Anchor

Anchor is a family of malicious applications used for high-profile targets. The earliest observed sample was found in August 2018, while the most recent one was discovered in November 2019. Researchers say that hackers behind the latest campaign, in which such malicious applications were noticed, focused on attacking PoS (Point of Sale) systems. Also, it is vital to mention that the infection is linked to another threat called TrickBot. Further, in this text, we explain how these two infections are linked, how they work, and how they might be spread. For users who not only wish to learn more about the malware but also find out how to remove Anchor, we advise both reading our article and checking the deletion instructions available below it. Of course, eliminating such a threat manually might be a difficult task, and, as we will explain further in the text, we cannot guarantee that our provided deletion steps will work. Therefore, it might be best to employ a reliable security tool.

Researchers say that TrickBot’s victims receive an email with a link leading to a file uploaded on Google Docs. It might be called “Annual Bonus Report.doc” or similarly. Trying to open this malicious document should download the TrickBot downloader, which may pretend to be a Microsoft Word document. To confuse the victim, the file should show a notification asking to update his Microsoft Word if he wishes to view the document. In reality, this file is not a document, and opening it initiates the malware’s downloading and its injection into the svhost.exe process. Once on a system, TrickBot may establish an Internet connection, record sensitive information, and then send it to its creators’ server. Also, it is vital to mention that malware can also drop more threats to a system. This is how it is connected to Anchor; it can download it as a secondary payload.

As for the Anchor abilities, they depend on the malicious application’s type. There are three known versions of it that are called Anchor, Old Anchor_DNS, and New Anchor_DNS. For instance, the first two versions can destruct themselves. Usually, hackers build in such a function to hide their tracks; for example, they can make a threat delete itself as soon as it gathers and delivers the information they need. The Anchor_DNS versions work as backdoor infections that use the DNS protocol to communicate with the hackers’ server. According to specialists, the threat is still undergoing development, which means cybercriminals are still working on its code, and there might appear even more versions of it. Currently, it is known that after connecting to the server, the backdoor can transfer data, receive the commands, and download additional payload. The fact that it can void detections makes it sound even more vicious.

Since the malicious applications were noticed to be used to attack PoS systems, researchers suspect that the FIN6 group could be behind this campaign. This group of hackers was linked to older TrickBot attacks. Also, it is known that they are financially-motivated, which is why an attack on PoS systems from them would not be a surprise. Needless to say that financial institutions and companies that provide or use PoS systems should be aware of these cybercriminals and their malicious applications. There are a few things that we could recommend for companies that might be targeted with Anchor and TrickBot or similar threats. It is to find and eliminate weaknesses that their systems might have, educate employees so that they would not fall for suspicious links sent via email or similar tricks, and use reputable antimalware tools that could increase their computers’ protection.

As for erasing Anchor, we display instructions showing how it might be possible to get rid of it below. Keep it in mind that they might not work for everyone since there could be lots of different versions of the malware. Thus, we highly recommend deleting Anchor with a reputable antimalware tool or leaving this task to capable cybersecurity specialists who could take care of the infection for you. If there is anything else you wish to ask about this backdoor threat, we invite you to leave us a comment at the end of this page.

Restart the computer in Safe Mode

Windows 8/Windows 10

1. Tap Win+I for Windows 8 or open Start menu for Windows 10.
2. Press the Power button.
3. Click and hold Shift, then click Restart.
4. Pick Troubleshoot and choose Advanced Options.
5. Go to Startup Settings and click Restart.
6. Press F5 and restart the PC.

Windows XP/Windows Vista/Windows 7

1. Navigate to Start, select Shutdown options, and pick Restart.
2. Press and hold F8 when the PC starts restarting.
3. Mark Safe Mode with Networking.
4. Select Enter and log on.

Erase Anchor

1. Click Win+E.
2. Find these locations:
   %TEMP%
   %USERPROFILE%
3. Search for suspicious files that could belong to the malware; their title might be random.
4. Right-click the infection's created files and select Delete.
5. Then find this path: %APPDATA%
6. Search for the threat’s created directory with a random name; inside of it, there should be another randomly named folder, and in this folder, users should find a file called autoupdate#{random numbers}.
7. Right-click the malicious application’s created folder and press Delete to erase it along with all of its contents.
8. Check these locations:
   %SYSTEMROOT%
   %SYSTEMROOT%\System32
9. Look for more suspicious files that could belong to the malware, right-click them, and press Delete.
10. Exit File Explorer.
11. Press Win+R.
12. Type Regedit and press Enter.
13. Go to this path: HKLM\SYSTEM\CurrentControlSet\Services\netTcpSvc\Parameters
14. Find a value data called ServiceDll, right-click it, and select Delete.
15. Exit Registry Editor.
16. Empty Recycle bin.
17. Restart the system.