The CISA, the FBI, the MS-ISAC, and the Canadian Centre for Cyber Security (CCCS) published a joint advisory, warning about the rise in Truebot malware activity. The advisory states that the threat actors are leveraging new variants of Truebot malware to target organizations in the U.S. and Canada via new TTPs.
In the past, the malware was used by Cl0p and Silence cybercriminal groups to collect and exfiltrate information from victims.
The surge in Trubot's activities
- Unlike the previous versions that were delivered via phishing emails, the newer versions exploit a remote code execution vulnerability (CVE-2022-31199) in the Netwrix Auditor application to gain initial access.
- According to Netwrix’s website, more than 13,000 organizations across over 100 countries use the software, which increases the chances of such attacks.
Where did it all start?
The development comes after researchers warned about Truebot activity shortly after the discovery of the Netwrix Auditor vulnerability in mid-2022.
- In December 2022, researchers at Cisco Talos identified a small number of cases where Truebot was executed by exploiting the vulnerability.
- Over a couple of months, DEV-0950 started using Raspberry Robin malware to deliver Truebot alongside Cl0p ransomware onto compromised systems mainly in Mexico, Brazil, and Pakistan.
Based on the nature of Truebot operations observed so far, the latest advisory states that the primary goal of the malware is to pilfer sensitive information from victims’ systems for financial gain.
Wrapping up
While there is no information on the number of victims impacted, the agencies have published details on detecting the malware and mitigating its effects. These include applying patches for the Netwrix Auditor vulnerability and mandating MFA for all staff and services. Organizations are also advised to use IOCs to hunt for signs of malicious activity pointing to a Truebot infection.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/0bac_shutterstock_498380503.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/21a1_shutterstock_2280868405.jpg)
