win.anchor

Anchor

Actor(s): WIZARD SPIDER


Anchor is a sophisticated backdoor served as a module to a subset of TrickBot installations. Operating since August 2018, it is not delivered to every infected host; on the contrary, it is delivered only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in early TrickBot, multiple experts believe it could be attributed to the same authors.

References

2020-05-19, Ofer Caspi (AlienLabs): TrickBot BazarLoader In-Depth
https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth (retrieved 2020-05-20)
Tags: Anchor, BazarBackdoor, TrickBot

2020-04-08, Jason Reaves (SentinelOne): Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations
https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/ (retrieved 2020-04-13)
Tags: Anchor, TrickBot

2020-04-07, Ole Villadsen (SecurityIntelligence): ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/ (retrieved 2020-04-13)
Tags: More_eggs, Anchor, TrickBot

2020-03-04, CrowdStrike (CrowdStrike): 2020 CrowdStrike Global Threat Report
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf (retrieved 2020-07-24)
Tags: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos Ransomware, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, vidar, Winnti, ANTHROPOID SPIDER, Anunak, APT31, APT39, BlackTech, BuhTrap, Charming Kitten, CLOCKWORD SPIDER, DOPPEL SPIDER, Gamaredon Group, Leviathan, MONTY SPIDER, Mustang Panda, NARWHAL SPIDER, NOCTURNAL SPIDER, Pinchy Spider, Pirate Panda, Salty Spider, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER

2020-02-13, Qi Anxin Threat Intelligence Center (Qianxin): APT Report 2019
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf (retrieved 2020-02-27)
Tags: Chrysaor, Exodus, Dacls, elf.vpnfilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2019-12-11, Assaf Dahan, Lior Rochberger, Eli Salem, Mary Zhao, Niv Yona, Omer Yampel, Matt Hart (Cybereason): Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware
https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware (retrieved 2020-01-06)
Tags: Anchor, WIZARD SPIDER

2019-12-10, Vitali Kremez, Joshua Platt, Jason Reaves (Sentinel LABS): MORPHISEC DISCOVERS CCLEANER BACKDOOR SAVING MILLIONS OF AVAST USERS
https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/ (retrieved 2020-01-08)
Tags: Anchor

2019-10-18, NTT Security (NTT): TrickBot variant “Anchor_DNS” communicating over DNS
https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns (retrieved 2020-01-10)
Tags: Anchor
Yara Rules
[TLP:WHITE] win_anchor_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_anchor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 740c 66c740016578 c6400365 eb0a }
            // n = 4, score = 500
            //   740c                 | je                  0xe
            //   66c740016578         | mov                 word ptr [eax + 1], 0x7865
            //   c6400365             | mov                 byte ptr [eax + 3], 0x65
            //   eb0a                 | jmp                 0x18

        $sequence_1 = { c6400365 eb0a 66c74001646c c640036c }
            // n = 4, score = 500
            //   c6400365             | mov                 byte ptr [eax + 3], 0x65
            //   eb0a                 | jmp                 0x10
            //   66c74001646c         | mov                 word ptr [eax + 1], 0x6c64
            //   c640036c             | mov                 byte ptr [eax + 3], 0x6c

        $sequence_2 = { 7509 33d2 33c9 e8???????? }
            // n = 4, score = 400
            //   7509                 | jne                 0xb
            //   33d2                 | xor                 edx, edx
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |                     

        $sequence_3 = { b101 e8???????? e8???????? 84c0 }
            // n = 4, score = 400
            //   b101                 | mov                 cl, 1
            //   e8????????           |                     
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_4 = { 3b0d???????? f27502 f2c3 f2e965020000 e9???????? }
            // n = 5, score = 300
            //   3b0d????????         |                     
            //   f27502               | bnd jne             0xb
            //   f2c3                 | bnd ret
            //   f2e965020000         | bnd jmp             0x276
            //   e9????????           |                     

        $sequence_5 = { e8???????? 8d85ecfeffff c645fc03 50 8d8dbcfeffff }
            // n = 5, score = 300
            //   e8????????           |                     
            //   8d85ecfeffff         | lea                 eax, [ebp - 0x114]
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   50                   | push                eax
            //   8d8dbcfeffff         | lea                 ecx, [ebp - 0x144]

        $sequence_6 = { 8d8dbcfeffff e9???????? 8d8dbcfeffff e9???????? 8b542408 8d420c }
            // n = 6, score = 300
            //   8d8dbcfeffff         | lea                 ecx, [ebp - 0x144]
            //   e9????????           |                     
            //   8d8dbcfeffff         | lea                 ecx, [ebp - 0x144]
            //   e9????????           |                     
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   8d420c               | lea                 eax, [edx + 0xc]

