Anchor is a family of malicious applications used against high-profile targets. The earliest observed sample dates from August 2018 and the most recent from November 2019. Researchers report that the attackers behind the latest campaign in which these applications were observed focused on PoS (Point of Sale) systems. It is also important to note that the infection is linked to another threat called TrickBot. In this article we explain how the two infections are connected, how they work, and how they might be spread. Users who not only wish to learn more about the malware but also want to find out how to remove Anchor are advised to read the article and then check the deletion instructions available below it. Of course, eliminating such a threat manually might be difficult and, as we explain further in the text, we cannot guarantee that the deletion steps we provide will work in every case. Therefore, it might be best to employ a reliable security tool.
Researchers say that TrickBot's victims receive an email with a link to a file hosted on Google Docs. It might be called "Annual Bonus Report.doc" or something similar. Opening the link downloads the TrickBot downloader, which pretends to be a Microsoft Word document. To confuse the victim, the file displays a prompt asking them to update Microsoft Word in order to view the document. In reality, the file is not a document at all: opening it starts the download of the malware and its injection into the svchost.exe process. Once on a system, TrickBot can establish an Internet connection, record sensitive information, and send it to its creators' server. It is also important to mention that the malware can drop further threats onto the system. This is how it is connected to Anchor, which it can download as a secondary payload.
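The lure described above works because the downloaded file carries a document name while its contents are a Windows executable. A simple, offline check a practitioner can run on any downloaded attachment is to compare the file's leading bytes (its "magic number") with the container format its extension claims. The following is an added example, not code from the original article or from any TrickBot analysis; the signature table covers common formats only, and the sample byte strings in the test are constructed, not taken from a real sample.

```python
"""Flag downloaded files whose contents do not match the document type their
name claims (e.g. a PE executable named "Report.doc").

Added example; the byte strings used to exercise it are constructed."""
import os
from typing import Tuple

# Leading bytes of common container formats. Order matters: the PE check
# runs first so that an executable is reported regardless of extension.
MAGIC = [
    ("pe", b"MZ"),                                   # Windows EXE/DLL
    ("ole2", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),   # legacy .doc/.xls (OLE compound file)
    ("zip", b"PK\x03\x04"),                          # .docx/.xlsx are ZIP containers
    ("pdf", b"%PDF-"),
]

# Container each document extension is allowed to use.
EXPECTED = {
    ".doc": {"ole2"},
    ".xls": {"ole2"},
    ".docx": {"zip"},
    ".xlsx": {"zip"},
    ".pdf": {"pdf"},
}


def identify(data: bytes) -> str:
    """Return the container kind detected from the first bytes, or 'unknown'."""
    for kind, sig in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def check_file(name: str, data: bytes) -> Tuple[str, str]:
    """Return (verdict, detected_kind).

    Verdicts: 'executable' (PE content, whatever the name claims),
    'mismatch' (document extension but a different container),
    'ok' (extension and container agree), 'unsupported' (extension not in table).
    Only the final extension is considered, so "Report.doc.exe" is judged by
    its content, which is the behaviour we want for double-extension lures."""
    ext = os.path.splitext(name)[1].lower()
    kind = identify(data)
    if kind == "pe":
        return "executable", kind
    if ext not in EXPECTED:
        return "unsupported", kind
    if kind in EXPECTED[ext]:
        return "ok", kind
    return "mismatch", kind


def check_path(path: str) -> Tuple[str, str]:
    """Convenience wrapper: read the first 16 bytes of a file on disk."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return check_file(os.path.basename(path), head)


if __name__ == "__main__":
    # Constructed stand-in for the lure: an EXE header under a document name.
    print(check_file("Annual Bonus Report.doc", b"MZ\x90\x00" + b"\x00" * 60))
```

A real ".doc" produced by Word starts with the OLE2 signature, and a ".docx" starts with the ZIP signature; anything that begins with "MZ" is a program, no matter what icon or name it carries. This check does not replace an antimalware scan, but it catches the specific trick the article describes before the file is ever opened.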
Anchor's capabilities depend on the variant. Three versions are known, called Anchor, Old Anchor_DNS, and New Anchor_DNS. The first two include a self-destruct routine. Attackers usually build in such a function to cover their tracks; for example, the threat can delete itself as soon as it has gathered and delivered the information they need. The Anchor_DNS versions are backdoors that use the DNS protocol to communicate with the attackers' server. According to specialists, the threat is still under development, which means the criminals are still working on its code and further versions may appear. What is currently known is that, after connecting to the server, the backdoor can transfer data, receive commands, and download additional payloads. The fact that it can evade detection makes it even more dangerous.
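Because Anchor_DNS carries its command channel over DNS, the traffic most likely to reveal it on a network is the resolver log rather than a firewall log: encoded data has to be packed into query names, which makes them long, high-entropy and rarely repeated. The block below is an added example of that kind of heuristic, not code from the original article and not a parser for Anchor_DNS's actual message format, which the article does not describe. The resolver log lines, the `c2-example.net` domain and the thresholds are all constructed assumptions chosen to exercise the detector.

```python
"""Heuristic detector for DNS-tunnelled command-and-control traffic, run over
constructed resolver log lines (format: timestamp client qname qtype).

Added example. It does not implement any real malware's DNS encoding; it
flags registered domains whose subdomain labels look like encoded data."""
import math
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log. The c2-example.net queries are an assumption used
# only to exercise the detector; the hex labels stand in for encoded data.
SAMPLE_LOG = """\
2019-11-20T10:00:01 10.0.0.5 www.example.com A
2019-11-20T10:00:02 10.0.0.5 3a9f1c7e2b4d8e0f6a1b2c3d4e5f6071.c2-example.net TXT
2019-11-20T10:00:03 10.0.0.5 7b2e0d9c4f1a6e3b8d5c2a9f0e4b1c7d.c2-example.net TXT
2019-11-20T10:00:04 10.0.0.5 mail.example.com MX
2019-11-20T10:00:05 10.0.0.5 e4c1a8f3b6d2079e5a3c1b8f7d4e2a60.c2-example.net TXT
2019-11-20T10:00:06 10.0.0.5 cdn.example.org A
2019-11-20T10:00:07 10.0.0.5 9d0b3f6a2c8e1754b3a9e6f2c1d0b8a7.c2-example.net TXT
2019-11-20T10:00:08 10.0.0.5 update.example.com A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex-encoded data scores close to 4."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    """Assumption: the last two labels are the registrable domain.
    A production detector would consult the public suffix list instead."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def parse_log(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group (subdomain, qtype) pairs by registered domain."""
    per_domain: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, _client, qname, qtype = m.groups()
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        per_domain[dom].append((sub, qtype))
    return per_domain


def score_domains(log_text: str, min_queries: int = 3, min_label_len: int = 20,
                  min_entropy: float = 3.0, min_unique_ratio: float = 0.8) -> Dict[str, dict]:
    """Return the domains whose subdomains look like a data channel.

    A domain is flagged only when all three hold: its longest leftmost label is
    unusually long, the average entropy of its subdomains is high, and almost
    every query name is unique (a beacon re-encodes data on every call, while
    ordinary hosts repeat the same few names)."""
    flagged: Dict[str, dict] = {}
    for dom, entries in parse_log(log_text).items():
        subs = [s for s, _ in entries if s]
        if len(subs) < min_queries:
            continue
        longest = max(len(s.split(".")[0]) for s in subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        unique_ratio = len(set(subs)) / len(subs)
        if longest >= min_label_len and avg_entropy >= min_entropy and unique_ratio >= min_unique_ratio:
            flagged[dom] = {
                "queries": len(subs),
                "longest_label": longest,
                "avg_entropy": round(avg_entropy, 2),
                "unique_ratio": round(unique_ratio, 2),
                "txt_share": round(sum(1 for _, t in entries if t == "TXT") / len(entries), 2),
            }
    return flagged


if __name__ == "__main__":
    for dom, stats in score_domains(SAMPLE_LOG).items():
        print(dom, stats)
```

On the constructed log, `example.com` has three queries but short, ordinary labels and is not flagged; `c2-example.net` has four queries with 32-character hex labels, about 3.9 bits of entropy per character, and no repeats, and is. The thresholds are starting points, not tuned values: CDNs and some legitimate services also use long generated labels, so an alert from this heuristic is a lead for the analyst, not a verdict.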
Since the malicious applications have been used to attack PoS systems, researchers suspect that the FIN6 group could be behind this campaign. This group has been linked to earlier TrickBot attacks. It is also known to be financially motivated, so an attack on PoS systems from it would not be a surprise. Needless to say, financial institutions and companies that provide or use PoS systems should be aware of these cybercriminals and their tools. There are a few things we can recommend for companies that might be targeted with Anchor, TrickBot, or similar threats: find and eliminate the weaknesses their systems might have, educate employees so that they do not fall for suspicious links sent via email or similar tricks, and use reputable antimalware tools that strengthen their computers' protection.
As for erasing Anchor, instructions showing how it might be removed are displayed below. Keep in mind that they might not work for everyone, since there could be many different versions of the malware. Thus, we highly recommend deleting Anchor with a reputable antimalware tool or leaving the task to capable cybersecurity specialists who can take care of the infection for you. If there is anything else you wish to ask about this backdoor threat, we invite you to leave a comment at the end of this page.
Restart the computer in Safe Mode
Windows 8/Windows 10
Windows XP/Windows Vista/Windows 7