win.anchor (Back to overview)

Anchor

Actor(s): WIZARD SPIDER


Anchor is a sophisticated backdoor served as a module to a subset of TrickBot installations. Operating since August 2018, it is not delivered to every infected host but only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in early TrickBot, multiple experts believe it could be attributed to the same authors.

References
2021-07-15Kryptos LogicKryptos Logic Vantage Team
@online{team:20210715:adjusting:3aa9a65, author = {Kryptos Logic Vantage Team}, title = {{Adjusting the Anchor}}, date = {2021-07-15}, organization = {Kryptos Logic}, url = {https://www.kryptoslogic.com/blog/2021/07/adjusting-the-anchor/}, language = {English}, urldate = {2021-07-24} } Adjusting the Anchor
Anchor
2021-04-14InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210414:april:4a29cb5, author = {Brad Duncan}, title = {{April 2021 Forensic Quiz: Answers and Analysis}}, date = {2021-04-14}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27308}, language = {English}, urldate = {2021-04-14} } April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike
2021-03-08The DFIR ReportThe DFIR Report
@online{report:20210308:bazar:ba050d7, author = {The DFIR Report}, title = {{Bazar Drops the Anchor}}, date = {2021-03-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/}, language = {English}, urldate = {2021-03-10} } Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-20Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20210120:anchor:b1e153f, author = {Jason Reaves and Joshua Platt}, title = {{Anchor and Lazarus together again?}}, date = {2021-01-20}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607}, language = {English}, urldate = {2021-01-21} } Anchor and Lazarus together again?
Anchor TrickBot
2020-10-29Palo Alto Networks Unit 42Brittany Barbehenn, Doel Santos, Brad Duncan
@online{barbehenn:20201029:threat:de33a6d, author = {Brittany Barbehenn and Doel Santos and Brad Duncan}, title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot
2020-10-28CISACISA, FBI, HHS
@techreport{cisa:20201028:aa20302a:80b6a06, author = {CISA and FBI and HHS}, title = {{AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector}}, date = {2020-10-28}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf}, language = {English}, urldate = {2020-11-02} } AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
Anchor_DNS Anchor BazarBackdoor Ryuk
2020-10-26Arbor NetworksSuweera De Souza
@online{souza:20201026:dropping:8ac1e1d, author = {Suweera De Souza}, title = {{Dropping the Anchor}}, date = {2020-10-26}, organization = {Arbor Networks}, url = {https://www.netscout.com/blog/asert/dropping-anchor}, language = {English}, urldate = {2020-10-29} } Dropping the Anchor
Anchor_DNS Anchor TrickBot
2020-05-19AlienLabsOfer Caspi
@online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot
2020-04-08SentinelOneJason Reaves
@online{reaves:20200408:deep:87b83bb, author = {Jason Reaves}, title = {{Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations}}, date = {2020-04-08}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/}, language = {English}, urldate = {2020-04-13} } Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations
Anchor TrickBot
2020-04-07SecurityIntelligenceOle Villadsen
@online{villadsen:20200407:itg08:b0b782d, author = {Ole Villadsen}, title = {{ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework}}, date = {2020-04-07}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/}, language = {English}, urldate = {2020-04-13} } ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
More_eggs Anchor TrickBot
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-12-11CybereasonAssaf Dahan, Lior Rochberger, Eli Salem, Mary Zhao, Niv Yona, Omer Yampel, Matt Hart
@online{dahan:20191211:dropping:0849f70, author = {Assaf Dahan and Lior Rochberger and Eli Salem and Mary Zhao and Niv Yona and Omer Yampel and Matt Hart}, title = {{Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware}}, date = {2019-12-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware}, language = {English}, urldate = {2020-01-06} } Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware
Anchor WIZARD SPIDER
2019-12-10Sentinel LABSVitali Kremez, Joshua Platt, Jason Reaves
@online{kremez:20191210:morphisec:c0fc51c, author = {Vitali Kremez and Joshua Platt and Jason Reaves}, title = {{MORPHISEC DISCOVERS CCLEANER BACKDOOR SAVING MILLIONS OF AVAST USERS}}, date = {2019-12-10}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/}, language = {English}, urldate = {2020-01-08} } MORPHISEC DISCOVERS CCLEANER BACKDOOR SAVING MILLIONS OF AVAST USERS
Anchor
2019-10-18NTTNTT Security
@online{security:20191018:trickbot:6e2f73f, author = {NTT Security}, title = {{TrickBot variant “Anchor_DNS” communicating over DNS}}, date = {2019-10-18}, organization = {NTT}, url = {https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns}, language = {English}, urldate = {2020-10-12} } TrickBot variant “Anchor_DNS” communicating over DNS
Anchor
Yara Rules
[TLP:WHITE] win_anchor_auto (20210616 | Detects win.anchor.)
rule win_anchor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.anchor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): reading guide for the sequences below.
     * - Each $sequence_N is a run of "n" consecutive instructions lifted from
     *   the disassembly; "score" is a yara-signator ranking, presumably tied to
     *   how widely the sequence is shared across the family's samples - confirm
     *   against the tool's documentation before using it as a confidence value.
     * - $sequence_0 to $sequence_9 are plain 32-bit code. $sequence_10 to
     *   $sequence_21 begin with REX prefixes (0x48, 0x4c, 0x44, 0x43) and so
     *   come from a 64-bit build of the family.
     * - The "| mnemonic" annotations shipped with $sequence_8 and with the
     *   64-bit sequences had been produced by a 32-bit decoder and were shifted
     *   relative to the bytes (a REX.W prefix shows up as "dec eax"); they have
     *   been re-decoded in this copy. Only the hex bytes are matched by YARA and
     *   those are unchanged; wildcarded ("??") call/jump targets and RIP-relative
     *   displacements are left blank or marked "?" as in the generated output.
     */

