AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot

November 12, 2021 | 6 min read

BlueVoyant

BlueVoyant has discovered and observed new evolutions in the TTPs (tactics, techniques, and procedures) of TrickBot malware, in particular regarding its AnchorDNS variant. These observations have shown that:

1. Following its takedown in October 2020, AnchorDNS was up and operational sooner than previously thought - after only one month.

2. In its new incarnation, AnchorDNS is using the campaign moniker /stickseed/.

In October 2020, Microsoft announced the takedown of TrickBot. TrickBot is a particularly nasty and prominent malware, the subject of multiple U.S. government advisories and noted for its attacks on targets such as schools and especially hospitals. Despite the full force of the FBI, Microsoft, and FS-ISAC, AnchorDNS - a core TrickBot variant - rebounded rapidly.

Cybersecurity researchers first noticed AnchorDNS with new infrastructure and signaling again in March 2021, only four months later.

New BlueVoyant research can now confirm that AnchorDNS was in fact already set up and being tested sooner, indeed almost immediately following the global takedown. Using our insight into AnchorDNS TTPs, BlueVoyant tracked the evolution of AnchorDNS, observing the malware prior to the October 2020 takedown and then identifying and carefully watching new C2 domains as they sprang up. In addition, we used custom, in-house developed analytics and relied on our unparalleled insight into global internet traffic. BlueVoyant has followed the malware as it migrated from AnchorDNS to a new moniker, /stickseed/. We have watched as the DNS C2 has also evolved with a more complex channel encoding scheme and, of course, new C2 domains.

Through our third-party risk monitoring and threat intelligence services, this insight allows BlueVoyant to see companies affected by TrickBot before they know themselves, and to help prevent or remediate infection.

The Background

AnchorDNS was first observed in August 2018 and was likely active before that. It is typically used by TrickBot actors when targeting high-profile or high-value victims. Once TrickBot - or sometimes Bazar - malware has infected a victim system, AnchorDNS is deployed and uses DNS tunneling to exfiltrate data and communicate with C2 servers. DNS tunneling is a "low and slow" form of communication: because DNS almost always has to be allowed through border protection devices, an attacker can encode commands and stolen data in DNS queries and responses and thereby command and control malware inside an otherwise protected enclave.

In October 2020, Microsoft led a coordinated technical and legal takedown of TrickBot infrastructure. Partnering with U.S. law enforcement, multiple ISPs, multiple information security companies, and the FS-ISAC, among others, Microsoft wiped out almost all of TrickBot's global C2 infrastructure. The effect was instantaneous, decisive, and short-lived. Four months later, despite the combined forces of law enforcement and global ISPs and in the face of successive court injunctions, reporting from The DFIR Report (a digital forensics and incident response blog) confirmed the discovery of newly constituted and active AnchorDNS infrastructure.

Further changes to AnchorDNS infrastructure and TTPs were reported by July 2021. These included changes to the C2 communication protocols and the discovery of a new component, "AnchorAdjuster." It is clear that AnchorDNS was not only active again but also evolving rapidly since the 2020 takedown in order to stay ahead of detection.

AnchorDNS Returns

BlueVoyant developed an analytic to detect AnchorDNS C2 protocols. This analytic allowed researchers to detect AnchorDNS behavior and use that behavior to narrow in on IOCs, specifically C2 domains and their associated nameservers.

The DFIR Report noted two DNS C2 domains, xyskencevli[.]com and sluaknhbsoe[.]com; three more, kalarada[.]com, farfaris[.]com, and omelezatava[.]com, were published on Twitter. BlueVoyant has identified six additional C2 domains, set out below. Not surprisingly, the registrations are redacted, and some are clustered in time.

Because the authoritative name servers for these domains speak the specific encoding and protocol associated with stickseed's command and control, DNS communications with these domains can be considered indicators of compromise.

Domain             Registrar (registration details redacted)    Registered (UTC)
limeal[.]com       Namecheap                                    2020-11-13 09:35:51
muncuc[.]com       Hosting Concepts B.V. d/b/a Openprovider     2020-09-16 11:42:38
tuxomibo[.]com     Hosting Concepts B.V. d/b/a Openprovider     2020-10-21 08:34:59
boxxibox[.]com     Hosting Concepts B.V. d/b/a Registrar.eu     2021-01-26 10:23:06
nyhgloksa[.]com    Hosting Concepts B.V. d/b/a Registrar.eu     2020-12-24 05:15:56
jetbiokleas[.]com  Hosting Concepts B.V. d/b/a Registrar.eu     2020-12-24 05:15:39

Observations of these domains show that AnchorDNS infrastructure was up and testing - if not actively targeting victim networks - as soon as November 11, 2020, only one month after the global takedown. This means that while the global takedown successfully burned existing AnchorDNS infrastructure, the organization behind the malware was able to adapt quickly and field new infrastructure.

Hackelia Virginiana

Once BlueVoyant had confirmed the C2 protocols and used that analytic to confirm new infrastructure, we watched AnchorDNS continue to evolve throughout late 2020 and 2021. This led the team to discover a new AnchorDNS infrastructure: one that used the string /stickseed/ instead of /anchor_dns/.

Stickseed is a burr-producing plant: its prickly seeds cling to fur or clothing and spread quickly, and the plant propagates rapidly. For that reason, stickseed is a major pest.

Using our knowledge of AnchorDNS-now-Stickseed, our Third-Party Cyber Risk Management Services were able to identify a Stickseed attack in the supply chain of one of our client businesses, a major manufacturing company. The infection was effectively blocked, but the experience prompted a further question. Are there public examples of successful TrickBot or AnchorDNS infections that we could trace to the new stickseed infrastructure?

Without disclosing names, BlueVoyant retroactively looked at a large public-sector institution, which had publicly announced a ransomware attack linked to TrickBot. BlueVoyant tracks and blacklists a variety of threats like Stickseed/AnchorDNS in support of its global security offerings for Third-Party Risk and Managed Security Services. Thanks to this data, we were able to monitor the victim organization for communication with those blacklisted assets - including the new Stickseed domains.

Day 0 in the graph corresponds to the victim's first public statement that its systems had been hacked. BlueVoyant's blacklist interaction scoring mechanisms (the yellow line that plummets to zero) had identified ransomware beacons 13 days earlier. This suggests the victim could have detected the intrusion sooner and mitigated the infection with improved threat awareness and internal monitoring using identification techniques akin to BlueVoyant's services.

Amusingly, the graph also suggests that inbound malicious activity reduced once the infection was successful. No point in continuing to try to pick the unlocked door.

Conclusion

A core capability for effective cybersecurity is staying ahead of threat actors as they adapt. The AnchorDNS actors proved remarkably resilient and adaptable: the combined forces of U.S. law enforcement; multinational ISPs; ISACs; and court injunctions were not enough to disrupt the malware for more than a month. This shows just how organized, well-resourced, and persistent threat actors are. If they lose infrastructure, they can rebuild it; when they rebuild it, they can make sure their TTPs constantly evolve to stay one step ahead of their pursuers.

Nevertheless, BlueVoyant's active tracking and analysis of the malware's infrastructure and TTPs show that effective cybersecurity can prevent and contain even the most persistent threat actors. Through a combination of manual analysis - decoding C2 protocols, then generating new, purpose-built analytics - and automated detection, BlueVoyant is able to continuously monitor and stay ahead of the near-constant evolution of advanced threat actors.

See how BlueVoyant can help or contact us for more information.