AnchorMail
⚠️ Overview
AnchorMail is a modular backdoor first documented in early 2022. The reporting cited on this page (Cisco Talos, March 2022) attributes it to the threat group TA551, which previously distributed the Ursnif trojan; note that TA551 is Proofpoint's designation for that distribution group and is not the same intrusion set as Mandiant's UNC1878, a Ryuk-deploying actor, so the two names should not be treated as aliases. AnchorMail combines information-stealer and remote access trojan (RAT) functionality and is used to establish a persistent foothold in enterprise networks for credential harvesting and data exfiltration. It is a variant of the TrickBot group's Anchor backdoor: IBM Security X-Force, which analysed the family in February 2022, described it as the successor of AnchorDNS with the DNS-tunnelling command-and-control replaced by an email-protocol channel, and SentinelOne reported the code overlaps in May 2022. Those overlaps point to shared tooling or a common developer lineage between the Anchor project and the operators named above.
🔧 Technical Capabilities
AnchorMail is delivered by spear-phishing emails carrying weaponized Microsoft Office documents or ISO attachments; opening the lure runs a PowerShell downloader that fetches the backdoor. Campaigns from mid-2022 used CVE-2022-30190 (Follina) for initial access: the document references an external HTML resource that redirects to an ms-msdt: URI, and the Microsoft Support Diagnostic Tool (MSDT) then executes attacker-supplied commands without macros being enabled. The command-and-control (C2) channel described in the cited reporting is HTTPS over TCP port 443 to hardcoded domains that mimic legitimate mail services (e.g., *-anchor-mail.com) and present valid Let's Encrypt certificates, so the connections raise no certificate-validation alerts and blend into ordinary TLS traffic (a valid certificate does not defeat TLS inspection; it only removes one warning sign). IBM Security X-Force's analysis of the family, from which the name derives, additionally describes C2 carried over email protocols, SMTP and IMAP over TLS, so egress on TCP 465 and 993 from workstations deserves the same scrutiny as port 443. Persistence is achieved through scheduled tasks or registry Run keys, and privilege escalation through token theft (duplicating the access token of a privileged process and impersonating it). Evasion techniques include packing with VMProtect, API unhooking (restoring the original prologues of hooked ntdll.dll functions to blind user-mode EDR hooks), and sleep masking (encrypting the backdoor's own memory while it waits, which defeats memory scanners; the long sleeps also outlast sandbox analysis windows). The backdoor supports dynamic module loading to fetch plugins for credential dumping (Mimikatz), network scanning, and lateral movement over SMB or RDP.
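As an added example (not code from the original page or from any vendor report), the following Python scanner looks for the Follina delivery pattern described above inside an Office Open XML file: a relationship with TargetMode="External" of type oleObject or attachedTemplate, which is how the lure document pulls the remote HTML, plus a byte search for the ms-msdt: scheme in case the document or the fetched page carries it directly. The two sample documents and the stage-two HTML fragment are constructed inline for the demonstration; the example.invalid host is a placeholder, not an observed indicator.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Relationship types a Follina-style lure abuses to pull a remote HTML page; the
# page then redirects Office to an ms-msdt: URI (CVE-2022-30190).
RISKY_REL_TYPES = (OFFICE_REL + "/oleObject", OFFICE_REL + "/attachedTemplate")
MSDT_URI = re.compile(rb"ms-msdt:", re.IGNORECASE)


def has_msdt_uri(data):
    """True if a blob (a docx part or the fetched stage-two HTML) carries an ms-msdt: URI."""
    return MSDT_URI.search(data) is not None


def scan_ooxml(blob):
    """Return a list of findings for an OOXML file (docx/xlsx/pptx) given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if has_msdt_uri(data):
                findings.append(f"{name}: contains an ms-msdt: URI")
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(data)
            except ET.ParseError:
                findings.append(f"{name}: unparsable relationships part")
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if external and rtype in RISKY_REL_TYPES:
                    kind = rtype.rsplit("/", 1)[-1]
                    findings.append(f"{name}: external {kind} relationship -> {target}")
    return findings


def build_docx(rels_xml):
    """Build a minimal docx in memory; a constructed sample, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts. The trailing "!" on the external target mirrors the
# quirk seen in Follina lures; example.invalid is a placeholder host, not an indicator.
BENIGN_RELS = (
    f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>'
    '</Relationships>'
)
SUSPICIOUS_RELS = (
    f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>'
    f'<Relationship Id="rId996" Type="{OFFICE_REL}/oleObject" '
    'Target="http://example.invalid/lure.html!" TargetMode="External"/>'
    '</Relationships>'
)
# Constructed stage-two page of the kind the external relationship would fetch.
STAGE_TWO_HTML = (b'<html><script>window.location.href = '
                  b'"ms-msdt:/id PCWDiagnostic /skip force /param IT_LaunchMethod=ContextMenu";'
                  b'</script></html>')

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, scan_ooxml(build_docx(rels)) or "clean")
    print("stage-two html carries ms-msdt:", has_msdt_uri(STAGE_TWO_HTML))
```

The scanner deliberately keys on the relationship type and TargetMode rather than on a URL blocklist, because the remote host changes per campaign while the external oleObject or attachedTemplate link is the structural feature the technique cannot do without; run it at the mail gateway over every OOXML attachment, and treat any external relationship of those two types as a quarantine event.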
📜 History & Notable Incidents
First observed in early 2022, AnchorMail was deployed in targeted campaigns against logistics companies in Germany and the United Kingdom, according to the Talos report of March 2022 cited on this page (Talos Intelligence, "AnchorMail: A new backdoor from TA551"). The most serious reported incident was the compromise of a European shipping firm's financial systems, in which payroll credentials were stolen. CVE identifiers are assigned to vulnerabilities, not to malware families, so AnchorMail has no CVE of its own; the only CVE associated with it is CVE-2022-30190, which it exploits for initial access. No law enforcement action has publicly targeted AnchorMail's operators. The coordinated takedown of TrickBot infrastructure led by Microsoft took place in October 2020 (the January 2021 coordinated takedown was Emotet's), and neither action publicly named TA551 or AnchorMail.
🔍 Detection Indicators
File hashes published in the Talos report include the SHA-256 values e3c0e1a…abc9f and d2a1f3b…42e7 for the initial droppers (reproduced here as truncated in the source; obtain the full hashes from the report before adding them to a blocklist). Behavioral indicators include creation of a scheduled task named MailUpdateChecker and of the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AnchorMailUpdate. Network indicators include domains such as portal.anchor-mail.com and the C2 user-agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36; because this is the stock Chrome 98 user-agent and appears in large volumes of legitimate traffic, it is only meaningful in combination with a C2 domain or another indicator. The malware creates the mutex Global\AnchorMailMutex to ensure that only one instance runs per host.
☠️ Risk & Impact
AnchorMail's primary damage comes from credential theft and data exfiltration; the observed incidents affected the logistics and transportation sectors. The financial impact reported so far is the disruption of payroll systems, with the larger risk that the foothold is used for lateral movement and ransomware deployment. The backdoor can serve as a delivery gateway for TrickBot or Conti ransomware payloads, which multiplies the impact on an affected organization.
🛡️ Mitigation
Defensive measures include blocking or quarantining email attachments in container and macro-enabled formats (e.g., .iso, .docm), applying the Microsoft updates for CVE-2022-30190 (shipped in the June 2022 security updates; until a host is patched, Microsoft's workaround was to export and then delete the HKEY_CLASSES_ROOT\ms-msdt key so the ms-msdt: protocol handler is no longer registered), and deploying endpoint detection and response (EDR) rules that flag scheduled tasks whose names match *MailUpdate*, writes to the Run value AnchorMailUpdate, and network connections to anchor-mail domains. Because the family also supports email-protocol C2, restrict outbound SMTPS and IMAPS (TCP 465 and 993) from workstations to approved mail servers. YARA rules for AnchorMail are available in the Talos public repository and should be integrated into antivirus and SIEM systems.
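To make the Detection Indicators and the EDR rules above concrete, here is an added Python example (not the page's or any vendor's code) that runs the indicators from this page over a handful of constructed Sysmon-style, Windows Security and proxy-log events: scheduled-task names matching *MailUpdate*, the AnchorMailUpdate Run value, DNS queries and connections to anchor-mail.com domains, and the Chrome 98 user-agent, which is deliberately scored as low confidence because it is a stock browser string. The events, SID, paths and host names are made up for the demonstration.

```python
import fnmatch
import re

# Indicators as listed on this page. The domain pattern is anchored so that
# "notanchor-mail.com" does not match, and the Run value is matched by its tail
# because Sysmon logs HKCU paths as HKU\<SID>\... rather than HKCU\...
TASK_NAME_PATTERN = "*mailupdate*"
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\AnchorMailUpdate$", re.IGNORECASE)
C2_DOMAIN_RE = re.compile(r"(^|\.)anchor-mail\.com$", re.IGNORECASE)
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36")
SCHTASKS_TN_RE = re.compile(r'/tn\s+"?([^\s"]+)', re.IGNORECASE)


def task_name_from_cmdline(cmdline):
    """Pull the /tn value out of a schtasks command line, or None."""
    m = SCHTASKS_TN_RE.search(cmdline)
    return m.group(1) if m else None


def match_event(ev):
    """Return the names of the rules one event fires (empty list if none)."""
    hits = []
    src, eid = ev.get("Source"), ev.get("EventID")
    if src == "sysmon":
        if eid == 1 and ev.get("Image", "").lower().endswith("schtasks.exe"):
            tn = task_name_from_cmdline(ev.get("CommandLine", ""))
            if tn and fnmatch.fnmatch(tn.lower(), TASK_NAME_PATTERN):
                hits.append("persistence_scheduled_task")
        if eid == 13 and RUN_VALUE_RE.search(ev.get("TargetObject", "")):
            hits.append("persistence_run_key")
        if eid == 22 and C2_DOMAIN_RE.search(ev.get("QueryName", "")):
            hits.append("c2_dns_query")
        if eid == 3 and C2_DOMAIN_RE.search(ev.get("DestinationHostname", "")):
            hits.append("c2_network_connection")
    elif src == "security" and eid == 4698:  # "A scheduled task was created"
        if fnmatch.fnmatch(ev.get("TaskName", "").lower(), TASK_NAME_PATTERN):
            hits.append("persistence_scheduled_task")
    elif src == "proxy":
        if C2_DOMAIN_RE.search(ev.get("Host", "")):
            hits.append("c2_http_to_anchor_domain")
        elif ev.get("UserAgent") == C2_USER_AGENT:
            # Stock Chrome 98 UA: far too common to alert on by itself.
            hits.append("c2_user_agent_low_confidence")
    return hits


def scan_events(events):
    """Run every rule over a list of events; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in match_event(ev)]


def severity(hits):
    """High if anything beyond the low-confidence UA rule fired, low for UA alone."""
    rules = {rule for _, rule in hits}
    if rules - {"c2_user_agent_low_confidence"}:
        return "high"
    return "low" if rules else "none"


# Constructed sample events (made-up SID, paths and hosts), using the field names
# Sysmon and the Windows Security log use.
SAMPLE_EVENTS = [
    {"Source": "sysmon", "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 30 /tn MailUpdateChecker /tr "C:\Users\Public\mu.exe"'},
    {"Source": "sysmon", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\AnchorMailUpdate",
     "Details": r"C:\Users\Public\mu.exe"},
    {"Source": "sysmon", "EventID": 22, "QueryName": "portal.anchor-mail.com"},
    {"Source": "sysmon", "EventID": 3, "DestinationHostname": "portal.anchor-mail.com",
     "DestinationPort": 443},
    {"Source": "security", "EventID": 4698, "TaskName": r"\MailUpdateChecker"},
    {"Source": "proxy", "Host": "www.example.com", "UserAgent": C2_USER_AGENT},
    # Benign activity that must not fire: a legitimate task and an ordinary mail domain.
    {"Source": "sysmon", "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Microsoft\Windows\Defrag\ScheduledDefrag" /tr defrag.exe'},
    {"Source": "sysmon", "EventID": 22, "QueryName": "mail.example.com"},
]

if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for i, rule in hits:
        print(f"event {i}: {rule}")
    print("severity:", severity(hits))
```

The same logic ports directly to a SIEM query or a Sigma rule; the two points worth carrying over are the anchored domain match (so lookalike or unrelated domains containing the string do not fire) and the separation of the user-agent into its own low-confidence rule that only raises severity when it co-occurs with a host-based indicator.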
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.