    strings:
        $sequence_0 = { 740c 66c740016578 c6400365 eb0a 66c74001646c }
            // n = 5, score = 800
            //   740c                 | je                  0xe
            //   66c740016578         | mov                 word ptr [eax + 1], 0x7865
            //   c6400365             | mov                 byte ptr [eax + 3], 0x65
            //   eb0a                 | jmp                 0xc
            //   66c74001646c         | mov                 word ptr [eax + 1], 0x6c64

        $sequence_1 = { e8???????? 6aff 6a00 53 8d4dd4 }
            // n = 5, score = 600
            //   e8????????           |                     
            //   6aff                 | push                -1
            //   6a00                 | push                0
            //   53                   | push                ebx
            //   8d4dd4               | lea                 ecx, dword ptr [ebp - 0x2c]

        $sequence_2 = { 6a00 6a06 6a04 6a00 6a01 }
            // n = 5, score = 600
            //   6a00                 | push                0
            //   6a06                 | push                6
            //   6a04                 | push                4
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_3 = { 8b4620 6689780e 8b4620 5f 66894810 }
            // n = 5, score = 600
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   6689780e             | mov                 word ptr [eax + 0xe], di
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   5f                   | pop                 edi
            //   66894810             | mov                 word ptr [eax + 0x10], cx

        $sequence_4 = { 50 6a00 6a00 682000000c }
            // n = 4, score = 600
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   682000000c           | push                0xc000020

        $sequence_5 = { 50 8d85c8fdffff 6805010000 50 e8???????? }
            // n = 5, score = 600
            //   50                   | push                eax
            //   8d85c8fdffff         | lea                 eax, dword ptr [ebp - 0x238]
            //   6805010000           | push                0x105
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_6 = { 7502 ff07 8a02 84c0 }
            // n = 4, score = 600
            //   7502                 | jne                 4
            //   ff07                 | inc                 dword ptr [edi]
            //   8a02                 | mov                 al, byte ptr [edx]
            //   84c0                 | test                al, al

        $sequence_7 = { c3 e9???????? 55 8bec 5d e9???????? 6a0c }
            // n = 7, score = 600
            //   c3                   | ret                 
            //   e9????????           |                     
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   5d                   | pop                 ebp
            //   e9????????           |                     
            //   6a0c                 | push                0xc

        $sequence_8 = { b101 e8???????? e8???????? 84c0 }
            // n = 4, score = 600
            //   b101                 | mov                 cl, 1
            //   e8????????           |                     
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_9 = { 7509 33d2 33c9 e8???????? }
            // n = 4, score = 400
            //   7509                 | jne                 0xb
            //   33d2                 | xor                 edx, edx
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |                     

        $sequence_10 = { 488d8a28000000 e9???????? 488d8a88000000 e9???????? 488d8a68000000 e9???????? }
            // n = 6, score = 200
            //   488d8a28000000       | lea                 rcx, [rdx + 0x28]
            //   e9????????           |                     
            //   488d8a88000000       | lea                 rcx, [rdx + 0x88]
            //   e9????????           |                     
            //   488d8a68000000       | lea                 rcx, [rdx + 0x68]
            //   e9????????           |                     