        $sequence_7 = { c78405f4feffff325c7275 c78405f8feffff6e646c6c c78405fcfeffff33322e65 66c7840500ffffff7865 83c016 }
            // n = 5, score = 300
            //   c78405f4feffff325c7275     | mov    dword ptr [ebp + eax - 0x10c], 0x75725c32
            //   c78405f8feffff6e646c6c     | mov    dword ptr [ebp + eax - 0x108], 0x6c6c646e
            //   c78405fcfeffff33322e65     | mov    dword ptr [ebp + eax - 0x104], 0x652e3233
            //   66c7840500ffffff7865     | mov    word ptr [ebp + eax - 0x100], 0x6578
            //   83c016               | add                 eax, 0x16

        $sequence_8 = { 0bc8 51 e8???????? 8b0d???????? c1e102 }
            // n = 5, score = 300
            //   0bc8                 | or                  ecx, eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   c1e102               | shl                 ecx, 2

        $sequence_9 = { 8d4dc0 e8???????? b301 85f6 }
            // n = 4, score = 300
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   e8????????           |                     
            //   b301                 | mov                 bl, 1
            //   85f6                 | test                esi, esi

        // Sequences 10 to 20 come from the x64 build; they are annotated
        // in 32-bit decoding as yara-signator emits them, so REX prefixes
        // show up as dec eax / inc ecx / dec esp / etc.
        $sequence_10 = { c605????????01 41b801000000 33d2 488b8d80010000 e8???????? 48c7456800000000 }
            // n = 6, score = 200
            //   c605????????01       |                     
            //   41b801000000         | inc                 ecx; mov eax, 1
            //   33d2                 | xor                 edx, edx
            //   488b8d80010000       | dec                 eax; mov ecx, dword ptr [ebp + 0x180]
            //   e8????????           |                     
            //   48c7456800000000     | dec                 eax; mov dword ptr [ebp + 0x68], 0

        $sequence_11 = { 48894508 488d057b100300 b96f000000 488b5508 66890c50 488b4508 }
            // n = 6, score = 200
            //   48894508             | dec                 eax; mov dword ptr [ebp + 8], eax
            //   488d057b100300       | dec                 eax; lea eax, [0x3107b]
            //   b96f000000           | mov                 ecx, 0x6f
            //   488b5508             | dec                 eax; mov edx, dword ptr [ebp + 8]
            //   66890c50             | mov                 word ptr [eax + edx*2], cx
            //   488b4508             | dec                 eax; mov eax, dword ptr [ebp + 8]

        $sequence_12 = { 488b8de0000000 e8???????? 488b85e0000000 48c7400800000000 488b85e0000000 48c7401000000000 488b85e0000000 }
            // n = 7, score = 200
            //   488b8de0000000       | dec                 eax; mov ecx, dword ptr [ebp + 0xe0]
            //   e8????????           |                     
            //   488b85e0000000       | dec                 eax; mov eax, dword ptr [ebp + 0xe0]
            //   48c7400800000000     | dec                 eax; mov dword ptr [eax + 8], 0
            //   488b85e0000000       | dec                 eax; mov eax, dword ptr [ebp + 0xe0]
            //   48c7401000000000     | dec                 eax; mov dword ptr [eax + 0x10], 0
            //   488b85e0000000       | dec                 eax; mov eax, dword ptr [ebp + 0xe0]

        $sequence_13 = { 48894548 488b4528 488b00 b96d000000 488b5548 66890c50 488b4548 }
            // n = 7, score = 200
            //   48894548             | dec                 eax; mov dword ptr [ebp + 0x48], eax
            //   488b4528             | dec                 eax; mov eax, dword ptr [ebp + 0x28]
            //   488b00               | dec                 eax; mov eax, dword ptr [eax]
            //   b96d000000           | mov                 ecx, 0x6d
            //   488b5548             | dec                 eax; mov edx, dword ptr [ebp + 0x48]
            //   66890c50             | mov                 word ptr [eax + edx*2], cx
            //   488b4548             | dec                 eax; mov eax, dword ptr [ebp + 0x48]

        $sequence_14 = { 488b4cdd07 4885c9 740b ff15???????? 4c8974dd07 }
            // n = 5, score = 200
            //   488b4cdd07           | dec                 eax; mov ecx, dword ptr [ebp + ebx*8 + 7]
            //   4885c9               | dec                 eax; test ecx, ecx
            //   740b                 | je                  0x15
            //   ff15????????         |                     
            //   4c8974dd07           | dec                 esp; mov dword ptr [ebp + ebx*8 + 7], esi

