TrickBot's new Linux malware covertly infects Windows devices - @LawrenceAbrams
bleepingcomputer.com/news/security/…
TrickBot has ported their Windows Anchor_DNS malware to a native Linux malware executable that can also be used to infect other Windows devices on the network.
TrickBot's Anchor platform is used for high-value/high-impact targets where ransomware may be deployed, or more APT-like attacks targeting point-of-sale and financial systems.
labs.sentinelone.com/the-deadly-pla…
hello.global.ntt/zh-cn/insights…
cybereason.com/blog/dropping-…
Recently @professor__plum discovered that TrickBot had ported their Anchor_DNS backdoor, which communicates with the C2 via DNS, to a Linux malware called Anchor_Linux. This malware is a backdoor dropper, but also includes a method to infect Windows devices on the network.
Embedded in the Linux malware exec is a Windows malware executable. Anchor_Linux will copy this executable to Windows devices using SMB and .
Anchor_Linux will then create a service and use it to start the copied malware on the Windows device. This is done using the Service Control Manager Remote protocol and the SMB SVCCTL named pipe.
This allows Linux devices to be used to covertly spread TrickBot throughout an organization's Windows devices. Organizations that use a mixed OS environment need to make sure that Linux devices and IoT devices running Linux are properly monitored.
For further analysis, you can also see the tweets by @VK_Intel @IntezerLabs
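A defender-side check for the lateral-movement step described in the thread (SVCCTL named-pipe access followed by a remote service install), added here as an example and not part of the thread or any vendor tooling: it correlates Windows Security event 5145 (IPC$ share access naming the svcctl pipe) with System event 7045 (new service installed) on the same host within a short window. The simplified key=value log format, hosts, IPs, users and service names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value line format; they are
# not real logs, and the hosts, IPs, users and service names are made up.
SAMPLE_LOG = """\
2020-07-28T10:01:02 EventID=5145 Host=WS01 ShareName=\\\\*\\IPC$ RelativeTargetName=svcctl IpAddress=10.0.0.77 SubjectUserName=svc_backup
2020-07-28T10:01:05 EventID=7045 Host=WS01 ServiceName=UpdaterSvc ImagePath=C:\\Windows\\Temp\\upd.exe AccountName=LocalSystem
2020-07-28T11:30:00 EventID=5145 Host=WS02 ShareName=\\\\*\\IPC$ RelativeTargetName=srvsvc IpAddress=10.0.0.5 SubjectUserName=jdoe
2020-07-28T12:00:00 EventID=7045 Host=WS03 ServiceName=AgentSvc ImagePath=C:\\PROGRA~1\\Agent\\agent.exe AccountName=LocalSystem
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_events(log_text):
    """Turn each line into a dict with a datetime 'ts' plus its key=value fields."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(KV.findall(rest))
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def detect_remote_service_install(log_text, window_s=120):
    """Return one alert per 7045 that is preceded, within window_s seconds on
    the same host, by a 5145 access to the svcctl pipe from a remote client."""
    events = parse_events(log_text)
    pipe_hits = [e for e in events
                 if e.get("EventID") == "5145"
                 and e.get("RelativeTargetName", "").lower() == "svcctl"]
    alerts = []
    for svc in (e for e in events if e.get("EventID") == "7045"):
        for hit in pipe_hits:
            delta = svc["ts"] - hit["ts"]
            if hit["Host"] == svc["Host"] and timedelta(0) <= delta <= timedelta(seconds=window_s):
                alerts.append({"host": svc["Host"], "service": svc["ServiceName"],
                               "image_path": svc["ImagePath"],
                               "source_ip": hit["IpAddress"], "user": hit["SubjectUserName"]})
                break  # one alert per service install is enough
    return alerts

if __name__ == "__main__":
    for a in detect_remote_service_install(SAMPLE_LOG):
        print(f"[ALERT] {a['host']}: service {a['service']} ({a['image_path']}) installed "
              f"right after svcctl pipe access from {a['source_ip']} as {a['user']}")
```

In a real deployment the source IP from the 5145 event is what lets you spot a Linux or IoT host that should never be installing services on Windows machines.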