Linux users, beware: TrickBot malware is no longer Windows-exclusive


(Image credit: Pixabay)

The creators of TrickBot have once again updated their malware with new functionality, and it can now target Linux devices through its new DNS command and control tool, Anchor_DNS.

While TrickBot originally started out as a banking trojan, the malware has evolved to perform other malicious behaviors, including spreading laterally through a network, stealing saved credentials in browsers, stealing cookies, checking a device's screen resolution and now infecting Linux as well as Windows devices.

TrickBot is also malware-as-a-service, and cybercriminals rent access to it in order to infiltrate networks and steal valuable data. Once this is done, they then use it to deploy ransomware such as Ryuk and Conti in order to encrypt devices on the network as the final stage of their attack.

At the end of last year, SentinelOne and NTT reported that a new TrickBot framework called Anchor uses DNS to communicate with its C&C servers. Anchor_DNS is used to launch attacks against high-value and high-impact targets that possess valuable financial information. The TrickBot Anchor can also be used as a backdoor in APT-like campaigns which target both point-of-sale and financial systems.


Up until now, Anchor has been Windows malware, but Stage 2 Security researcher Waylon Grange discovered a new sample which shows that Anchor_DNS has been ported to a new Linux backdoor version called ‘Anchor_Linux’.

In addition to acting as a backdoor that can be used to drop and run malware on Linux devices, the malware also contains an embedded Windows TrickBot executable that can be used to infect Windows machines on the same network.

Once copied to a Windows device, Anchor_Linux then configures itself as a Windows service. After configuration, the malware is started on the Windows host and it connects back to an attacker’s C&C server where it receives commands to execute.

The fact that TrickBot has been ported to Linux is especially worrying since many IoT devices, including routers, VPN devices and NAS devices, run on Linux. Concerned Linux users can find out if they’ve been infected by looking for a log file at /tmp/anchor.log on their systems. If this file is found, users should perform a complete audit of their systems to search for the Anchor_Linux malware.


Via BleepingComputer
