Bazar Loader Leverages Anchor DNS
released on 2021-03-08 @ 10:59:00 PM
In an intrusion this past month, The DFIR Report saw another link between the TrickBot, Anchor, and Bazar malware families: a Bazar loader brought in Anchor DNS to facilitate an intrusion that ended in full domain compromise. Over a 5-day time frame the threat actors moved from a single endpoint to full domain compromise, and while ransomware deployment was not seen in this intrusion, the TTPs used mirror what we would expect from a big game ransomware crew.