FIN6 and TrickBot Combine Forces in ‘Anchor’ Attacks

Anchor Malware

FIN6 fingerprints were spotted in recent cyberattacks that initially infected victims with the TrickBot trojan, and then eventually downloaded the Anchor backdoor malware.

Researchers say, two cybercriminal groups, FIN6 and the operators of the TrickBot malware, have paired up together to target several organizations with TrickBot’s malware framework called “Anchor.”

The two threat groups joining forces is a “new and dangerous twist” in an existing trend of cybercrime groups working together, say researchers with IBM X-Force. The FIN6 group (also known as “ITG08”) has historically gone after brick-and-mortar point-of-sale (PoS) data and e-commerce sites in the U.S. and Europe. Meanwhile, TrickBot is a malware strain that started out as a banking trojan, and over time gradually extended its functions to include collecting credentials from a victim’s emails, browsers and installed network apps.

“ITG08’s [FIN6’s] partnership with the TrickBot gang to use its Anchor malware framework is the latest example of a cybercriminal group that has repeatedly demonstrated its ability to adopt new malware and adapt to changing circumstances that threaten the group’s ability to obtain illicit proceeds,” said Ole Villadsen, threat analyst with IBM X-Force in a Tuesday analysis.

The analysis draws on previous research from SentinelOne and Cybereason regarding TrickBot’s usage of the Anchor framework, as well as its PowerShell-based backdoor called PowerTrick. The Anchor malware framework, which dates back to at least 2018, appears to be programmed by TrickBot’s operators, researchers at SentinelOne and Cybereason have previously noted. Anchor is “an all-in-one attack framework,” which is made up of various submodules that can help attackers spread laterally on a network (such as the ability to install backdoors). PowerTrick meanwhile, another TrickBot tool, has been leveraged for stealthiness, persistence, and reconnaissance inside infected high-value targets such as financial institutions.

Over the past six months, researchers have spotted a wave of cyberattacks using these TrickBot tools, bent on financial profit. The victims of this specific campaign were unnamed but Villadsen said mostly enterprise networks, including PoS systems, were targeted.

“We do not have additional information on the number of organizations targeted in these attacks,” Villadsen told Threatpost. “That said, this development places more enterprises at risk of an attack from ITG08 (FIN6), particularly those processing credit card data, by enabling the group to access networks infected by the TrickBot Trojan. The attacks are likely initiated through malicious spam (malspam) campaigns, which is how TrickBot is typically delivered.  Once an enterprise is infected with the TrickBot Trojan, we expect that access, along with use of the Anchor and PowerTrick malware, are then sold to ITG08, which will then take over the intrusion into the victim network.”

FIN6 Anchor Clues

IBM X-Force draws on these previous analyses by noting several clues pointing to FIN6’s involvement in the attacks that have leveraged Anchor, as well as PowerTrick. The biggest indicator of FIN6’s presence are the loader and backdoor being used in the attacks. The attackers used Anchor and PowerTrick to download and execute a loader, called Terraloader, which then installed a backdoor known as “More_eggs.”

FIN6 has previously utilized the “More_eggs” backdoor in attacks, and the cybercrime group also has an existing relationship with the boutique underground provider known for selling the TerraLoader loader and “More_eggs,” said Villadsen. In addition, FIN6 attacks have previously used tools (like PowerShells) to install “More_eggs”  as opposed to other cybercrime groups which have directly installed “More_eggs” via the initial infection.

“X-Force IRIS has observed ITG08 [FIN6] employ the same tactic whereby it used PowerShell and Windows Management Instrumentation (WMI) to download and execute TerraLoader, then install More_eggs on remote hosts,” said Villadsen. “X-Force IRIS has not observed any other actors who use More_eggs employ this tactic.”

Upon further investigation of the TerraLoader and “More_eggs” samples used in these attacks, researchers said they are “almost certain” they were purchased by FIN6 based on similarities with previous samples used in FIN6 attacks. For instance, the samples used in previous FIN6 campaigns and the samples distributed via the Anchor campaigns all had Command and Control (C2) domains created at the same time from the same email registration address. Also, two of the samples use the same RKey, which is used in part to encrypt communications with the C2.

The campaign utilizing the Anchor malware finally used similar tactics, techniques and procedures (TTPs) as previous FIN6 campaigns, such as its targeting of PoS systems, researchers said: “Further clues connect ITG08 to TrickBot and its operators’ other malware. Generally speaking, the tactics used to deploy More_eggs in victim environments, as well as other threat actor tactics, techniques and procedures (TTPs) used during these Anchor campaigns, are unusually consistent with those used by ITG08,” said Villadsen.

Cybercrime Groups Pair Up

More cyber criminals behind malware strains have been forming partnerships to help them fill in each other’s skill-set gaps. For instance, the operators behind TrickBot and IcedID started a collaboration in 2018 that eventually pulled TrickBot away from Necurs, said researchers. This partnership allowed the two operators to target banking victims and share the profit, by sending IcedID directly as spam via email, and then acting as a downloader for TrickBot. Researchers have also found evidence of a link between global crimeware organization Trickbot and North Korean APT group Lazarus, observing direct collaboration via the Anchor framework.

Researchers say, FIN6’s partnership with the TrickBot gang not only provides the cybercriminal group with new malware and potential access to enterprises infected with the TrickBot Trojan – it also reveals additional evidence of the group’s strategy to partner with other threat actors and malware developers.

“These varied relationships with elite cybercriminal actors and those who sell them tools, access and software allow ITG08 [FIN6] to continue to rely on its strengths in post-exploitation tactics, such as lateral movement, privilege escalation and data exfiltration, and outsource other attack vectors as needed,” said Villadsen.Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.

Suggested articles