2 |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | Anchor can create and execute services to load its payload.12 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0102 | Wizard Spider | 3 |
References
-
Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020. ↩↩↩↩↩↩↩↩↩↩
-
Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023. ↩