win.anchor

Anchor

Actor(s): WIZARD SPIDER


Anchor is a sophisticated backdoor served as a module to a subset of TrickBot installations. Operating since August 2018, it is not delivered to every infected host but only to high-profile targets. Because its C2 communication scheme closely resembles the one implemented in early TrickBot, multiple experts believe it can be attributed to the same authors.

References
2020-10-29 | Palo Alto Networks Unit 42 | Brittany Barbehenn, Doel Santos, Brad Duncan
Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
https://unit42.paloaltonetworks.com/ryuk-ransomware/
@online{barbehenn:20201029:threat:de33a6d, author = {Brittany Barbehenn and Doel Santos and Brad Duncan}, title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} }
Tags: Anchor BazarBackdoor Ryuk TrickBot
2020-10-28 | CISA | CISA, FBI, HHS
AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf
@techreport{cisa:20201028:aa20302a:80b6a06, author = {CISA and FBI and HHS}, title = {{AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector}}, date = {2020-10-28}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf}, language = {English}, urldate = {2020-11-02} }
Tags: Anchor_DNS Anchor BazarBackdoor Ryuk
2020-10-26 | Arbor Networks | Suweera De Souza
Dropping the Anchor
https://www.netscout.com/blog/asert/dropping-anchor
@online{souza:20201026:dropping:8ac1e1d, author = {Suweera De Souza}, title = {{Dropping the Anchor}}, date = {2020-10-26}, organization = {Arbor Networks}, url = {https://www.netscout.com/blog/asert/dropping-anchor}, language = {English}, urldate = {2020-10-29} }
Tags: Anchor_DNS Anchor TrickBot
2020-05-19 | AlienLabs | Ofer Caspi
TrickBot BazarLoader In-Depth
https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth
@online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} }
Tags: Anchor BazarBackdoor TrickBot
2020-04-08 | SentinelOne | Jason Reaves
Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations
https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/
@online{reaves:20200408:deep:87b83bb, author = {Jason Reaves}, title = {{Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations}}, date = {2020-04-08}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/}, language = {English}, urldate = {2020-04-13} }
Tags: Anchor TrickBot
2020-04-07 | SecurityIntelligence | Ole Villadsen
ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/
@online{villadsen:20200407:itg08:b0b782d, author = {Ole Villadsen}, title = {{ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework}}, date = {2020-04-07}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/}, language = {English}, urldate = {2020-04-13} }
Tags: More_eggs Anchor TrickBot
2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }
Tags: MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
APT Report 2019
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Tags: Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-12-11 | Cybereason | Assaf Dahan, Lior Rochberger, Eli Salem, Mary Zhao, Niv Yona, Omer Yampel, Matt Hart
Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware
https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
@online{dahan:20191211:dropping:0849f70, author = {Assaf Dahan and Lior Rochberger and Eli Salem and Mary Zhao and Niv Yona and Omer Yampel and Matt Hart}, title = {{Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware}}, date = {2019-12-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware}, language = {English}, urldate = {2020-01-06} }
Tags: Anchor WIZARD SPIDER
2019-12-10 | Sentinel LABS | Vitali Kremez, Joshua Platt, Jason Reaves
MORPHISEC DISCOVERS CCLEANER BACKDOOR SAVING MILLIONS OF AVAST USERS
https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/
@online{kremez:20191210:morphisec:c0fc51c, author = {Vitali Kremez and Joshua Platt and Jason Reaves}, title = {{MORPHISEC DISCOVERS CCLEANER BACKDOOR SAVING MILLIONS OF AVAST USERS}}, date = {2019-12-10}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/}, language = {English}, urldate = {2020-01-08} }
Tags: Anchor
2019-10-18 | NTT | NTT Security
TrickBot variant “Anchor_DNS” communicating over DNS
https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns
@online{security:20191018:trickbot:6e2f73f, author = {NTT Security}, title = {{TrickBot variant “Anchor_DNS” communicating over DNS}}, date = {2019-10-18}, organization = {NTT}, url = {https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns}, language = {English}, urldate = {2020-10-12} }
Tags: Anchor
Yara Rules
[TLP:WHITE] win_anchor_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_anchor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 66c740016578 c6400365 eb0a 66c74001646c }
            // n = 4, score = 500
            //   66c740016578         | cmp                 dword ptr [ebp + 0x138], 0
            //   c6400365             | je                  0x24
            //   eb0a                 | dec                 eax
            //   66c74001646c         | mov                 eax, dword ptr [ebp + 0x138]

        $sequence_1 = { 7509 33d2 33c9 e8???????? }
            // n = 4, score = 400
            //   7509                 | jne                 0xb
            //   33d2                 | xor                 edx, edx
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |                     

        $sequence_2 = { b101 e8???????? e8???????? 84c0 }
            // n = 4, score = 400
            //   b101                 | mov                 word ptr [eax + 1], 0x7865
            //   e8????????           |                     
            //   e8????????           |                     
            //   84c0                 | mov                 byte ptr [eax + 3], 0x65

