Thursday, January 21, 19:37
The TrickBot gang is now a supplier of North Korean hacker malware

A report released today reveals that hacking units backed by the North Korean government are leasing elite hacking tools and access to hacked networks from the operators of the TrickBot botnet.

The revelation confirms a trend observed in recent years: the lines between cybercrime and government espionage operations are blurring. This trend came to light in 2017, when a report revealed how the brains behind the GameOver Zeus malware helped Russian intelligence collect sensitive documents from the computers it infected.

But Bogachev was not an isolated case. Just last week, the US arrested the administrator of the Dridex malware botnet, accusing him of the same thing: cooperating with the Russian state intelligence service in the search for sensitive data.

These two cases show direct contact between the creators of popular malware and a country's intelligence services.


In fact, these lines have blurred at a much lower level as well. For years, we have seen state hacking teams adopt off-the-shelf malware. Instead of developing their own tools, government operators choose to buy malware that is already available for sale online.

This helps them disguise "targeted" operations as the work of financially motivated hackers.

A report released today by the cybersecurity firm SentinelOne reveals a new link between a state-backed hacking group (North Korea's Lazarus group) and TrickBot.

According to the SentinelOne team, the Lazarus group has recently become a customer of the TrickBot gang, from which it leases access to already infected systems, along with a new type of attack framework that researchers call Anchor. SentinelOne describes Anchor as "a collection of tools" combined with a new strain of malware. The Anchor malware is delivered as a TrickBot module.

TrickBot is one of the top three malware botnets today, along with Emotet and Dridex. It is a giant network of computers infected with the TrickBot trojan. However, TrickBot is also a Cybercrime-as-a-Service business: the TrickBot gang leases access to TrickBot-infected computers to other malware gangs.

These gangs range from ransomware operators to online spammers, scammers and more. Tenants can use the TrickBot trojan to install their own malware or one of the available TrickBot modules, depending on the functions they wish to perform on the infected hosts.

In reports released today by Cybereason and SentinelOne, the two companies say that Anchor is a new TrickBot module built for a specific market: hackers who want to remain undetected on the infected systems.

TrickBot is a tool used in attacks on large companies, where hackers need to remain undetected for weeks or months while stealing data, and even long after the intrusion is over.

SentinelOne describes Anchor as "an all-in-one attack framework designed to attack business environments." It consists of various components that provide the features needed for targeted attacks but are of no use to other TrickBot customers.

At first glance, Anchor looks like a tool that the TrickBot team developed for hacker groups interested in financial espionage or for operators of POS malware.

SentinelOne said it has linked attacks by North Korea's Lazarus group to TrickBot and the new Anchor attack framework.

In its report released today, SentinelOne stated that it has found a case where the Lazarus group appears to have leased access to an infected system via the TrickBot botnet and then used the Anchor attack framework (the TrickBot module) to install PowerRatankba, a PowerShell backdoor, on the network of a company that had been hacked.

SentinelOne has not worked out what the Lazarus group did on the hacked business network, but North Korean hackers are known for financially motivated cyberattacks. However, the North Korean hackers were not the only customers of Anchor.

Cybereason did not see the Lazarus group using Anchor, but instead saw "a new wave of targeted campaigns against the financial, construction and retail sectors launched in early October" in which Anchor was used.

"Unlike the previously reported Trickbot attacks that result in massive ransomware infection, this new wave of attacks focuses on stealing sensitive information from POS (Point of Sale) systems and other sensitive resources in the victims' networks," said the Cybereason team.

"These attacks further underscore the risk of commodity malware infections, which can sometimes be underestimated because of how common they are and their large volume," the researchers added.

"It is important to remember that once an endpoint is infected with malware, what happens next depends on the attackers' decision."
