AnchorDNS (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

elf.anchor_dns (Back to overview)

AnchorDNS

Backdoor deployed by the TrickBot actors. It uses DNS as the command and control channel as well as for exfiltration of data.

References

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-03-02 ⋅ Cyware ⋅ Cyware
TrickBot’s AnchorDNS is Now Upgraded to AnchorMail
AnchorDNS AnchorMail

2022-02-25 ⋅ IBM ⋅ Charlotte Hammond, Ole Villadsen
Trickbot Group’s AnchorDNS Backdoor Upgrades to AnchorMail
AnchorDNS AnchorMail

2021-07-28 ⋅ DomainTools ⋅ Chad Anderson
Finding AnchorDNS C2s With Iris Investigate
AnchorDNS

2021-05-11 ⋅ Mal-Eats ⋅ mal_eats
Campo, a New Attack Campaign Targeting Japan
AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader

2021-05-10 ⋅ Mal-Eats ⋅ mal_eats
Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader

2020-12-21 ⋅ Intezer ⋅ Intezer
Top Linux Cloud Threats of 2020
AgeLocker AnchorDNS Blackrota Cloud Snooper Dacls Doki FritzFrog IPStorm Kaiji Kinsing NOTROBIN Penquin Turla PLEAD Prometei RansomEXX Stantinko TeamTNT TSCookie WellMail elf.wellmess TeamTNT

2020-10-28 ⋅ CISA ⋅ CISA, FBI, HHS
AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
AnchorDNS Anchor BazarBackdoor Ryuk

2020-10-26 ⋅ Arbor Networks ⋅ Suweera De Souza
Dropping the Anchor
AnchorDNS Anchor TrickBot

2020-07-13 ⋅ Stage 2 Security ⋅ Waylon Grange
Anchor_dns malware goes cross platform
AnchorDNS

2020-07-06 ⋅ NTT ⋅ Security division of NTT Ltd.
TrickBot variant “Anchor_DNS” communicating over DNS
AnchorDNS TrickBot

There is no Yara-Signature yet.