TrickBot Malware made headlines in 2019 by infecting nearly 250 million Google accounts, stealing credentials and personal information, and it's fully capable of disabling the Windows inbuilt antivirus software altogether.
Now, the notorious malware makes a come-back with new module framework dubbed “Anchor_DNS” that can infect Linux device. According to IntezerLabs, the Anchor_DNS is ported to a Linux version called ‘Anchor_Linux’ with the Linux version of the malware targeting VPN and NAS devices running on Linux.
The module not only act as a backdoor to infect Linux systems, but it also contains an embedded Windows TrickBot executable.
How Anchor_Linux TrickBot Malware targets Linux Systems
Anchor_Linux TrickBot Malware is a “Lightweight backdoor with the ability to spread to neighboring Windows boxes using svcctl via SMB” as reported by IntezerLabs.
It acts as covert backdoor tool persistence in UNIX environment which is used as a pivot for Windows exploitation, and also used as an unorthodox attack vector outside of phishing attacks. Anchor_Linux allows the group to target servers in UNIX environment, including VPN and NAS devices and use it to infect corporate networks.
The bad actors can even target non-Windows environments and later pivot to Windows devices on same network.
How to Mitigate against Anchor_Linux malware
Linux users can check for the Anchor_linux infestation by searching for the “/tmp/Anchor.log” file on their system. If there is any such file, it means the system is compromised.
Therefore, it is recommended that the Linux user should scan the system and delete all traces of the malware. Albeit, Anchor_Linux is still in its initial stages, and will continue to evolve, which makes it more dangerous for Linux systems.