"Revamped Anchor Malware Targets Windows Systems"

Researchers with IBM Security X-Force are warning of a revamped version of the Anchor malware, called AnchorMail, that has been targeting Windows systems. Anchor is a backdoor deployed by the group behind the Trickbot malware; it was previously used to communicate with a command-and-control (C2) server, with the end goal of launching Conti ransomware. According to the researchers, the malware's installation framework has been used by some of the most notorious threat actors in attacks against organizations in the healthcare, finance, telecoms, education, and critical infrastructure sectors. Anchor used the Domain Name System (DNS) protocol to communicate with its C2. The newly discovered variant instead uses an email-based C2 server and communicates over the Simple Mail Transfer Protocol (SMTP) and the Internet Message Access Protocol (IMAP), both wrapped in Transport Layer Security (TLS), which helps attackers avoid detection. AnchorMail is difficult to detect because its traffic is encrypted over SMTPS/IMAPS and because it uses properly crafted email messages to set up the C2 channel, so the exchange looks like ordinary mail traffic to network monitoring. Charlotte Hammond, a malware reverse engineer with IBM Security X-Force, said that AnchorMail is written in C++ and has only targeted Windows systems thus far, but a Linux variant of AnchorMail could emerge too, since Anchor has already been ported to Linux. This article continues to discuss the history of Anchor malware and the Trickbot gang, as well as findings regarding AnchorMail.
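Because the channel described above rides on TLS-wrapped SMTP/IMAP, network sensors cannot read the messages themselves, so hunting has to rely on metadata: which endpoints talk mail protocols, to whom, and how regularly. The following is an added example (not code from the Decipher article, IBM X-Force, or the malware itself) of that metadata heuristic in Python. It assumes the organization's legitimate mail traffic goes only to a known set of mail servers (the `ALLOWED_MAIL_HOSTS` allowlist is an assumption), parses a constructed Zeek-conn-style log, and flags any source that repeatedly connects on SMTP/IMAP ports to an unknown peer, noting whether the connection timing is regular enough to look like beaconing.

```python
"""Hunt for mail-protocol beaconing in a connection log (added example)."""
from collections import defaultdict
from statistics import median

# Ports used by SMTP(S)/IMAP(S). The summary above says the channel runs over
# TLS, so 465/993 matter most, but submission (587) and IMAP (143) with
# STARTTLS look the same to a network sensor and are included.
MAIL_PORTS = {25, 143, 465, 587, 993}

# ASSUMPTION: these are the organization's only legitimate mail servers.
ALLOWED_MAIL_HOSTS = {"10.0.5.10", "10.0.5.11"}

# Constructed sample in a Zeek-conn-like TSV layout (not real telemetry).
SAMPLE_LOG = """\
ts\tsrc\tdst\tdport\torig_bytes
1646000000\t10.0.7.23\t10.0.5.10\t587\t4200
1646000060\t10.0.7.23\t10.0.5.10\t993\t1800
1646000100\t10.0.7.42\t203.0.113.50\t465\t900
1646000700\t10.0.7.42\t203.0.113.50\t993\t300
1646001300\t10.0.7.42\t203.0.113.50\t465\t950
1646001900\t10.0.7.42\t203.0.113.50\t993\t310
1646002000\t10.0.7.99\t198.51.100.7\t443\t12000
"""


def parse_conn_log(text):
    """Parse a header-led TSV of connections into a list of dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        fields = dict(zip(header, line.split("\t")))
        rows.append({
            "ts": int(fields["ts"]),
            "src": fields["src"],
            "dst": fields["dst"],
            "dport": int(fields["dport"]),
            "orig_bytes": int(fields["orig_bytes"]),
        })
    return rows


def is_regular(timestamps, tolerance=0.1):
    """True when every gap between connections is within `tolerance` of the median gap.

    Regular check-ins are typical of an implant polling a mailbox; human mail
    clients are much noisier. Needs at least three connections (two gaps).
    """
    if len(timestamps) < 3:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = median(gaps)
    return m > 0 and all(abs(g - m) <= tolerance * m for g in gaps)


def suspicious_mail_c2(rows, allowed=ALLOWED_MAIL_HOSTS, min_flows=3):
    """Group mail-port connections to non-allowlisted peers by (src, dst) and
    report pairs that exceed `min_flows`, with a beacon-regularity flag."""
    by_pair = defaultdict(list)
    for r in rows:
        if r["dport"] in MAIL_PORTS and r["dst"] not in allowed:
            by_pair[(r["src"], r["dst"])].append(r)

    findings = {}
    for pair, flows in by_pair.items():
        if len(flows) < min_flows:
            continue
        findings[pair] = {
            "flows": len(flows),
            "ports": sorted({f["dport"] for f in flows}),
            "bytes_out": sum(f["orig_bytes"] for f in flows),
            "beacon_like": is_regular([f["ts"] for f in flows]),
        }
    return findings


if __name__ == "__main__":
    for (src, dst), info in suspicious_mail_c2(parse_conn_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info}")
```

On the constructed sample, the endpoint talking to the corporate mail server and the HTTPS-only endpoint are ignored, while 10.0.7.42 is reported for four SMTPS/IMAPS connections to 203.0.113.50 at a steady ten-minute cadence. The heuristic only narrows the hunt: a legitimate cloud mail provider that is missing from the allowlist will also trigger it, so the allowlist and the regularity threshold should be tuned to the environment before the rule is used for alerting.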

Decipher reports "Revamped Anchor Malware Targets Windows Systems"