win.anchor

Anchor

Actor(s): WIZARD SPIDER


Anchor is a sophisticated backdoor served as a module to a subset of TrickBot installations. Operating since August 2018, it is not delivered to every infected host but only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in early TrickBot, multiple experts believe it could be attributed to the same authors.

References
2020-05-19 | AlienLabs | Ofer Caspi
@online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} }
Families/actors: Anchor, BazarBackdoor, TrickBot

2020-04-08 | SentinelOne | Jason Reaves
@online{reaves:20200408:deep:87b83bb, author = {Jason Reaves}, title = {{Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations}}, date = {2020-04-08}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/}, language = {English}, urldate = {2020-04-13} }
Families/actors: Anchor, TrickBot

2020-04-07 | SecurityIntelligence | Ole Villadsen
@online{villadsen:20200407:itg08:b0b782d, author = {Ole Villadsen}, title = {{ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework}}, date = {2020-04-07}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/}, language = {English}, urldate = {2020-04-13} }
Families/actors: More_eggs, Anchor, TrickBot

2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} }
Families/actors: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, Necurs, Nokki, Outlook Backdoor, Phobos Ransomware, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, vidar, Winnti, ANTHROPOID SPIDER, Anunak, APT39, BlackTech, BuhTrap, Charming Kitten, CLOCKWORD SPIDER, DOPPEL SPIDER, Gamaredon Group, Judgment Panda, Leviathan, MONTY SPIDER, Mustang Panda, NARWHAL SPIDER, NOCTURNAL SPIDER, Pinchy Spider, Pirate Panda, Salty Spider, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Families/actors: Chrysaor, Exodus, Dacls, elf.vpnfilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2019-12-11 | Cybereason | Assaf Dahan, Lior Rochberger, Eli Salem, Mary Zhao, Niv Yona, Omer Yampel, Matt Hart
@online{dahan:20191211:dropping:0849f70, author = {Assaf Dahan and Lior Rochberger and Eli Salem and Mary Zhao and Niv Yona and Omer Yampel and Matt Hart}, title = {{Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware}}, date = {2019-12-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware}, language = {English}, urldate = {2020-01-06} }
Families/actors: Anchor, WIZARD SPIDER

2019-12-10 | Sentinel LABS | Vitali Kremez, Joshua Platt, Jason Reaves
@online{kremez:20191210:morphisec:c0fc51c, author = {Vitali Kremez and Joshua Platt and Jason Reaves}, title = {{MORPHISEC DISCOVERS CCLEANER BACKDOOR SAVING MILLIONS OF AVAST USERS}}, date = {2019-12-10}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/}, language = {English}, urldate = {2020-01-08} }
Families/actors: Anchor

2019-10-18 | NTT | NTT Security
@online{security:20191018:trickbot:6e2f73f, author = {NTT Security}, title = {{TrickBot variant “Anchor_DNS” communicating over DNS}}, date = {2019-10-18}, organization = {NTT}, url = {https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns}, language = {English}, urldate = {2020-01-10} }
Families/actors: Anchor
Yara Rules
[TLP:WHITE] win_anchor_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_anchor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        /* The disassembly comments below were re-derived from the byte sequences
         * themselves: sequences without a REX prefix are shown as 32-bit code,
         * sequences carrying 0x48/0x4c/0x41/0x45 prefixes as 64-bit code.
         * Jump targets are offsets relative to the start of the sequence. */

        $sequence_0 = { 740c 66c740016578 c6400365 eb0a 66c74001646c }
            // n = 5, score = 800
            //   740c                 | je                  0xe
            //   66c740016578         | mov                 word ptr [eax + 1], 0x7865
            //   c6400365             | mov                 byte ptr [eax + 3], 0x65
            //   eb0a                 | jmp                 0x18
            //   66c74001646c         | mov                 word ptr [eax + 1], 0x6c64
            // 0x7865 + 0x65 spells "exe", 0x6c64 (+ a following 0x6c) spells "dll":
            // the code patches a file-name extension in place.

