SentinelLabs Identifies Hidden Link Between TrickBot “Anchor” & Purported North Korea “Lazarus” Tool Deployment
Posted: Wed Dec 11, 2019 10:38:31 AM
Discovery of One of the Most Sophisticated & Resourceful Botnet Groups on Crimeware Landscape
Mountain View, Calif. – December 11, 2019 – SentinelOne, the autonomous endpoint protection company, today announced that the company’s research division, SentinelLabs, has identified a first-of-its-kind possible collaboration between crimeware organization TrickBot and North Korean advanced persistent threat (APT) group Lazarus. The TrickBot branch toolset, known as “Anchor Project,” represents the first known link between cybercrime groups and APT actors. The research is evidence of “Anchor Project” tools being used to deploy malware possibly associated with the North Korean regime, a finding with significant national security implications.
“Anchor Project” presents an all-in-one attack framework designed to attack enterprise environments using both custom and existing tooling. While most nation-state groups are primarily concerned with establishing persistent access for espionage, surveillance, and data exfiltration, Lazarus group is also tasked with funding the North Korean regime, and its tooling is making use of TrickBot’s Anchor infections to monetize its activities. The increasing sophistication of TrickBot’s tools combined with Lazarus’s unique priorities led to a previously unseen collaboration between the two. The discovery was made by the SentinelLabs team headed by Vitali Kremez, who recently joined SentinelOne to lead SentinelLabs, a bespoke threat intelligence, research, and analysis team.
“Anchor Project” combines a variety of tools that let attackers both exfiltrate sensitive data and establish long-term persistence, a typical goal of nation-states. The toolkit enables the initial installation of malware and hides its tracks, eliminating evidence of the infection. This makes “Anchor Project” equally attractive for both nation-state activity and the large-scale cyber-heists typical of criminal enterprises. Upon investigating the “Anchor Project,” and realizing that Lazarus is one of the few groups interested in both data exfiltration and financial gain, SentinelLabs immediately looked for a connection between the two groups and soon found that the tool ‘PowerRatankba’, previously linked to Lazarus, was in fact delivered to an infected Anchor victim.
“Cybercrime enterprises like TrickBot, who offer their cybercrime-as-a-service to criminal entities with various goals and objectives, are always looking to break into new markets and find other hacking outfits to sell their malware kits to,” said Kremez. “But because many nation-state groups rarely have monetary goals, it has been notable for TrickBot to gain a foothold in this arena. Evidence of them now being linked to deliveries previously attributed to APT malware toolkits belonging to Lazarus is indicative of a quantum shift in the world of cybercrime.”