Trickbot Malware

Solution Verified - Updated -


Linux Server and Desktop Environments


Trickbot (or Anchor_Linux) malware is a multi-platform (Microsoft Windows and Linux) malware that can attack systems, upload files to attacker-controlled systems and encrypt files holding them for ransom. Some variants have asked users to make payments in exchange for decryption keys to regain access to their data. The Linux variants of this malware appear to be mostly used for command and control purposes but do contain features that allow downloading and running of additional payloads both directly on an infected system or other systems on the network to which an infected system has access (most notably windows desktops via the SMB protocol).

See the following for additional information regarding this malware:


It is important to keep all servers and workstations up to date with all security patches and to maintain backups of all data. If infected, a reinstallation of software and restoration of data may be the easiest resolution. In addition to the various publicly available IoC’s (indicators of compromise), that have been made available for this malware, Red Hat is aware of reports that system files such as /etc/crontab may be modified in an attempt to maintain persistence. Monitoring of systems for unauthorized or unexpected changes to configuration should help in the detection of this and similar malware.

Root Cause

It is thought that infections of the Trickbot malware are part of a multi-stage attack variant as the payloads often include executables that target non-native platforms. The malware communicates with a ‘command and control’ platform via the DNS protocol making it unable to be blocked using traditional web-filtering mechanisms.

Once infected the current known variant attempts to use code downloaded from attacker controlled servers to escalate privileges and then transmits copies of target files back to the attackers. Red Hat has not at this stage heard reports of the privilege escalation targeting '0day vulnerabilities' for which a patch has not yet been issued . Some variants may continue to encrypt local files via existing ransomware mechanisms. It is unknown how, exactly, the malware is propagating.

Trickbot continues to be developed and new variants are being found in the wild. This means that it may evolve to use alternative infection or communication methods.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.