        $sequence_1 = { 8d85c8fdffff 6805010000 50 e8???????? 83c40c 68???????? ffd6 }
            // n = 7, score = 600
            //   8d85c8fdffff         | lea                 eax, [ebp - 0x238]
            //   6805010000           | push                0x105
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   68????????           |                     
            //   ffd6                 | call                esi

        $sequence_2 = { 8b4620 6689500c 8b4620 6689780e }
            // n = 4, score = 600
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   6689500c             | mov                 word ptr [eax + 0xc], dx
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   6689780e             | mov                 word ptr [eax + 0xe], di

        $sequence_3 = { b001 5d c3 e9???????? 6a0c }
            // n = 5, score = 600
            //   b001                 | mov                 al, 1
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   e9????????           |                     
            //   6a0c                 | push                0xc

        $sequence_4 = { 8d8dbcfeffff e8???????? 56 8d8dbcfeffff e8???????? 68???????? }
            // n = 6, score = 600
            //   8d8dbcfeffff         | lea                 ecx, [ebp - 0x144]
            //   e8????????           |                     
            //   56                   | push                esi
            //   8d8dbcfeffff         | lea                 ecx, [ebp - 0x144]
            //   e8????????           |                     
            //   68????????           |                     

        $sequence_5 = { b101 e8???????? e8???????? 84c0 }
            // n = 4, score = 600
            //   b101                 | mov                 cl, 1
            //   e8????????           |                     
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_6 = { 6689500e 8b4638 66897810 8b4638 5f 66894812 33c9 }
            // n = 7, score = 600
            //   6689500e             | mov                 word ptr [eax + 0xe], dx
            //   8b4638               | mov                 eax, dword ptr [esi + 0x38]
            //   66897810             | mov                 word ptr [eax + 0x10], di
            //   8b4638               | mov                 eax, dword ptr [esi + 0x38]
            //   5f                   | pop                 edi
            //   66894812             | mov                 word ptr [eax + 0x12], cx
            //   33c9                 | xor                 ecx, ecx

        $sequence_7 = { 660f6ec0 f30fe6c0 f20f5e05???????? f20f5905???????? e8???????? 05e0930400 50 }
            // n = 7, score = 600
            //   660f6ec0             | movd                xmm0, eax
            //   f30fe6c0             | cvtdq2pd            xmm0, xmm0
            //   f20f5e05????????     | divsd               xmm0, qword ptr [????????]
            //   f20f5905????????     | mulsd               xmm0, qword ptr [????????]
            //   e8????????           |                     
            //   05e0930400           | add                 eax, 0x493e0
            //   50                   | push                eax

        $sequence_8 = { c1e102 51 6a00 50 a3???????? }
            // n = 5, score = 600
            //   c1e102               | shl                 ecx, 2
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   50                   | push                eax
            //   a3????????           |                     

        $sequence_9 = { 7509 33d2 33c9 e8???????? }
            // n = 4, score = 400
            //   7509                 | jne                 0xb
            //   33d2                 | xor                 edx, edx
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |                     

        $sequence_10 = { 760c c785f400000001000000 eb0a c785f400000000000000 0fb685f4000000 884504 }
            // n = 6, score = 200
            //   760c                 | jbe                 0xe
            //   c785f400000001000000 | mov                 dword ptr [ebp + 0xf4], 1
            //   eb0a                 | jmp                 0x18
            //   c785f400000000000000 | mov                 dword ptr [ebp + 0xf4], 0
            //   0fb685f4000000       | movzx               eax, byte ptr [ebp + 0xf4]
            //   884504               | mov                 byte ptr [ebp + 4], al

        $sequence_11 = { 488b4508 488b8d88000000 48894808 eb23 488b4508 }
            // n = 5, score = 200
            //   488b4508             | mov                 rax, qword ptr [rbp + 8]
            //   488b8d88000000       | mov                 rcx, qword ptr [rbp + 0x88]
            //   48894808             | mov                 qword ptr [rax + 8], rcx
            //   eb23                 | jmp                 0x34
            //   488b4508             | mov                 rax, qword ptr [rbp + 8]

        $sequence_12 = { 57 4883ec20 488d1d0f100100 488d3dd0120100 483bdf }
            // n = 5, score = 200
            //   57                   | push                rdi
            //   4883ec20             | sub                 rsp, 0x20
            //   488d1d0f100100       | lea                 rbx, [rip + 0x1100f]
            //   488d3dd0120100       | lea                 rdi, [rip + 0x112d0]
            //   483bdf               | cmp                 rbx, rdi

        $sequence_13 = { ff15???????? 85c0 7443 8b442440 85c0 743b }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7443                 | je                  0x4d
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   85c0                 | test                eax, eax
            //   743b                 | je                  0x4d

        $sequence_14 = { c745dc6f723030 66c745e03100 48c741180f000000 8801 }
            // n = 4, score = 200
            //   c745dc6f723030       | mov                 dword ptr [rbp - 0x24], 0x3030726f
            //   66c745e03100         | mov                 word ptr [rbp - 0x20], 0x31
            //   48c741180f000000     | mov                 qword ptr [rcx + 0x18], 0xf
            //   8801                 | mov                 byte ptr [rcx], al
            // the immediates 0x3030726f / 0x31 are the ASCII bytes "or00" "1", a stack string

