North Korea’s infamous Lazarus Group has been using a new stealth module developed by the group behind TrickBot for covert data theft, according to new research.
The Anchor module is a framework of tools designed “for targeted data extraction from secure environments and long-term persistency,” according to SentinelOne.
It includes memory scrapers, POS malware, backdoor installers and submodules enabling lateral movement, among other capabilities.
“The Anchor project combines a collection of tools — from the initial installation tool to the cleanup meant to scrub the existence of malware on the victim machine. In other words, Anchor presents as an all-in-one attack framework designed to compromise enterprise environments using both custom and existing toolage,” the firm’s SentinelLabs team wrote.
“Logically, this tool will be a very tempting acquisition for high-profile, possibly nation-state groups. However, the Anchor is also used for large cyber heists and point-of-sale card theft operations leveraging its custom card scraping malware. Among the nation-state groups, only a few are interested in both data collection and financial gain, and one of them is Lazarus.”
The link between the two groups is the PowerRatankba PowerShell backdoor, which was previously attributed to Lazarus but is actually part of Anchor.
Lazarus isn’t the only customer of TrickBot’s Anchor module; it’s also being used in a “wave of targeted campaigns against financial, manufacturing and retail businesses” designed to steal card data from POS and other systems, according to Cybereason.
Those researchers pointed to a new Anchor_DNS variant which uses DNS tunneling to communicate covertly with C2 servers.
TrickBot is one of the most successful botnets ever built, used in a range of attacks, from banking trojans to ransomware and data theft. Threat intelligence firm Blueliv revealed last week that its detections of the botnet rose 283% across Q2-Q3 this year.