        $sequence_3 = { 66897810 8b4638 5f 66894812 33c9 8b4638 }
            // n = 6, score = 300
            //   66897810             | lea                 ecx, [esp + 0x50]
            //   8b4638               | nop                 
            //   5f                   | dec                 esp
            //   66894812             | arpl                dx, dx
            //   33c9                 | dec                 ecx
            //   8b4638               | mov                 eax, edx

        $sequence_4 = { e8???????? 8b0d???????? c1e102 51 6a00 50 a3???????? }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   c1e102               | jmp                 0x16
            //   51                   | mov                 word ptr [eax + 1], 0x6c64
            //   6a00                 | je                  0xe
            //   50                   | mov                 word ptr [eax + 1], 0x7865
            //   a3????????           |                     

        $sequence_5 = { 6689480e 33c9 8b4618 66894810 }
            // n = 4, score = 300
            //   6689480e             | lea                 ecx, [0x102b8]
            //   33c9                 | je                  0xe
            //   8b4618               | mov                 word ptr [eax + 1], 0x7865
            //   66894810             | mov                 byte ptr [eax + 3], 0x65

        $sequence_6 = { c3 3b0d???????? f27502 f2c3 f2e965020000 e9???????? }
            // n = 6, score = 300
            //   c3                   | jmp                 0x10
            //   3b0d????????         |                     
            //   f27502               | mov                 word ptr [eax + 1], 0x6c64
            //   f2c3                 | mov                 byte ptr [eax + 3], 0x6c
            //   f2e965020000         | je                  0xe
            //   e9????????           |                     

        $sequence_7 = { 6689781a 8b461c 5f 6689481c }
            // n = 4, score = 300
            //   6689781a             | inc                 ecx
            //   8b461c               | mov                 ebp, ecx
            //   5f                   | dec                 eax
            //   6689481c             | sar                 eax, 6

        $sequence_8 = { 6689481a 33c9 8b4630 6689481c }
            // n = 4, score = 300
            //   6689481a             | mov                 eax, dword ptr [ecx + 0x40]
            //   33c9                 | dec                 eax
            //   8b4630               | lea                 edx, [ebp + 0x50]
            //   6689481c             | dec                 eax

        $sequence_9 = { f30fe6c0 f20f5e05???????? f20f5905???????? e8???????? }
            // n = 4, score = 300
            //   f30fe6c0             | dec                 eax
            //   f20f5e05????????     |                     
            //   f20f5905????????     |                     
            //   e8????????           |                     

        $sequence_10 = { e8???????? 488d5550 488d4c2450 e8???????? 90 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   488d5550             | mov                 word ptr [eax + 1], 0x7865
            //   488d4c2450           | mov                 byte ptr [eax + 3], 0x65
            //   e8????????           |                     
            //   90                   | jmp                 0x10

        $sequence_11 = { 0f114260 4803d0 0f104170 4803c8 0f1142f0 0f1009 488b4140 }
            // n = 7, score = 200
            //   0f114260             | mov                 word ptr [eax + 1], 0x6c64
            //   4803d0               | mov                 word ptr [eax + 1], 0x7865
            //   0f104170             | mov                 byte ptr [eax + 3], 0x65
            //   4803c8               | jmp                 0xc
            //   0f1142f0             | mov                 word ptr [eax + 1], 0x6c64
            //   0f1009               | mov                 byte ptr [eax + 3], 0x6c
            //   488b4140             | je                  0xe

        $sequence_12 = { 0f84dd000000 bb00010000 448bc3 33d2 488d4c2450 }
            // n = 5, score = 200
            //   0f84dd000000         | jmp                 0x10
            //   bb00010000           | mov                 word ptr [eax + 1], 0x6c64
            //   448bc3               | je                  0xe
            //   33d2                 | mov                 word ptr [eax + 1], 0x7865
            //   488d4c2450           | mov                 byte ptr [eax + 3], 0x65

        $sequence_13 = { 488b8c2428010000 488d0dbdf10300 e8???????? 488b8500010000 4883c008 48894508 488b8d00010000 }
            // n = 7, score = 200
            //   488b8c2428010000     | lea                 esp, [ebp + 0xf8]
            //   488d0dbdf10300       | dec                 eax
            //   e8????????           |                     
            //   488b8500010000       | mov                 ecx, dword ptr [esp + 0x128]
            //   4883c008             | dec                 eax
            //   48894508             | lea                 ecx, [0x3f1bd]
            //   488b8d00010000       | dec                 eax

        $sequence_14 = { 4883bd3801000000 741a 488b8538010000 48898578020000 488b8d78020000 e8???????? }
            // n = 6, score = 200
            //   4883bd3801000000     | dec                 eax
            //   741a                 | mov                 dword ptr [esp + 0x20], eax
            //   488b8538010000       | inc                 ebp
            //   48898578020000       | xor                 ecx, ecx
            //   488b8d78020000       | inc                 ecx
            //   e8????????           |                     