        $sequence_15 = { 488d05bffd0000 4a8b04e8 42f644303880 0f84ea000000 e8???????? 488b8890000000 4839b938010000 }
            // n = 7, score = 200
            //   488d05bffd0000       | dec                 eax; lea eax, [0xfdbf]
            //   4a8b04e8             | dec                 edx; mov eax, dword ptr [eax + ebp*8]
            //   42f644303880         | inc                 edx; test byte ptr [eax + esi + 0x38], 0x80
            //   0f84ea000000         | je                  0x101
            //   e8????????           |                     
            //   488b8890000000       | dec                 eax; mov ecx, dword ptr [eax + 0x90]
            //   4839b938010000       | dec                 eax; cmp dword ptr [ecx + 0x138], edi

        $sequence_16 = { 8b85dc010000 89442428 8b85d8010000 89442420 448b8dd4010000 }
            // n = 5, score = 200
            //   8b85dc010000         | mov                 eax, dword ptr [ebp + 0x1dc]
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   8b85d8010000         | mov                 eax, dword ptr [ebp + 0x1d8]
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   448b8dd4010000       | inc                 esp; mov ecx, dword ptr [ebp + 0x1d4]

        $sequence_17 = { 4c8b452f e8???????? 0fb6db 85c0 410f44dc 4885ff 7408 }
            // n = 7, score = 200
            //   4c8b452f             | dec                 esp; mov eax, dword ptr [ebp + 0x2f]
            //   e8????????           |                     
            //   0fb6db               | movzx               ebx, bl
            //   85c0                 | test                eax, eax
            //   410f44dc             | inc                 ecx; cmove ebx, esp
            //   4885ff               | dec                 eax; test edi, edi
            //   7408                 | je                  0x1f

        $sequence_18 = { b976000000 66898c0588050000 b802000000 486bc004 b969000000 66898c0588050000 b802000000 }
            // n = 7, score = 200
            //   b976000000           | mov                 ecx, 0x76
            //   66898c0588050000     | mov                 word ptr [ebp + eax + 0x588], cx
            //   b802000000           | mov                 eax, 2
            //   486bc004             | dec                 eax; imul eax, eax, 4
            //   b969000000           | mov                 ecx, 0x69
            //   66898c0588050000     | mov                 word ptr [ebp + eax + 0x588], cx
            //   b802000000           | mov                 eax, 2

        $sequence_19 = { 488d45e8 48894de8 488945f0 488d1564bd0000 }
            // n = 4, score = 200
            //   488d45e8             | dec                 eax; lea eax, [ebp - 0x18]
            //   48894de8             | dec                 eax; mov dword ptr [ebp - 0x18], ecx
            //   488945f0             | dec                 eax; mov dword ptr [ebp - 0x10], eax
            //   488d1564bd0000       | dec                 eax; lea edx, [0xbd64]

        $sequence_20 = { b8cccccccc f3ab 488b8c2428010000 48c785c8000000feffffff 488d0d81cc0300 }
            // n = 5, score = 200
            //   b8cccccccc           | mov                 eax, 0xcccccccc
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   488b8c2428010000     | dec                 eax; mov ecx, dword ptr [esp + 0x128]
            //   48c785c8000000feffffff     | dec    eax; mov dword ptr [ebp + 0xc8], 0xfffffffe
            //   488d0d81cc0300       | dec                 eax; lea ecx, [0x3cc81]

    condition:
        7 of them and filesize < 778240
}
[TLP:WHITE] win_anchor_w0 (20200413 | For x86 Anchor)
rule win_anchor_w0 {
    meta:
        author = "Jason Reaves"
        description = "For x86 Anchor"
        source = "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_version = "20200413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $a1 = "/1001/" ascii wide
        $a2 = ":$GUID" ascii wide
        $a3 = ":$TASK" ascii wide
        $ua = "WinHTTP loader/1.0" ascii wide
        $hexlify = {0f be ?? ?? b8 f0 00 00 00 0f 45 ?? 8b ?? c1 e1 02 23 d0}
        $sdecode = {8a 04 0a 0f be c0 83 e8 ?? 88 04 0a 42 83}
        $xor_data = {80 b4 05 ?? ?? ff ff ?? 40 3b c6}

    condition:
        3 of them
}
[TLP:WHITE] win_anchor_w1 (20200413 | For x64 Anchor)
rule win_anchor_w1 {
    meta:
        author = "Jason Reaves"
        description = "For x64 Anchor"
        source = "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_version = "20200413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $xor_data = {80 ?4 0? ?? ?? 48 ?? c? 48}
        $hexlify = {81 c1 f0 00 00 00 23 d1 41 8? ?? c1 e1 02}
        $a1 = "/1001/" ascii wide
        $a2 = ":$GUID" ascii wide
        $a3 = ":$TASK" ascii wide
        $ua = "WinHTTP loader/1.0" ascii wide

    condition:
        3 of them
}