SYMBOLCOMMON_NAMEaka. SYNONYMS
win.anchor (Back to overview)

Anchor

Actor(s): WIZARD SPIDER

VTCollection    

Anchor is a sophisticated backdoor served as a module to a subset of TrickBot installations. Operating since August 2018 it is not delivered to everybody, but contrary is delivered only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in the early TrickBot, multiple experts believe it could be attributed to the same authors.

References
2022-05-09cocomelonccocomelonc
Malware development: persistence - part 4. Windows services. Simple C++ example.
Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu
2022-04-15Bleeping ComputerIonut Ilascu
Karakurt revealed as data extortion arm of Conti cybercrime syndicate
Anchor BazarBackdoor Conti TrickBot
2021-09-06cocomelonccocomelonc
AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze
2021-07-15Kryptos LogicKryptos Logic Vantage Team
Adjusting the Anchor
Anchor
2021-04-14InfoSec Handlers Diary BlogBrad Duncan
April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike
2021-03-08The DFIR ReportThe DFIR Report
Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-20Medium walmartglobaltechJason Reaves, Joshua Platt
Anchor and Lazarus together again?
Anchor TrickBot
2020-10-29Palo Alto Networks Unit 42Brad Duncan, Brittany Barbehenn, Doel Santos
Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot
2020-10-28CISACISA, FBI, HHS
AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
AnchorDNS Anchor BazarBackdoor Ryuk
2020-10-26Arbor NetworksSuweera De Souza
Dropping the Anchor
AnchorDNS Anchor TrickBot
2020-05-19AlienLabsOfer Caspi
TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot
2020-04-08SentinelOneJason Reaves
Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations
Anchor TrickBot
2020-04-07SecurityIntelligenceOle Villadsen
ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
More_eggs Anchor TrickBot
2020-03-04CrowdStrikeCrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-13QianxinQi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-12-11CybereasonAssaf Dahan, Eli Salem, Lior Rochberger, Mary Zhao, Matt Hart, Niv Yona, Omer Yampel
Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware
Anchor WIZARD SPIDER
2019-12-10Sentinel LABSJason Reaves, Joshua Platt, Vitali Kremez
Anchor Project | The Deadly Planeswalker: How The TrickBot Group United High-Tech Crimeware & APT
Anchor
2019-10-18NTTNTT Security
TrickBot variant “Anchor_DNS” communicating over DNS
Anchor
Yara Rules
[TLP:WHITE] win_anchor_auto (20230808 | Detects win.anchor.)
rule win_anchor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.anchor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 740c 66c740016578 c6400365 eb0a }
            // n = 4, score = 800
            //   740c                 | je                  0xe
            //   66c740016578         | mov                 word ptr [eax + 1], 0x7865
            //   c6400365             | mov                 byte ptr [eax + 3], 0x65
            //   eb0a                 | jmp                 0xc

        $sequence_1 = { c6400365 eb0a 66c74001646c c640036c }
            // n = 4, score = 800
            //   c6400365             | mov                 byte ptr [eax + 3], 0x65
            //   eb0a                 | jmp                 0xc
            //   66c74001646c         | mov                 word ptr [eax + 1], 0x6c64
            //   c640036c             | mov                 byte ptr [eax + 3], 0x6c

        $sequence_2 = { 56 8d8dbcfeffff e8???????? 68???????? 8d8dbcfeffff }
            // n = 5, score = 600
            //   56                   | push                esi
            //   8d8dbcfeffff         | lea                 ecx, [ebp - 0x144]
            //   e8????????           |                     
            //   68????????           |                     
            //   8d8dbcfeffff         | lea                 ecx, [ebp - 0x144]

        $sequence_3 = { b101 e8???????? e8???????? 84c0 }
            // n = 4, score = 600
            //   b101                 | mov                 cl, 1
            //   e8????????           |                     
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_4 = { 56 e8???????? 8b30 837e0c00 }
            // n = 4, score = 600
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b30                 | mov                 esi, dword ptr [eax]
            //   837e0c00             | cmp                 dword ptr [esi + 0xc], 0

        $sequence_5 = { 8b4638 5f 66894812 33c9 8b4638 }
            // n = 5, score = 600
            //   8b4638               | dec                 esp
            //   5f                   | cmovae              eax, dword ptr [esp + 0x68]
            //   66894812             | dec                 eax
            //   33c9                 | mov                 eax, dword ptr [ebx + 0x18]
            //   8b4638               | mov                 word ptr [eax + 2], cx

        $sequence_6 = { f2e965020000 e9???????? 53 56 57 }
            // n = 5, score = 600
            //   f2e965020000         | bnd jmp             0x26b
            //   e9????????           |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_7 = { 0f90c1 f7d9 0bc8 51 e8???????? 8b0d???????? c1e102 }
            // n = 7, score = 600
            //   0f90c1               | seto                cl
            //   f7d9                 | neg                 ecx
            //   0bc8                 | or                  ecx, eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   c1e102               | shl                 ecx, 2

        $sequence_8 = { 0fb7c1 6641 66890d???????? 50 }
            // n = 4, score = 600
            //   0fb7c1               | movzx               eax, cx
            //   6641                 | inc                 cx
            //   66890d????????       |                     
            //   50                   | push                eax

        $sequence_9 = { 7509 33d2 33c9 e8???????? }
            // n = 4, score = 400
            //   7509                 | jne                 0xb
            //   33d2                 | xor                 edx, edx
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |                     

