The creators of TrickBot have updated their malware with new functionality that can target Linux devices through the command-and-control tools Anchor_DNS and Anchor_Linux.
While TrickBot started out as a banking Trojan, the malware has since evolved to spread on the web, steal credentials saved in browsers, steal cookies, and infect Linux and Windows devices.
TrickBot (Trojan.TrickBot) infiltrates networks to steal data and deploy ransomware such as Ryuk and Conti, which encrypts network devices as the final stage of the attack.
In addition to acting as a backdoor that can be used to run malware on Linux devices, the malware also contains the Windows TrickBot executable that can be used to infect Windows machines on the same network.
Once copied to a Windows device, Anchor_Linux is configured as a Windows service. After configuration, the malware runs on the Windows host and connects back to an attacker's C&C server, where it receives execution commands.
TrickBot for Linux can affect many IoT devices, including routers, VPN devices, and NAS devices running on Linux.
Linux users can find out if they have been infected by searching for a file /tmp/anchor.log on their systems.
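The check described above can be scripted so that it covers both a live system and mounted disk or firmware images from routers and NAS devices. This is an added example, not code from the original article; the function names and the root-directory argument are assumptions made for illustration, and the only indicator it looks for is the /tmp/anchor.log path the article names.

```shell
#!/bin/sh
# Added example: look for the indicator named in the article, /tmp/anchor.log,
# under one or more filesystem roots (the live system or mounted images).

IOC_REL="tmp/anchor.log"   # path from the article, relative to a root

# check_anchor_log ROOT
# Prints evidence details and returns 0 if the file exists under ROOT,
# returns 1 if it does not. ROOT defaults to / (the running system).
check_anchor_log() {
    root=${1:-/}
    path="${root%/}/$IOC_REL"
    # -L also catches a dangling symlink, which -e alone would miss.
    if [ -e "$path" ] || [ -L "$path" ]; then
        echo "FOUND: $path"
        # Record owner, size and timestamp before anything touches the file.
        ls -ld "$path"
        # Hash regular files when a tool is available (often absent on embedded devices).
        if [ -f "$path" ] && command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$path"
        fi
        return 0
    fi
    return 1
}

# scan_roots ROOT...
# Checks every root and returns 0 if any of them contains the indicator.
scan_roots() {
    found=1
    for r in "$@"; do
        if check_anchor_log "$r"; then
            found=0
        else
            echo "not found under: $r"
        fi
    done
    return "$found"
}

# Run directly with one or more roots, e.g.: sh check_anchor.sh / /mnt/nas-image
if [ "$#" -gt 0 ]; then
    scan_roots "$@"
fi
```

The absence of the file shows only that this one indicator is not present under the roots that were checked.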