Anchor_dns malware family goes cross platform
Common Information
Type Value
UUID 630375da-83b4-4eb1-b542-bb3b5f589d34
Fingerprint e6a59959adb3879b
Analysis status DONE
Considered CTI value 2
Text language
Published July 13, 2020, 3:28 p.m.
Added to db Sept. 11, 2022, 12:31 p.m.
Last updated Nov. 17, 2024, 5:58 p.m.
Headline Anchor_dns malware goes cross platform
Title Anchor_dns malware family goes cross platform
Detected Hints/Tags/Attributes 36/2/7
Attributes
Type       #Events  Value
Domain     2        biillpi.com
File       748      kernel32.dll
sha256     1        55754d178d611f17efe2f17c456cb42469fd40ef999e1058f2bfe44a503d877c
sha256     1        c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
IPv4       1        23.95.97.59
Url        1        https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire
Yara rule  1        (rule text follows)
rule anchor_linux_dns {
	meta:
		author = "Stage 2 Security"
		description = "Trickbot anchor_linux"
	strings:
		$hdr = { 7F 45 4C 46 }
		$x1 = { 80 74 0? ?? B9 }
		$x2 = "anchor_l"
		$x3 = "getaddrinfo"
		$x4 = "IPC$"
		$x5 = { 48 ?? 2F 74 6D 70 2F 00 00 00 }
		$x6 = "test my ip"
		$x7 = { 73 6D 62 32 5F [47] 5F 61 73 79 6E 63 20 }
		$x8 = "Kernel32.dll"
		$x9 = "libcurl"
		$x10 = "/1001/"
	condition:
		$hdr at 0 and 7 of ($x*)
}
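The following is an added example, not part of the original record and not code from Stage 2 Security: a small pure-Python evaluator for the anchor_linux_dns rule above, so the condition "$hdr at 0 and 7 of ($x*)" can be stepped through on constructed buffers without a YARA install. It translates the rule's hex strings (nibble wildcards such as 0?, full-byte wildcards ??, and the fixed jump [47]) into byte regexes and counts string hits exactly as the rule's strings are written. The sample buffers are constructed for the example and are not real malware; the string names (x1..x10) mirror the rule.

```python
"""Pure-Python evaluator for the anchor_linux_dns YARA rule.

Added example, not part of the original page or the rule author's code.
It mirrors the rule's strings and its condition
'$hdr at 0 and 7 of ($x*)' so the matching logic can be inspected on
constructed buffers without yara-python.
"""
import re

ELF_MAGIC = b"\x7fELF"  # $hdr = { 7F 45 4C 46 }

# Text strings exactly as in the rule. YARA text strings are case-sensitive
# unless marked nocase, so "Kernel32.dll" does not match "kernel32.dll".
TEXT_STRINGS = {
    "x2": b"anchor_l",
    "x3": b"getaddrinfo",
    "x4": b"IPC$",
    "x6": b"test my ip",
    "x8": b"Kernel32.dll",
    "x9": b"libcurl",
    "x10": b"/1001/",
}

# Hex strings copied verbatim from the rule.
HEX_STRINGS = {
    "x1": "80 74 0? ?? B9",
    "x5": "48 ?? 2F 74 6D 70 2F 00 00 00",
    "x7": "73 6D 62 32 5F [47] 5F 61 73 79 6E 63 20",
}


def hex_to_regex(tokens: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string into an equivalent bytes regex.

    Supports literal bytes, full-byte wildcards (??), nibble wildcards
    (0? / ?0) and fixed-length jumps ([N]). Ranges like [4-8] are not
    needed by this rule and are deliberately not implemented.
    """
    parts = []
    for tok in tokens.split():
        if tok.startswith("[") and tok.endswith("]"):
            parts.append(b".{%d}" % int(tok[1:-1]))   # fixed jump of N bytes
        elif tok == "??":
            parts.append(b".")                         # any single byte
        elif "?" in tok:
            hi, lo = tok[0], tok[1]                    # nibble wildcard
            allowed = [
                b for b in range(256)
                if (hi == "?" or b >> 4 == int(hi, 16))
                and (lo == "?" or b & 0xF == int(lo, 16))
            ]
            parts.append(b"[" + b"".join(b"\\x%02x" % b for b in allowed) + b"]")
        else:
            parts.append(b"\\x%02x" % int(tok, 16))    # literal byte
    # DOTALL so '.' also matches 0x0A, which is common inside binaries
    return re.compile(b"".join(parts), re.DOTALL)


def string_hits(data: bytes) -> dict:
    """Return {name: bool} for every $x* string of the rule."""
    hits = {name: s in data for name, s in TEXT_STRINGS.items()}
    for name, pattern in HEX_STRINGS.items():
        hits[name] = hex_to_regex(pattern).search(data) is not None
    return hits


def rule_matches(data: bytes) -> bool:
    """condition: $hdr at 0 and 7 of ($x*)"""
    return data.startswith(ELF_MAGIC) and sum(string_hits(data).values()) >= 7


# --- constructed sample buffers (not real malware) -------------------------
# An ELF-looking blob carrying nine of the ten $x* strings ($x8 omitted).
POSITIVE_SAMPLE = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9          # fake e_ident
    + b"\x80\x74\x05\x12\xb9"                          # $x1: 80 74 0? ?? B9
    + b"anchor_l\x00getaddrinfo\x00IPC$\x00"           # $x2 $x3 $x4
    + b"\x48\x8d/tmp/\x00\x00\x00"                     # $x5: 48 ?? "/tmp/" 00 00 00
    + b"test my ip\x00"                                # $x6
    + b"smb2_" + b"\x00" * 47 + b"_async "             # $x7 across the 47-byte jump
    + b"libcurl\x00/1001/\x00"                         # $x9 $x10
)

# Same content behind a PE magic: every $x* still hits, but '$hdr at 0' fails.
PE_SAMPLE = b"MZ" + POSITIVE_SAMPLE[2:]

# ELF header but only four $x* strings (lower-case kernel32.dll does not
# count as $x8): below the '7 of' threshold.
WEAK_SAMPLE = (
    ELF_MAGIC + b"\x00" * 12
    + b"getaddrinfo\x00libcurl\x00kernel32.dll\x00IPC$\x00test my ip\x00"
)


if __name__ == "__main__":
    for label, blob in [("positive", POSITIVE_SAMPLE), ("pe", PE_SAMPLE), ("weak", WEAK_SAMPLE)]:
        hits = string_hits(blob)
        print(f"{label}: {sum(hits.values())}/10 strings, match={rule_matches(blob)}")
```

The WEAK_SAMPLE case is the practical caveat: the rule's $x8 is the mixed-case "Kernel32.dll", so a sample that only carries the lower-case name listed in the File attribute above does not earn that hit; if that is not the intended behaviour, the rule would need a nocase modifier on $x8.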