By BlueVoyant Strategic Intelligence team
BlueVoyant has discovered and observed new evolutions in the TTPs (tactics, techniques, and procedures) of TrickBot malware, in particular regarding its AnchorDNS variant. These observations have shown that:
1. Following its takedown in October 2020, AnchorDNS was up and operational sooner than previously thought – after only one month.
2. In its new incarnation, AnchorDNS is using the campaign moniker /stickseed/.
In October 2020, Microsoft announced the takedown of TrickBot. TrickBot is a particularly nasty and prominent malware, the subject of multiple U.S. government advisories and noted for its attacks on targets such as schools and especially hospitals. Despite the full force of the FBI, Microsoft, and FS-ISAC, AnchorDNS – a core TrickBot variant – rebounded rapidly.
Cybersecurity researchers first noticed AnchorDNS with new infrastructure and signaling again in March 2021, only four months later.
New BlueVoyant research can now confirm that AnchorDNS was in fact already set up and being tested sooner, indeed almost immediately following the global takedown. Using our insight into AnchorDNS TTPs, BlueVoyant tracked the evolution of AnchorDNS, observing the malware prior to the October 2020 takedown and then identifying and carefully watching new C2 domains as they sprang up. In addition, we used custom, in-house developed analytics and relied on our unparalleled insight into global internet traffic. BlueVoyant has followed the malware as it migrated from AnchorDNS to a new moniker, /stickseed/. We have watched as the DNS C2 has also evolved with a more complex channel encoding scheme and, of course, new C2 domains.
Through its third-party risk monitoring and threat intelligence services, this visibility allows BlueVoyant to see companies affected by TrickBot before they know it themselves – and to help prevent or remediate infection.
AnchorDNS was first observed in August 2018, and was likely active prior. AnchorDNS is typically used by Trickbot actors when targeting high-profile or high-value victims. Once Trickbot – or sometimes Bazar – malware has infected a victim system, AnchorDNS uses DNS tunneling to exfiltrate data and communicate with C2 servers. DNS tunneling is a “low and slow” form of communication that takes advantage of the fact that DNS must be allowed through border protection devices, using it to command and control malware inside a protected enclave.
In October 2020, Microsoft led a coordinated technical and legal takedown of TrickBot infrastructure. Partnering with U.S. law enforcement, multiple ISPs, multiple information security companies, and the FS-ISAC, among others, Microsoft wiped out almost all of TrickBot’s global C2 infrastructure. The effect was instantaneous, decisive, and short-lived. Four months later, despite the combined forces of law enforcement and global ISPs and in the face of successive court injunctions, reporting from Digital Forensic and Incident Response (DFIR) confirmed the discovery of newly-constituted and active AnchorDNS infrastructure.
More changes to AnchorDNS infrastructure and TTPs were reported again as early as July 2021. These included changes to the C2 communication protocols and the discovery of a new component, “AnchorAdjuster.” It is clear that AnchorDNS was not only active again but had continued a process of rapid evolution since the 2020 takedown in order to stay ahead of detection.
BlueVoyant developed an analytic to detect AnchorDNS C2 protocols. This analytic allowed researchers to detect AnchorDNS behavior and use that behavior to narrow in on IOCs, specifically C2 domains and associated nameservers.
DFIR noted two DNS C2 domains, xyskencevli[.]com and sluaknhbsoe[.]com, and three more, kalarada[.]com, farfaris[.]com, and omelezatava[.]com, were published on Twitter. BlueVoyant has identified six additional C2 domains, as set forth below. Not surprisingly, the registrations are redacted and are sometimes clustered in time.
Because the name servers for these domains communicate using a specific encoding and protocol associated with stickseed’s command and control, DNS communications with these domains can be considered indicators of compromise.
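As an added illustration of the detection idea described here (example code written for this page, not BlueVoyant's analytic), the following Python scans constructed resolver log lines for queries to the C2 domains named in this post and for the long, high-entropy subdomain labels typical of DNS tunneling. The log format, the thresholds and the sample lines are assumptions made for the example.

```python
import math
import re
from collections import Counter

# C2 domains named in the post (defanged there with [.]; refanged here for matching).
STICKSEED_C2_DOMAINS = {"xyskencevli.com", "sluaknhbsoe.com", "kalarada.com",
                        "farfaris.com", "omelezatava.com"}

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded tunnel payloads score well above normal hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname: str) -> str:
    """Last two labels of the query name (enough for the .com IOCs here; not a PSL lookup)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def classify_query(qname: str) -> list[str]:
    """Reasons a single DNS query looks like tunneling C2 (empty list = nothing suspicious)."""
    reasons = []
    base = registered_domain(qname)
    sub = qname.rstrip(".").lower().removesuffix(base).rstrip(".")
    if base in STICKSEED_C2_DOMAINS:
        reasons.append("known-c2-domain")        # IOC match alone is enough to flag
    if len(sub) >= 40:
        reasons.append("long-subdomain")         # assumed threshold for tunnel-sized labels
    if sub and shannon_entropy(sub.replace(".", "")) >= 3.5:
        reasons.append("high-entropy-label")     # assumed threshold for encoded payloads
    return reasons

def scan_dns_log(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged query name to its reasons; lines that do not parse are skipped."""
    hits = {}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and (reasons := classify_query(m["qname"])):
            hits[m["qname"]] = reasons
    return hits

# Constructed sample resolver log (format assumed for this example, not a real capture).
SAMPLE_LOG = [
    "2021-07-12T10:01:02Z 10.0.0.5 query: www.example.com IN A",
    "2021-07-12T10:01:03Z 10.0.0.5 query: 4f3a9c1e7b2d0a6f5e8c1b9d7a3e2f60c4b1d8a9.xyskencevli.com IN TXT",
    "2021-07-12T10:01:04Z 10.0.0.7 query: mail.example.org IN MX",
    "2021-07-12T10:01:05Z 10.0.0.9 query: ns1.kalarada.com IN A",
    "2021-07-12T10:01:06Z 10.0.0.9 query: a1b2c3d4e5f60718293a4b5c6d7e8f9001a2b3c4.example.net IN A",
]
```

Calling `scan_dns_log(SAMPLE_LOG)` flags the two IOC-domain queries and the unknown-domain query with a tunnel-like label, while the ordinary web and mail lookups pass.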