Previously, attackers were observed using malicious emails and Raspberry Robin to distribute the TrueBot (aka Silence.Downloader) malware. Recently, they appear to have started exploiting a now-patched RCE flaw in Netwrix Auditor to download and run TrueBot.
True colors of TrueBot
Cisco Talos researchers discovered the latest TrueBot infections between mid-August and September.
- The updated variant of TrueBot was observed exploiting the vulnerability tracked as CVE-2022-31199 in Netwrix Auditor to compromise large organizations.
- The Windows malware downloader is attributed to the Silence Group, a Russian-speaking threat actor believed to be associated with Evil Corp (aka DEV-0243) and TA505.
- This variant collects information such as the device name, local network details, and Active Directory trust relationships and sends it to the attackers' C2 server.
- TrueBot can download and execute files as well as load and execute additional modules and shellcode directly in memory, which makes those payloads less likely to be detected.
Frequent switch in delivery methods
In the past few months, TrueBot operators have switched their delivery tactics several times.
- In October, Microsoft spotted an increase in TrueBot activity leveraging Raspberry Robin malware.
- Attackers had created a botnet of over 1,000 systems worldwide with a particular focus on Mexico, Brazil, and Pakistan.
- However, last month, attackers used an unknown distribution mechanism to create the second botnet, with over 500 infections so far, especially focused on the U.S., Canada, and Brazil.
- The first botnet mainly targeted desktop systems that were not directly reachable from the internet. The second botnet exclusively attacked Windows servers directly connected to the internet that exposed Windows services such as SMB, RDP, and WinRM.
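The exposure condition in the last point (SMB, RDP, or WinRM reachable on an internet-facing interface) is the check a defender would want to run on their own Windows servers. The script below is an added example, not code from Cisco Talos or from the malware: it parses Windows `netstat -ano` output and flags listeners on ports 445, 3389, 5985 and 5986 that are bound either to a globally routable address or to the wildcard address on a host that has a non-internal interface. The netstat lines, the interface list, and the set of "internal" networks are constructed for this example; 203.0.113.10 is a documentation address standing in for a real public IP.

```python
"""Flag Windows listeners for SMB, RDP and WinRM that an internet-facing
interface would expose. Added example; not Talos' or TrueBot's code.
Input is the text of `netstat -ano` plus the host's interface addresses."""
import ipaddress
import re

# Services the article says the second TrueBot botnet went after.
WATCHED_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM (HTTP)", 5986: "WinRM (HTTPS)"}

# Address ranges treated as not internet-reachable (assumption for the example:
# RFC 1918, loopback, link-local, IPv6 ULA). 203.0.113.0/24 is deliberately
# absent so the documentation address below counts as public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]

# One TCP line of Windows `netstat -ano` in LISTENING state:
#   TCP    0.0.0.0:445    0.0.0.0:0    LISTENING    4
_LISTEN_LINE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)

# Constructed sample output, including a non-watched port, an ESTABLISHED
# connection and a UDP line that the parser must ignore.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    10.0.0.5:5985          0.0.0.0:0              LISTENING       4
  TCP    203.0.113.10:5986      0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5985         0.0.0.0:0              LISTENING       4
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    10.0.0.5:49670         203.0.113.77:443       ESTABLISHED     2200
  UDP    0.0.0.0:137            *:*                                    4
"""
# Constructed interface list for the sample host (one internal, one public, one link-local).
INTERFACES = ["10.0.0.5", "203.0.113.10", "fe80::1"]


def split_addr(addr):
    """Split 'host:port' or '[v6host]:port' into (host_str, port_int)."""
    if addr.startswith("["):
        host, _, port = addr[1:].partition("]:")
    else:
        host, _, port = addr.rpartition(":")
    return host, int(port)


def is_internal(ip):
    """True if ip falls in one of INTERNAL_NETS (version mismatch simply yields False)."""
    return any(ip in net for net in INTERNAL_NETS)


def exposed_listeners(netstat_output, interface_ips):
    """Return [(service, bound_host, port, pid)] for watched ports that are exposed.

    A listener is exposed when it binds a non-internal address, or when it binds
    the wildcard address (0.0.0.0 / ::) and the host has a non-internal interface.
    """
    has_public_iface = any(not is_internal(ipaddress.ip_address(a)) for a in interface_ips)
    findings = []
    for line in netstat_output.splitlines():
        m = _LISTEN_LINE.match(line)
        if not m:
            continue  # header, UDP, or non-LISTENING socket
        host, port = split_addr(m.group("local"))
        if port not in WATCHED_PORTS:
            continue
        ip = ipaddress.ip_address(host)
        exposed = has_public_iface if ip.is_unspecified else not is_internal(ip)
        if exposed:
            findings.append((WATCHED_PORTS[port], host, port, int(m.group("pid"))))
    return findings


if __name__ == "__main__":
    for service, host, port, pid in exposed_listeners(NETSTAT_SAMPLE, INTERFACES):
        print(f"EXPOSED {service:14s} {host}:{port} (PID {pid})")
```

On a real server, feed it `netstat -ano` and the output of `ipconfig` (or `Get-NetIPAddress`) for the interface list; the wildcard rule matters because a service bound to 0.0.0.0 is only a problem on a host that actually has a routable interface, which is exactly the population the second botnet hit.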
Post-compromise activity
In the most recent campaign, once a system has been compromised with TrueBot, the attackers deploy additional payloads.
- In some cases, they deployed Cobalt Strike and Grace (aka FlawedGrace and GraceWire) payloads; in others, they used the Cl0p ransomware for double extortion.
- They also used a custom data exfiltration tool named Teleport, whose features make exfiltration easier and stealthier.
Conclusion
The TrueBot downloader has evolved into a component of a complex and interconnected malware ecosystem. The development of a custom exfiltration tool and the repeated changes in distribution method show that the operators can adapt quickly, so the outcome of an infection can range from reconnaissance to data theft and ransomware. Organizations should build a robust protection and detection strategy to limit the impact of these highly connected cybercriminal threats.