        $sequence_11 = { 488d0d3eb80200 e8???????? 8b95e8000000 488b8de0000000 }
            // n = 4, score = 200
            //   488d0d3eb80200       | lea                 rcx, [rip + 0x2b83e]
            //   e8????????           |                     
            //   8b95e8000000         | mov                 edx, dword ptr [rbp + 0xe8]
            //   488b8de0000000       | mov                 rcx, qword ptr [rbp + 0xe0]

        $sequence_12 = { 448bc7 488b4310 438d0c02 4903d1 }
            // n = 4, score = 200
            //   448bc7               | mov                 r8d, edi
            //   488b4310             | mov                 rax, qword ptr [rbx + 0x10]
            //   438d0c02             | lea                 ecx, [r10 + r8]
            //   4903d1               | add                 rdx, r9

        $sequence_13 = { 0f82df000000 48c1e82c 660feb15???????? 660feb0d???????? 4c8d0d24ae0000 }
            // n = 5, score = 200
            //   0f82df000000         | jb                  0xe5
            //   48c1e82c             | shr                 rax, 0x2c
            //   660feb15????????     | por                 xmm2, xmmword ptr [rip + ?]
            //   660feb0d????????     | por                 xmm1, xmmword ptr [rip + ?]
            //   4c8d0d24ae0000       | lea                 r9, [rip + 0xae24]

        $sequence_14 = { 488d0d3ebe0100 8b542430 48891401 488d0d2f350100 }
            // n = 4, score = 200
            //   488d0d3ebe0100       | lea                 rcx, [rip + 0x1be3e]
            //   8b542430             | mov                 edx, dword ptr [rsp + 0x30]
            //   48891401             | mov                 qword ptr [rcx + rax], rdx
            //   488d0d2f350100       | lea                 rcx, [rip + 0x1352f]

        $sequence_15 = { 488d0d3ca30200 e8???????? 488b85e0000000 488da5c8000000 }
            // n = 4, score = 200
            //   488d0d3ca30200       | lea                 rcx, [rip + 0x2a33c]
            //   e8????????           |                     
            //   488b85e0000000       | mov                 rax, qword ptr [rbp + 0xe0]
            //   488da5c8000000       | lea                 rsp, [rbp + 0xc8]

        $sequence_16 = { 488d0d3d830200 e8???????? eb4d 4c8b4528 }
            // n = 4, score = 200
            //   488d0d3d830200       | lea                 rcx, [rip + 0x2833d]
            //   e8????????           |                     
            //   eb4d                 | jmp                 0x4f
            //   4c8b4528             | mov                 r8, qword ptr [rbp + 0x28]

        $sequence_17 = { 488d0d3c1f0400 e8???????? 90 488b8500010000 488da5e8000000 5f }
            // n = 6, score = 200
            //   488d0d3c1f0400       | lea                 rcx, [rip + 0x41f3c]
            //   e8????????           |                     
            //   90                   | nop                 
            //   488b8500010000       | mov                 rax, qword ptr [rbp + 0x100]
            //   488da5e8000000       | lea                 rsp, [rbp + 0xe8]
            //   5f                   | pop                 rdi

        $sequence_18 = { 488d0d06f50000 e9???????? 488d8a28000000 e9???????? 488d0d7ef00000 e9???????? }
            // n = 6, score = 200
            //   488d0d06f50000       | lea                 rcx, [rip + 0xf506]
            //   e9????????           |                     
            //   488d8a28000000       | lea                 rcx, [rdx + 0x28]
            //   e9????????           |                     
            //   488d0d7ef00000       | lea                 rcx, [rip + 0xf07e]
            //   e9????????           |                     

        $sequence_19 = { 488d0d3c520200 e8???????? e8???????? 488b8d20010000 }
            // n = 4, score = 200
            //   488d0d3c520200       | lea                 rcx, [rip + 0x2523c]
            //   e8????????           |                     
            //   e8????????           |                     
            //   488b8d20010000       | mov                 rcx, qword ptr [rbp + 0x120]

