Track Common Adversary Tasks Performed Using Anchor
To know more about it, you can go through my detailed document by clicking here
Overview
Anchor is a sophisticated backdoor malware, active since 2018, used with TrickBot installations, and generally targets high profile victims. As it is connected with TrickBot, many experts think that it's manufactured by the same developers.
Features
Some of the main features of Anchor are:
- The TrickBot-Anchor Relation- As stated above, Anchor is somewhat connected with TrickBot, so, many organizations generally investigate its attacks against financial, manufacturing, and retail businesses, using this point-of-view.
- Targets POS Systems- It generally targets POS systems stealing sensitive information from the victim's network.
- Uses New Malware- There are many variants that are new or undocumented, extensively used, and are also related to TrickBot.
- Uses Known Tools For Reconnaissance & Lateral Movement- Familiar tools such as, PowerShell, Meterpreter, Empire, Cobalt Strike, etc. are used for reconnaissance and lateral movement.
- Abuses the Trust of Certificate Authorities- Various payloads in the attacks are signed binaries, that abuses the trust of certificate authorities to bypass detection.
Conclusion
Thus, the above statements depicts the general ways through which Anchor targets as well as attacks its victims successfully evading the security products like sandboxes, AV vendors, etc. However, as these types of malwares are focusing more on signed malware, the practice of the detection of signed malware must be improved and new rules must be set before giving any trust to signed binaries in general.
To know more about it, you can go through my detailed document by clicking here
Comments
Post a Comment