Newly found evidence suggests that two infamous cybercrime groups, FIN6 and the operators behind banking trojan TrickBot, have teamed up to target several organizations with TrickBot’s malware framework called “Anchor.”
The Anchor malware framework has been making the rounds since at least 2018. It appears to be tightly connected to TrickBot and was likely created by the same malware authors who work on TrickBot, said researchers with IBM X-Force in their new report. Anchor is “an all-in-one attack framework” containing various submodules designed to help attackers move laterally across a network (for example, the ability to install backdoors).
Active since at least 2015, the FIN6 group (also known as “ITG08”) primarily targets point-of-sale (POS) machines in brick-and-mortar retailers and companies in the hospitality sector across the U.S. and Europe. TrickBot, meanwhile, started out as a banking trojan but has evolved over the years into multipurpose malware.
Over the past six months, the researchers have spotted a wave of cyberattacks using the Anchor framework and another TrickBot tool, PowerTrick (a PowerShell-based backdoor), aimed at enterprise networks, including POS systems, following initial infection by the TrickBot trojan.
The clues pointing to FIN6’s involvement are the loader and backdoor used in the attacks, namely the TerraLoader loader and a backdoor known as “More_eggs,” both of which have previously been observed in FIN6 attacks.
“Further clues connect ITG08 to TrickBot and its operators’ other malware. Generally speaking, the tactics used to deploy More_eggs in victim environments, as well as other threat actor tactics, techniques and procedures (TTPs) used during these Anchor campaigns, are unusually consistent with those used by ITG08,” the report reads.
“On a final note, X-Force IRIS is unaware of other threat actors deploying the combination of TerraLoader, More_eggs and Metasploit shellcode loaders in the manner described above. This activity, combined with the additional TTPs attributed to ITG08, such as the use of Metasploit, Cobalt Strike and AdFind while targeting POS systems, leads us to conclude with confidence that ITG08 is one of the threat actors using TrickBot’s PowerTrick and the Anchor malware framework.”