Anchor
Associated Software Descriptions

| Name | Description |
|---|---|
| Anchor_DNS | (Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Anchor has used HTTP and HTTPS in C2 communications.(Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | Variants of Anchor can use DNS tunneling to communicate with C2.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Anchor has used cmd.exe to run its self-deletion routine.(Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Anchor can execute payloads via shell scripting.(Citation: Medium Anchor DNS July 2020) |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Anchor can establish persistence by creating a service.(Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1564.004 | Hide Artifacts: NTFS File Attributes | Anchor has used NTFS file attributes to hide files.(Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Anchor can self-delete its dropper after the malware is successfully deployed.(Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Anchor has come with a packed payload.(Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Anchor can support Windows execution via SMB shares.(Citation: Medium Anchor DNS July 2020) |
| Enterprise | T1053.003 | Scheduled Task/Job: Cron | Anchor can install itself as a cron job.(Citation: Medium Anchor DNS July 2020) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Anchor can create a scheduled task for persistence.(Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Anchor has been signed with valid certificates to evade detection by security tools.(Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1569.002 | System Services: Service Execution | Anchor can create and execute services to load its payload.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0102 | Wizard Spider | (Citation: Microsoft Ransomware as a Service) |
References

- Dahan, A. et al. (2019, December 11). Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware. Retrieved September 10, 2020.
- Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.
- Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.