TrickBot Malware Gang Upgrades its AnchorDNS Backdoor to AnchorMail

Even as the TrickBot infrastructure closed shop, the operators of the malware are continuing to refine and retool their arsenal to carry out attacks that culminated in the deployment of Conti ransomware.

IBM Security X-Force, which discovered the revamped version of the criminal gang’s AnchorDNS backdoor, dubbed the new, upgraded variant AnchorMail.

AnchorMail “uses an email-based [command-and-control] server which it communicates with using SMTP and IMAP protocols over TLS,” IBM’s malware reverse engineer, Charlotte Hammond, said. “With the exception of the overhauled C2 communication mechanism, AnchorMail’s behavior aligns very closely to that of its AnchorDNS predecessor.”

The cybercrime actor behind TrickBot, ITG23 aka Wizard Spider, is also known for its development of the Anchor malware framework, a backdoor reserved for targeting selected high value victims since at least 2018 via TrickBot and BazarBackdoor (aka BazarLoader), an additional implant engineered by the same group.

Over the years, the group has also benefited from a symbiotic relationship with the Conti ransomware cartel, with the latter leveraging TrickBot and BazarLoader payloads to gain a foothold for deploying the file-encrypting malware.

“By the end of 2021, Conti had essentially acquired TrickBot, with multiple elite developers and managers joining the ransomware cosa nostra,” AdvIntel’s Yelisey Boguslavskiy noted in a report published mid-February.

Less than 10 days later, the TrickBot actors shut down their botnet infrastructure following an unusual two-month-long hiatus in the malware distribution campaigns, marking a pivot that’s likely to channel their efforts toward stealthier malware families such as BazarBackdoor.

In the midst of all these developments, the AnchorDNS backdoor has received a facelift of its own. While the predecessor communicates to its C2 servers using DNS tunneling – a technique that involves the abuse of the DNS protocol to sneak malicious traffic past an organization’s defenses – the newer C++-based version makes use of specially crafted email messages.

“AnchorMail uses the encrypted SMTPS protocol for sending data to the C2, and IMAPS is used for receiving it,” Hammond noted, adding the malware establishes persistence by creating a scheduled task that’s set to run every 10 minutes, following it up by contacting the C2 server to fetch and execute any commands to be run.

The commands include the capability to execute binaries, DLLs, and shellcode retrieved from the remote server, launch PowerShell commands, and delete itself from the infected systems.

“The discovery of this new Anchor variant adds a new stealthy backdoor for use during ransomware attacks and highlights the group’s commitment to upgrading its malware,” Hammond said. “[AnchorMail] has so far only been observed targeting Windows systems. However, as AnchorDNS has been ported to Linux, it seems likely that a Linux-variant of AnchorMail may emerge too.”