        $sequence_10 = { 488d0d520b0400 e8???????? 488b8500010000 488b8d08010000 }
            // n = 4, score = 200
            //   488d0d520b0400       | dec                 eax
            //   e8????????           |                     
            //   488b8500010000       | mov                 eax, dword ptr [ebp + 0x100]
            //   488b8d08010000       | dec                 eax

        $sequence_11 = { 488d0d516d0200 e8???????? 488d8d680e0000 e8???????? }
            // n = 4, score = 200
            //   488d0d516d0200       | lea                 ecx, [0x41b51]
            //   e8????????           |                     
            //   488d8d680e0000       | nop                 
            //   e8????????           |                     

        $sequence_12 = { 488d0d50840200 e8???????? 488d0d48840200 e8???????? }
            // n = 4, score = 200
            //   488d0d50840200       | dec                 eax
            //   e8????????           |                     
            //   488d0d48840200       | lea                 esp, [ebp + 0xe8]
            //   e8????????           |                     

        $sequence_13 = { 4903c7 c64405b079 4903c7 c64405b073 4903c7 c64405b074 4903c7 }
            // n = 7, score = 200
            //   4903c7               | nop                 
            //   c64405b079           | dec                 eax
            //   4903c7               | mov                 ecx, dword ptr [ebp + 0x100]
            //   c64405b073           | nop                 
            //   4903c7               | dec                 eax
            //   c64405b074           | lea                 ecx, [0x3cd52]
            //   4903c7               | nop                 

        $sequence_14 = { 488d0d528a0300 e8???????? 488b8de0000000 e8???????? }
            // n = 4, score = 200
            //   488d0d528a0300       | lea                 ecx, [ebp + 0xe68]
            //   e8????????           |                     
            //   488b8de0000000       | dec                 eax
            //   e8????????           |                     

        $sequence_15 = { 488b4318 66894802 8d4f6e 488b4318 66894804 }
            // n = 5, score = 200
            //   488b4318             | dec                 eax
            //   66894802             | lea                 esp, [ebp + 0xe8]
            //   8d4f6e               | dec                 eax
            //   488b4318             | lea                 ecx, [0x34d53]
            //   66894804             | dec                 eax

        $sequence_16 = { 488d0d52b90200 e8???????? e8???????? 48894508 }
            // n = 4, score = 200
            //   488d0d52b90200       | mov                 dword ptr [ebp + 0xec0], eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   48894508             | dec                 eax

        $sequence_17 = { e8???????? 4c8d442468 48837d8010 4c0f43442468 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   4c8d442468           | dec                 eax
            //   48837d8010           | mov                 ecx, dword ptr [ebp + 0x100]
            //   4c0f43442468         | nop                 

        $sequence_18 = { 488d0d50480300 e8???????? 90 488b8500010000 488da5e8000000 5f }
            // n = 6, score = 200
            //   488d0d50480300       | dec                 eax
            //   e8????????           |                     
            //   90                   | lea                 ecx, [0x34850]
            //   488b8500010000       | nop                 
            //   488da5e8000000       | dec                 eax
            //   5f                   | mov                 eax, dword ptr [ebp + 0x100]

        $sequence_19 = { 4889442428 488d85d0030000 4889442420 4c8d4c2448 }
            // n = 4, score = 200
            //   4889442428           | mov                 ecx, dword ptr [ebp + 0x200]
            //   488d85d0030000       | je                  0xe
            //   4889442420           | mov                 word ptr [eax + 1], 0x7865
            //   4c8d4c2448           | mov                 byte ptr [eax + 3], 0x65

        $sequence_20 = { 488d0d52cd0300 e8???????? 90 488b8d00010000 }
            // n = 4, score = 200
            //   488d0d52cd0300       | mov                 dword ptr [eax + 8], ecx
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   488b8d00010000       | lea                 ecx, [0x40b52]

    condition:
        7 of them and filesize < 778240
}
[TLP:WHITE] win_anchor_w0   (20200413 | For x86 Anchor)
rule win_anchor_w0 {
    meta:
        author = "Jason Reaves"
        description = "For x86 Anchor"
        source = "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_version = "20200413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $a1 = "/1001/" ascii wide
        $a2 = ":$GUID" ascii wide
        $a3 = ":$TASK" ascii wide
        $ua = "WinHTTP loader/1.0" ascii wide
        $hexlify = {0f be ?? ?? b8 f0 00 00 00 0f 45 ?? 8b ?? c1 e1 02 23 d0}
        $sdecode = {8a 04 0a 0f be c0 83 e8 ?? 88 04 0a 42 83}
        $xor_data = {80 b4 05 ?? ?? ff ff ?? 40 3b c6}

    condition:
        3 of them
}
[TLP:WHITE] win_anchor_w1   (20200413 | For x64 Anchor)
rule win_anchor_w1 {
    meta:
        author = "Jason Reaves"
        description = "For x64 Anchor"
        source = "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_version = "20200413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $xor_data = {80 ?4 0? ?? ?? 48 ?? c? 48}
        $hexlify = {81 c1 f0 00 00 00 23 d1 41 8? ?? c1 e1 02}
        $a1 = "/1001/" ascii wide
        $a2 = ":$GUID" ascii wide
        $a3 = ":$TASK" ascii wide
        $ua = "WinHTTP loader/1.0" ascii wide

    condition:
       3 of them
}
Download all Yara Rules