        $sequence_20 = { 4881ecc0010000 48c7442420feffffff 48895808 48897018 488b05???????? 4833c4 488985b0000000 }
            // n = 7, score = 200
            // NOTE(review): looks like a standard MSVC x64 function prologue with a
            // stack cookie (load the cookie, xor with rsp, spill it to the frame);
            // on its own this is low-specificity compiler boilerplate, the
            // "7 of them" threshold below is what keeps it from mattering alone.
            //   4881ecc0010000       | sub                 rsp, 0x1c0
            //   48c7442420feffffff   | mov                 qword ptr [rsp + 0x20], -2
            //   48895808             | mov                 qword ptr [rax + 8], rbx
            //   48897018             | mov                 qword ptr [rax + 0x18], rsi
            //   488b05????????       | mov                 rax, qword ptr [rip + ?]
            //   4833c4               | xor                 rax, rsp
            //   488985b0000000       | mov                 qword ptr [rbp + 0xb0], rax

        $sequence_21 = { 488d0d3cfd0300 e8???????? c6450401 488b8dc0010000 }
            // n = 4, score = 200
            //   488d0d3cfd0300       | lea                 rcx, [rip + 0x3fd3c]
            //   e8????????           |                     
            //   c6450401             | mov                 byte ptr [rbp + 4], 1
            //   488b8dc0010000       | mov                 rcx, qword ptr [rbp + 0x1c0]

    condition:
        // Seven of the 22 sequences must be present. 778240 bytes is exactly
        // 760 KiB; inputs at or above that size (e.g. large memory dumps) are
        // never matched by this rule, so pair it with the hand-written
        // win_anchor_w0/w1 rules when scanning such artefacts.
        7 of them and filesize < 778240
}
[TLP:WHITE] win_anchor_w0   (20200413 | For x86 Anchor)
rule win_anchor_w0 {
    // Hand-written signature for the 32-bit (x86) build of the Anchor
    // backdoor, published with the SentinelOne "mexec" write-up named in
    // `source`. Metadata values are the Malpedia record and are kept verbatim.
    meta:
        author = "Jason Reaves"
        description = "For x86 Anchor"
        source = "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_version = "20200413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Code fragments. The names are the author's labels for the routines
        // they were taken from (hex-encoding, string decoding, XOR data
        // decoding); "??" bytes wildcard displacements/register encodings
        // that vary between builds. Bytes were not re-verified here.
        $hexlify  = {0f be ?? ?? b8 f0 00 00 00 0f 45 ?? 8b ?? c1 e1 02 23 d0}
        $sdecode  = {8a 04 0a 0f be c0 83 e8 ?? 88 04 0a 42 83}
        $xor_data = {80 b4 05 ?? ?? ff ff ?? 40 3b c6}

        // Text artefacts; `ascii wide` covers narrow and UTF-16LE copies.
        // $ua is an HTTP User-Agent value; $a1-$a3 are literal substrings
        // whose role (URI fragment, template placeholders) should be
        // confirmed against the source post rather than assumed.
        $ua = "WinHTTP loader/1.0" ascii wide
        $a1 = "/1001/" ascii wide
        $a2 = ":$GUID" ascii wide
        $a3 = ":$TASK" ascii wide

    condition:
        // Any three of the seven strings. There is no PE-header guard, so
        // unpacked dumps and non-PE inputs are in scope; the three-hit
        // threshold is what keeps a lone generic string (e.g. $ua) from firing.
        3 of ($*)
}
[TLP:WHITE] win_anchor_w1   (20200413 | For x64 Anchor)
rule win_anchor_w1 {
    // Hand-written signature for the 64-bit (x64) build of the Anchor
    // backdoor; 64-bit counterpart of win_anchor_w0 from the same
    // SentinelOne write-up. Metadata values are the Malpedia record,
    // kept verbatim.
    meta:
        author = "Jason Reaves"
        description = "For x64 Anchor"
        source = "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_version = "20200413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Text artefacts shared with the x86 rule; `ascii wide` covers narrow
        // and UTF-16LE copies. $ua is an HTTP User-Agent value; the role of
        // $a1-$a3 should be confirmed against the source post.
        $ua = "WinHTTP loader/1.0" ascii wide
        $a1 = "/1001/" ascii wide
        $a2 = ":$GUID" ascii wide
        $a3 = ":$TASK" ascii wide

        // Code fragments from the x64 build (note the 0x48/0x41 REX prefixes).
        // Nibble wildcards ("?4", "0?", "c?") pin only half a byte so that
        // differing register encodings still match. Bytes were not
        // re-verified here.
        $hexlify  = {81 c1 f0 00 00 00 23 d1 41 8? ?? c1 e1 02}
        $xor_data = {80 ?4 0? ?? ?? 48 ?? c? 48}

    condition:
        // Any three of the six strings; no PE-header guard, so dumps and
        // non-PE inputs are in scope and the threshold carries the precision.
        3 of ($*)
}