A report published today reveals that North Korea’s government-backed hacking units are renting access to elite hacking tools and access to hacked networks from the operators of the TrickBot botnet.
The revelation comes to confirm a trend observed in recent years — namely that the lines between regular cybercrime and nation-state cyber-espionage operations are blurring.
This trend came to light in 2017 when a report revealed how the mastermind behind the GameOver Zeus malware botnet had been helping Russian intelligence gather sensitive documents from the computers he was infecting.
But Bogatchev wasn’t an isolated case. Just last week, the US charged the administrator of the Dridex malware botnet, accusing him of the same thing — of collaborating with Russia’s state intelligence in their search for sensitive data.
These two cases show a direct contact between the creators of popular malware and a country’s intelligence apparatus.
In reality, these lines have been blurring at a much lower level. For years, we’ve seen nation-state hacking groups slowly adopt commodity malware. Instead of developing their own tools, state-sponsored operators choose to buy malware that’s already available for sale online.
This helps them hide “targeted” operations in a large stream of mundane infections, perpetrated by financially-motivated hackers.
In a report published today by cyber-security firm SentinelOne, we learn of a new connection between a state-sponsored hacking group (North Korea’s Lazarus Group) and a mundane malware operation (TrickBot).
According to the SentinelOne team, the Lazarus Group has recently become a customer of the TrickBot gang, from whom they rent access to already infected systems, along with a new type of attack framework that researchers are calling Anchor.
The TrickBot cybercrime empire
SentinelOne describes Anchor as “a collection of tools” combined together into a new malware strain.
The Anchor malware strain is provided as a TrickBot module.
TrickBot is one of today’s top three malware botnets, together with Emotet and Dridex. It is a gigantic network of computers that have been infected with the TrickBot trojan.
However, TrickBot is also a Cybercrime-as-a-Service operation. The TrickBot gang rents access to TrickBot-infected computers to other malware gangs.
These gangs vary from ransomware operators to online spammers, fraudsters, and more. Renters can use the TrickBot trojan to install their own malware or one of the available TrickBot modules, depending on what operations they want to carry out on infected hosts.
Meet Anchor, TrickBot’s most advanced module
In reports published today by both Cybereason and SentinelOne, the two companies say that Anchor is a new TrickBot module that was built for a specific market niche, namely for hackers looking to remain silent and undetected on the systems they infect.
Anchor is TrickBot’s attempt at creating a module around stealth features first. It’s a tool to be used in attacks targeted at large corporations, where the hackers need to remain undetected for weeks or months — while they steal data –, and even long after the intrusion ended.
SentinelOne described Anchor as “an all-in-one attack framework designed to attack enterprise environments.”
It consists of different submodules that provide the various features needed in targeted attacks, but which have no usefulness for TrickBot’s other customers.
This includes Anchor submodules to spread laterally through a network, the ability to install backdoors for future access, features to target Point-of-Sale (POS) systems and scrape RAM memory for card data, and the ability to clean systems after an infection to hide an intruder’s tracks.
At a first glance, Anchor looks like a tool the TrickBot gang developed for hacker groups interested in economic espionage or for the operators of POS malware strains.
It is very unlikely that the TrickBot gang developed the stealthy TrickBot Anchor module for nation-state hacking groups; however, it did found a client in their ranks.
SentinelOne said it linked attacks carried out by North Korea’s Lazarus Group to TrickBot and its new Anchor attack framework.
In its report published today, SentinelOne said they found a case where Lazarus Group appears to have rented access to an infected system through the TrickBot botnet and then used the Anchor attack framework (TrickBot module) to install PowerRatankba, a PowerShell backdoor, on the network of a hacked company.
SentinelOne didn’t elaborate what Lazarus Group was doing on the network of the hacked company, but North Korean hackers are known to dabble in both cyber-espionage and financially-motivated attacks.
Earlier this year, the US Treasury imposed sanctions on entities associated with three North Korean hacking groups that have been caught stealing money from banks and cryptocurrency exchanges to finance the country’s weapons program.
Nonetheless, North Korean hackers weren’t Anchor’s only customers.
Cybereason didn’t see the Lazarus Group using Anchor, but, instead, they saw “a new wave of targeted campaigns against financial, manufacturing and retail businesses that began in early October” where Anchor had been used.
“Unlike previously reported Trickbot-related attacks resulting in mass ransomware infection, this new wave of attacks focuses on stealing sensitive information from POS (Point-of-Sale) systems and other sensitive resources in the victims’ networks, by compromising critical assets in the network,” the Cybereason team said.
“These attacks further stress the danger that lies within commodity malware infections that can sometimes be underestimated, due to their commonality and high volume,” researchers added.
“It is important to remember that once an endpoint is infected with a certain malware, it is up to the attackers’ decision how to carry on.”