        $sequence_15 = { 48c7855801000000000000 488b8558010000 48898508010000 488b4528 488b8d08010000 488908 }
            // n = 6, score = 200
            //   48c7855801000000000000     | dec    eax
            //   488b8558010000       | lea                 eax, [0x1762b]
            //   48898508010000       | dec                 eax
            //   488b4528             | mov                 dword ptr [esp + 0x28], eax
            //   488b8d08010000       | dec                 eax
            //   488908               | lea                 eax, [0x11523]

        $sequence_16 = { 8845ef e8???????? 83f8ff 0f84a6000000 8bc8 ff15???????? 897c2428 }
            // n = 7, score = 200
            //   8845ef               | mov                 byte ptr [eax + 3], 0x6c
            //   e8????????           |                     
            //   83f8ff               | je                  0xe
            //   0f84a6000000         | mov                 word ptr [eax + 1], 0x7865
            //   8bc8                 | mov                 byte ptr [eax + 3], 0x65
            //   ff15????????         |                     
            //   897c2428             | jmp                 0x10

        $sequence_17 = { eb0a c785e000000000000000 0fb685e0000000 488da5f8000000 }
            // n = 4, score = 200
            //   eb0a                 | jmp                 0xc
            //   c785e000000000000000     | mov    dword ptr [ebp + 0xe0], 0
            //   0fb685e0000000       | movzx               eax, byte ptr [ebp + 0xe0]
            //   488da5f8000000       | dec                 eax

        $sequence_18 = { baffffffff 488b4d48 e8???????? 0fb6c0 85c0 7409 }
            // n = 6, score = 200
            //   baffffffff           | dec                 eax
            //   488b4d48             | mov                 dword ptr [ebp + 0x108], eax
            //   e8????????           |                     
            //   0fb6c0               | dec                 eax
            //   85c0                 | mov                 eax, dword ptr [ebp + 0x28]
            //   7409                 | dec                 eax

        $sequence_19 = { ba63000000 66891401 b802000000 486bc005 488d0dfd6b0200 ba70000000 66891401 }
            // n = 7, score = 200
            //   ba63000000           | mov                 eax, 0x40
            //   66891401             | dec                 eax
            //   b802000000           | lea                 edx, [0x12ca2]
            //   486bc005             | dec                 eax
            //   488d0dfd6b0200       | mov                 dword ptr [ebp + 0x158], 0
            //   ba70000000           | dec                 eax
            //   66891401             | mov                 eax, dword ptr [ebp + 0x158]

        $sequence_20 = { 8d4f6e 488b4320 66894806 8d4f6c 488b4320 6644894808 }
            // n = 6, score = 200
            //   8d4f6e               | jmp                 0x10
            //   488b4320             | mov                 word ptr [eax + 1], 0x6c64
            //   66894806             | mov                 byte ptr [eax + 3], 0x6c
            //   8d4f6c               | mov                 byte ptr [eax + 3], 0x65
            //   488b4320             | jmp                 0x10
            //   6644894808           | mov                 word ptr [eax + 1], 0x6c64

        $sequence_21 = { 488d052b760100 4889442428 488d0523150100 4889442420 4533c9 41b840000000 488d15a22c0100 }
            // n = 7, score = 200
            //   488d052b760100       | mov                 eax, dword ptr [ebp + 0x100]
            //   4889442428           | dec                 eax
            //   488d0523150100       | add                 eax, 8
            //   4889442420           | dec                 eax
            //   4533c9               | mov                 dword ptr [ebp + 8], eax
            //   41b840000000         | dec                 eax
            //   488d15a22c0100       | mov                 ecx, dword ptr [ebp + 0x100]

    condition:
        7 of them and filesize < 778240
}
[TLP:WHITE] win_anchor_w0   (20200413 | For x86 Anchor)
rule win_anchor_w0 {
    meta:
        author = "Jason Reaves"
        description = "For x86 Anchor"
        source = "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_version = "20200413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $a1 = "/1001/" ascii wide
        $a2 = ":$GUID" ascii wide
        $a3 = ":$TASK" ascii wide
        $ua = "WinHTTP loader/1.0" ascii wide
        $hexlify = {0f be ?? ?? b8 f0 00 00 00 0f 45 ?? 8b ?? c1 e1 02 23 d0}
        $sdecode = {8a 04 0a 0f be c0 83 e8 ?? 88 04 0a 42 83}
        $xor_data = {80 b4 05 ?? ?? ff ff ?? 40 3b c6}

    condition:
        3 of them
}
[TLP:WHITE] win_anchor_w1   (20200413 | For x64 Anchor)
rule win_anchor_w1 {
    meta:
        author = "Jason Reaves"
        description = "For x64 Anchor"
        source = "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_version = "20200413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $xor_data = {80 ?4 0? ?? ?? 48 ?? c? 48}
        $hexlify = {81 c1 f0 00 00 00 23 d1 41 8? ?? c1 e1 02}
        $a1 = "/1001/" ascii wide
        $a2 = ":$GUID" ascii wide
        $a3 = ":$TASK" ascii wide
        $ua = "WinHTTP loader/1.0" ascii wide

    condition:
        3 of them
}