Analysts at Cybereason and SentinelOne found that North Korean hackers from the notorious Lazarus group recently bought access to infected systems from TrickBot operators, and also used the new TrickBot module, called Anchor.
Let me remind you that TrickBot is one of the three largest botnets, along with Emotet and Dridex. It is a giant network of machines infected with the TrickBot Trojan, and TrickBot operators willingly sell access to those infected systems to other criminals, from ransomware operators and spammers to serious, state-backed hacking groups. Depending on their goals, tenants can use TrickBot to install their own malware or use the Trojan's existing modules.
SentinelOne describes Anchor as a "toolbox" combined into a new variety of malware, as well as a "universal attack infrastructure designed to attack corporate environments."
As mentioned above, Anchor is in fact a new TrickBot module, most likely created for a particular niche of the market: hackers who primarily need stealth. The module is designed for attacks on large companies and other high-value targets, during which attackers need to remain undetected for weeks or even months while they steal data, and even after the operation is completed.
Anchor consists of submodules with the various functions needed for targeted attacks. These include submodules for lateral movement within company networks, installation of backdoors, attacks on Point-of-Sale (POS) systems, scanning RAM for payment card data, and submodules for cleaning up the system after infection, which help hide the intruders' traces.
And although at first glance Anchor seems to be a tool built for hacking groups interested in economic espionage and for POS malware operators, it has also found clients among "government hackers." The Lazarus group apparently rented access to an infected system through the TrickBot botnet and then used Anchor to install PowerRatankba, a PowerShell backdoor, on the network of an unnamed compromised company.
SentinelOne's experts do not specify what Lazarus did inside the hacked company's network, but North Korean hackers usually engage in cyber espionage and financially motivated attacks.
Cybereason analysts, in turn, report a more predictable use of Anchor: since October 2019, the module has been used in a number of targeted campaigns against financial, manufacturing and retail businesses. This wave of attacks is reported to have aimed at stealing confidential information from POS systems and other sensitive data in the victims' networks.