        $sequence_15 = { ba00010000 488d4d30 ff15???????? 85c0 0f8457020000 }
            // n = 5, score = 200
            //   ba00010000           | mov                 edx, 0x100
            //   488d4d30             | lea                 rcx, [rbp + 0x30]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8457020000         | je                  0x26e

        $sequence_16 = { 488d5590 488d8db0030000 e8???????? 8364245000 488d442450 }
            // n = 5, score = 200
            //   488d5590             | lea                 rdx, [rbp - 0x70]
            //   488d8db0030000       | lea                 rcx, [rbp + 0x3b0]
            //   e8????????           |                     
            //   8364245000           | and                 dword ptr [rsp + 0x50], 0
            //   488d442450           | lea                 rax, [rsp + 0x50]

        $sequence_17 = { 48c744242000000000 41b937000000 4c8d05b82e0100 488d15a17a0100 488d0daa7c0100 ff15???????? 33c0 }
            // n = 7, score = 200
            //   48c744242000000000   | mov                 qword ptr [rsp + 0x20], 0
            //   41b937000000         | mov                 r9d, 0x37
            //   4c8d05b82e0100       | lea                 r8, [rip + 0x12eb8]
            //   488d15a17a0100       | lea                 rdx, [rip + 0x17aa1]
            //   488d0daa7c0100       | lea                 rcx, [rip + 0x17caa]
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax

        $sequence_18 = { 0f84f5020000 4c8b85e8020000 488b95e0020000 488b8da8000000 e8???????? }
            // n = 5, score = 200
            //   0f84f5020000         | je                  0x2fb
            //   4c8b85e8020000       | mov                 r8, qword ptr [rbp + 0x2e8]
            //   488b95e0020000       | mov                 rdx, qword ptr [rbp + 0x2e0]
            //   488b8da8000000       | mov                 rcx, qword ptr [rbp + 0xa8]
            //   e8????????           |                     

        $sequence_19 = { 488d15eee60100 488d4def e8???????? 4c8bce 4533c0 488bd3 }
            // n = 6, score = 200
            //   488d15eee60100       | lea                 rdx, [rip + 0x1e6ee]
            //   488d4def             | lea                 rcx, [rbp - 0x11]
            //   e8????????           |                     
            //   4c8bce               | mov                 r9, rsi
            //   4533c0               | xor                 r8d, r8d
            //   488bd3               | mov                 rdx, rbx

        $sequence_20 = { 90 488b8d90010000 e8???????? 488b9598010000 }
            // n = 4, score = 200
            //   90                   | nop                 
            //   488b8d90010000       | mov                 rcx, qword ptr [rbp + 0x190]
            //   e8????????           |                     
            //   488b9598010000       | mov                 rdx, qword ptr [rbp + 0x198]

        $sequence_21 = { 5d c3 488bc4 55 4156 4157 488d68a1 }
            // n = 7, score = 200
            //   5d                   | pop                 rbp
            //   c3                   | ret                 
            //   488bc4               | mov                 rax, rsp
            //   55                   | push                rbp
            //   4156                 | push                r14
            //   4157                 | push                r15
            //   488d68a1             | lea                 rbp, [rax - 0x5f]
    condition:
        7 of them and filesize < 778240
}
[TLP:WHITE] win_anchor_w0   (20200413 | For x86 Anchor)
rule win_anchor_w0 {
    meta:
        author = "Jason Reaves"
        description = "For x86 Anchor"
        source = "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_version = "20200413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $a1 = "/1001/" ascii wide
        $a2 = ":$GUID" ascii wide
        $a3 = ":$TASK" ascii wide
        $ua = "WinHTTP loader/1.0" ascii wide
        $hexlify = {0f be ?? ?? b8 f0 00 00 00 0f 45 ?? 8b ?? c1 e1 02 23 d0}
        $sdecode = {8a 04 0a 0f be c0 83 e8 ?? 88 04 0a 42 83}
        $xor_data = {80 b4 05 ?? ?? ff ff ?? 40 3b c6}

    condition:
        3 of them
}
[TLP:WHITE] win_anchor_w1   (20200413 | For x64 Anchor)
rule win_anchor_w1 {
    meta:
        author = "Jason Reaves"
        description = "For x64 Anchor"
        source = "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_version = "20200413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $xor_data = {80 ?4 0? ?? ?? 48 ?? c? 48}
        $hexlify = {81 c1 f0 00 00 00 23 d1 41 8? ?? c1 e1 02}
        $a1 = "/1001/" ascii wide
        $a2 = ":$GUID" ascii wide
        $a3 = ":$TASK" ascii wide
        $ua = "WinHTTP loader/1.0" ascii wide

    condition:
        3 of them
}