Wednesday, October 28, 06:52

The TrickBot gang is now a supplier of North Korean hacker malware

A report released today reveals that hacking units backed by the North Korean government are renting access to already compromised networks, along with a new attack toolkit, from the operators of the TrickBot botnet.

The revelation confirms a trend seen in recent years, namely that the line between ordinary cybercrime and government espionage at the nation-state level is blurring. This trend first came to light in 2017, when a report revealed how the man behind the GameOver Zeus malware, Evgeniy Bogachev, helped Russian intelligence collect sensitive documents from the computers he had infected.

But Bogachev was not an isolated case. Just last week, the US charged the administrator of the Dridex botnet, accusing him of doing the same thing: working with Russia's state intelligence service to search infected machines for sensitive data.

These two cases show direct contact between the creators of widespread malware and a country's intelligence apparatus.

In fact, the lines have blurred at a much lower level as well. For years, state hacking teams have been adopting off-the-shelf criminal tooling. Instead of developing their own tools, government operators buy malware that is already for sale online.

This helps them disguise targeted operations as the work of a financially motivated criminal, which complicates attribution.

In a report released today by security firm SentinelOne, we learn of a new link between a state-backed hacking group (North Korea's Lazarus Group) and TrickBot.

According to the SentinelOne team, the Lazarus Group has recently become a client of the TrickBot gang, renting access to already infected systems together with a new attack framework that researchers call Anchor. SentinelOne describes Anchor as "a collection of tools" combined into a new malware strain. The Anchor malware is delivered to victims as a TrickBot module.

TrickBot is one of the top three malware botnets today, alongside Emotet and Dridex. It is a giant network of computers infected with the TrickBot trojan. But TrickBot is also a cybercrime-as-a-service business: the TrickBot gang rents access to TrickBot-infected computers to other criminal gangs.

These gangs range from ransomware operators to spammers, scammers and others. Tenants can use the TrickBot trojan to install their own malware, or one of the TrickBot modules on offer, depending on what they want to do on the infected hosts.

In reports released today by Cybereason and SentinelOne, the two companies say that Anchor is a new TrickBot module built for a specific market: hackers who want to remain undetected on the systems they have compromised.

Anchor is a tool for attacks on large companies, where the intruders have to remain undetected for weeks or months while they steal data, and want to avoid detection even long after the intrusion has ended.

SentinelOne describes Anchor as "an all-in-one attack framework designed to attack enterprise environments". It consists of several submodules that provide the capabilities needed for targeted attacks but are of no use to the rest of TrickBot's customers.

At first glance, Anchor looks like a tool the TrickBot team developed for groups interested in financial espionage or for operators of POS (point-of-sale) malware.

SentinelOne, however, says it has linked attacks by North Korea's Lazarus Group to TrickBot and the new Anchor attack framework.

In its report released today, SentinelOne says it found a case in which the Lazarus Group appears to have rented access to an infected system through the TrickBot botnet and then used the Anchor framework (the TrickBot module) to install PowerRatankba, a PowerShell-based backdoor, on the network of a compromised company.

SentinelOne has not determined what the Lazarus Group did on the hacked corporate network, but North Korean state hackers are known for financially motivated cyberattacks. The North Korean hackers, however, were not Anchor's only customers.

Cybereason did not see the Lazarus Group using Anchor, but it did observe "a new wave of targeted campaigns against financial, manufacturing and retail businesses that began in early October" in which Anchor was used.

"Unlike the previously mentioned TrickBot-related attacks that result in mass ransomware infection, this new wave of attacks focuses on stealing sensitive information from POS (point-of-sale) systems and other sensitive resources in the victims' networks," the Cybereason team said.

"These attacks further underline the risk of commodity malware infections, which is sometimes underestimated because of how common and high-volume they are," the researchers added.

"It is important to remember that once an endpoint is infected with malware, what happens next depends entirely on the attackers' decision whether to continue."

Teo Ehc