US healthcare providers have been warned that Trickbot malware and ransomware are targeting the sector. Trickbot emerged in 2016 as a banking trojan but evolved into a multi-purpose malware downloader, with infected systems sold on to other criminal groups as a service. Trickbot's developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.
The Anchor_DNS backdoor forces infected PCs to communicate with command-and-control servers over DNS to bypass network defense products and hide malicious communications among legitimate DNS traffic. Anchor_DNS uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string Anchor_DNS can be found in the DNS request traffic. CISA has now listed several indicators of compromise that security teams should look for. It notes that the Trickbot malware for Windows copies itself as an executable file with a randomly generated 12-character filename (the count includes .exe), for example mfjdieks.exe, and places this file in the directories C:\Windows\, C:\Windows\SysWOW64\, and C:\Users\[Username]\AppData\Roaming\.
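The two indicators described above, the XOR-encrypted Anchor_DNS string and the drop-path filename pattern, written as detection checks. This is an added example, not code from CISA or the original article; the hex label encoding, the "8 alphanumerics" filename rule, the allow-list and the sample query name are assumptions or constructed values.

```python
import re

MARKER = b"Anchor_DNS"  # plaintext string the page says appears after decryption
OBSERVED_KEY = 0xB9     # single-byte XOR key reported on the page

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def marker_keys(payload: bytes, keys=(OBSERVED_KEY,)) -> list:
    """Keys under which the XOR-encrypted marker occurs in payload.
    With a single-byte key, XOR(marker) can be searched for directly,
    so the payload never has to be decrypted or aligned."""
    return [k for k in keys if xor_bytes(MARKER, k) in payload]

def scan_qname(qname: str, keys=(OBSERVED_KEY,)) -> list:
    """Scan a DNS query name as raw bytes and, per label, as hex.
    Assumption: hex-encoded labels are one plausible transport encoding;
    the page does not say how the bytes are carried in the name."""
    views = [qname.encode("latin-1", "replace")]
    for label in qname.split("."):
        try:
            views.append(bytes.fromhex(label))
        except ValueError:
            pass  # label is not hex, skip it
    return sorted({k for v in views for k in marker_keys(v, keys)})

# Drop locations from the page; "8 alphanumerics + .exe" is an assumption
# derived from the page's 12-character example (mfjdieks.exe).
DROP_PATH = re.compile(
    r"^C:\\(?:Windows\\(?:SysWOW64\\)?|Users\\[^\\]+\\AppData\\Roaming\\)"
    r"([A-Za-z0-9]{8}\.exe)$", re.IGNORECASE)
KNOWN_GOOD = {"explorer.exe"}  # constructed allow-list; extend from your baseline

def suspicious_drop(path: str) -> bool:
    """True if path matches the drop pattern and is not an allow-listed name."""
    m = DROP_PATH.match(path)
    return bool(m) and m.group(1).lower() not in KNOWN_GOOD

if __name__ == "__main__":
    # Constructed sample: a string containing the marker, XORed and hex-encoded.
    sample = xor_bytes(b"/Anchor_DNS/host1/", OBSERVED_KEY).hex() + ".example.test"
    print(scan_qname(sample))                   # observed key only
    print(scan_qname(sample, keys=range(256)))  # sweep in case the key changes
    print(suspicious_drop(r"C:\Windows\SysWOW64\mfjdieks.exe"))
    print(suspicious_drop(r"C:\Windows\explorer.exe"))
```

The filename pattern is a triage signal rather than a verdict: legitimate binaries such as explorer.exe also have 12-character names, which is why the check takes an allow-list.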
https://www.zdnet.com/article/fbi-warning-trickbot-and-ransomware-attackers-plan-big-hit-on-us-hospitals/#ftag=RSSbaffb68