The TrickBot Malware Gang Has Upgraded Its AnchorDNS Backdoor To AnchorMail.

According to IBM’s malware reverse engineer Charlotte Hammond, “AnchorMail uses an email-based [command-and-control] server with which it communicates using SMTP and IMAP protocols over TLS. With the exception of the revamped C2 communication mechanism, AnchorMail’s behaviour is very similar to that of its AnchorDNS forefather.”

Even as the TrickBot infrastructure was shut down, the malware’s operators continued to refine and retool their toolset in order to carry out attacks that resulted in the deployment of Conti ransomware.

The new version of the criminal gang’s AnchorDNS backdoor was dubbed AnchorMail by IBM Security X-Force, which discovered it.

ITG23, aka Wizard Spider, the cybercriminal group behind TrickBot, is also known for developing the Anchor malware framework, a backdoor reserved for targeting selected high-value individuals since at least 2018 via TrickBot and BazarBackdoor (aka BazarLoader), an additional implant engineered by the same group.

The group has also benefited from a symbiotic relationship with the Conti ransomware cartel over the years, with the latter using TrickBot and BazarLoader payloads to gain a foothold for deploying the file-encrypting malware.

In the midst of all of this, the AnchorDNS backdoor has received a makeover of its own. While the predecessor used DNS tunnelling to communicate with its C2 servers – a technique that involves abusing the DNS protocol to sneak malicious traffic past an organization’s defences – the newer C++-based version uses specially crafted email.

“AnchorMail sends data to the C2 using the encrypted SMTPS protocol, and IMAPS receives it,” the researchers said, adding that the malware establishes persistence by creating a scheduled task that is set to run every 10 minutes, followed by contacting the C2 server to fetch and execute any commands to be run.
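The combination described above, a scheduled task firing every 10 minutes and C2 traffic hidden inside mail-over-TLS sessions, leaves a cadence that network telemetry can surface. The following detection sketch is an added example, not IBM X-Force’s code or anything from the article; it assumes flow records of the shape `timestamp,src_ip,dst_ip,dst_port` and the standard implicit-TLS ports 465 (SMTPS) and 993 (IMAPS), which the article does not name, and the sample records are constructed.

```python
# Added example, not IBM X-Force's code: flag hosts that contact a mail server
# over implicit-TLS ports on a fixed cadence, the footprint a 10-minute scheduled
# task polling IMAPS/SMTPS C2 would leave in flow logs. Assumes ports 465/993
# (not named in the article) and "timestamp,src_ip,dst_ip,dst_port" records.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MAIL_TLS_PORTS = {465, 993}  # assumption: implicit-TLS SMTP and IMAP
# Constructed records: 10.0.0.7 polls every ~10 min, 10.0.0.9 at human pace.
SAMPLE_FLOWS = """\
2022-03-01T09:00:05,10.0.0.7,203.0.113.10,993
2022-03-01T09:10:06,10.0.0.7,203.0.113.10,993
2022-03-01T09:20:04,10.0.0.7,203.0.113.10,993
2022-03-01T09:30:05,10.0.0.7,203.0.113.10,993
2022-03-01T09:40:07,10.0.0.7,203.0.113.10,993
2022-03-01T09:02:11,10.0.0.9,203.0.113.10,993
2022-03-01T09:31:40,10.0.0.9,203.0.113.10,993
2022-03-01T10:15:02,10.0.0.9,203.0.113.10,993
2022-03-01T11:05:30,10.0.0.9,203.0.113.10,993
2022-03-01T09:05:00,10.0.0.7,198.51.100.5,443
"""

def parse_flows(text):
    """Yield (datetime, src, dst, port) for each well-formed CSV line."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue  # skip blank or malformed records
        ts, src, dst, port = parts
        yield datetime.fromisoformat(ts), src, dst, int(port)

def find_mail_beacons(text, expected_s=600, tolerance_s=30, min_hits=4):
    """Return {(src, dst, port): mean gap in seconds} for pairs whose
    connections to a mail-over-TLS port recur at a near-constant interval."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if port in MAIL_TLS_PORTS:
            by_pair[(src, dst, port)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A scheduled task yields tight, regular gaps; a person does not.
        if abs(mean(gaps) - expected_s) <= tolerance_s and pstdev(gaps) <= tolerance_s:
            beacons[pair] = mean(gaps)
    return beacons
```

Legitimate mail clients also poll on timers, so a hit is a lead to correlate with the host’s scheduled tasks and the destination’s reputation, not a verdict on its own.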

Finally, the researchers concluded: “The discovery of this new Anchor variant adds a new stealthy backdoor for use during ransomware attacks and demonstrates the group’s commitment to updating its malware. [AnchorMail] has only been observed targeting Windows systems. However, given that AnchorDNS has been ported to Linux, it appears likely that a Linux-specific version of AnchorMail will emerge as well.”

