Code red for the world: TrueBot botnet threat intensifies
International cybersecurity agencies are sounding the alarm because of the increased activity of TrueBot.
In a joint bulletin, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Center for Internet Security's MS-ISAC and the Canadian Centre for Cyber Security (CCCS) note that hackers are using new variants of the Truebot malware to attack organizations in the US and Canada. Since May 31, specialists have observed a surge in financially motivated TrueBot activity.
Truebot is known to be used by the well-known cybercriminal groups Clop and Silence to steal information from victims. The creation of Truebot in 2017 is attributed to the Silence group, which specialized in large-scale attacks on financial institutions.
The attackers previously distributed the malware through malicious attachments in phishing emails; according to the agencies, however, they have now switched to new methods and are using variants that exploit a remote code execution vulnerability (CVE-2022-31199, CVSS 9.8) in the Netwrix Auditor application. Exploiting the flaw allows attackers to gain initial access and move through a compromised network.
Netwrix Auditor is used by more than 13,000 organizations in 100 countries to audit on-premises and cloud IT systems, as well as security and compliance audits. As of December 2022, over 500 TrueBot botnet infections have been detected, predominantly in the United States and Canada.
The bulletin further explains that after the malicious file is downloaded, Truebot renames itself and deploys FlawedGrace on the host. The RAT then modifies the registry and print spooler settings, allowing it to escalate privileges and establish persistence. The experts also reminded readers of Truebot's association with other malware delivery tools, namely Raspberry Robin and Cobalt Strike.
The May spike in TrueBot activity was discovered by VMware security researchers, who noted that TrueBot's main function is to collect information from the host and deploy next-stage payloads such as Cobalt Strike, the FlawedGrace trojan, and a previously unknown data exfiltration utility called Teleport. Lateral movement and data collection follow, after which the Clop ransomware binary is launched. An analysis of the Teleport utility showed that it is used exclusively to collect files from OneDrive and Downloads folders, as well as messages from Outlook.
The experts suggested steps to mitigate the increased threat from Truebot, including monitoring and controlling software execution and applying the Netwrix Auditor patches.