According to the experts, the Lazarus APT group was using Anchor, a new TrickBot derivative project developed by the TrickBot crime gang.
“Research by the SentinelLabs’ team led by Vitali Kremez shows that a new TrickBot derivative project called ‘Anchor’ allows TrickBot customers access to higher-level APT-type functionality, tools and methods. These include loading frameworks such as Metasploit, Cobalt Strike and PowerShell Empire for further
The researchers discovered that North Korean hackers are renting hacking tools and access to compromised networks from the TrickBot operators.
Anchor is a collection of tools combined together into a new attack framework that enables TrickBot customers to target higher-profile victims.
The group has been very active in bank fraud, ransomware and malware campaigns, and
“During our investigation of Anchor, we discovered the tool PowerRatankba that was previously linked to the purported North Korean group was, in fact, used in
Security experts at Cybereason published an analysis that corroborates SentinelOne’s attribution, but they did not observe the Lazarus Group using the Anchor framework.
“Similar to attacks previously reported by Cybereason, this campaign started with a TrickBot infection and progressed into a hacking operation targeting sensitive financial systems,” reads the report published by Cybereason.
“However, unlike previous operations that focused on causing a massive ransomware infection (Ryuk and LockerGoga) by compromising critical assets like the domain controller, this new operation is focused on targeting Point-of-Sale (PoS) systems. The campaign leverages a newly discovered malware family called Anchor exclusively for high-profile targets.”
The discovery is extremely important for the cybersecurity community: the integration of tools used by the Lazarus group into the Anchor platform represents a dangerous step in the evolution of cybercrime-as-a-service.
The integration of the APT approach into the model adopted by the TrickBot gang is alarming, and has “turned its enterprise into a holistic ecosystem of cybercrime, becoming an essentially new phenomenon.”
The availability of a shared infrastructure for multiple APT groups opens the door to new attack scenarios in which attribution is almost impossible and the efficiency of the attack is potentially devastating.
The Anchor platform is composed of different submodules that implement various features to conduct multiple operations such as spreading laterally through a target network, installing
“The Anchor is not simply a new addition to a long list of TrickBot modules and projects, it is a conclusion of many years of the cybercrime evolution, a point at which all puzzles assemble,” conclude the experts.
“The ability to seamlessly integrate the APT into a monetization business model is evidence of a quantum shift. By accomplishing this integration, TrickBot overtly demonstrates that they have achieved a qualitatively new level of a cybercrime enterprise, which was never seen before in magnitude and complexity superseding and dethroning the legacy of its previous inspiration and its playground known as ‘Business Club.’”
(SecurityAffairs – TrickBot Group, hacking)