lazarusholic

DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE

2019-12-11, Cybereason
https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
#TrickBot

Contents

Introduction
Research By: Assaf Dahan, Lior Rochberger, Eli Salem, Mary Zhao, Niv Yona, Omer Yampel and Matt Hart
Cybereason Nocturnus is monitoring a new wave of targeted campaigns against financial, manufacturing and retail businesses that began in early October. Similar to attacks previously reported by Cybereason, this campaign started with a TrickBot infection and progressed into a hacking operation targeting sensitive financial systems.
However, unlike previous operations that focused on causing a massive ransomware infection (Ryuk and LockerGoga) by compromising critical assets like the domain controller, this new operation is focused on targeting point of sale (PoS) systems. The campaign leverages a newly discovered malware family called Anchor exclusively for high-profile targets.
This research focuses on the following aspects of the TrickBot-Anchor attack:
- Anatomy of the Attack: A step-by-step anatomy of the attacks, including infection vectors and a dissection of the tools and techniques used by the …

IoC
