Truebot Malware Variants Abound, According to CISA Advisory
US and Canadian government agencies find that new variants of the malware are increasingly being utilized.
An advisory from the Cybersecurity and Infrastructure Security Agency (CISA), several US organizations, and the Canadian Center for Cyber Security (CCCS) warns of Truebot malware variants that are increasingly being utilized by threat actors against various organizations in the US and Canada.
Truebot, also known as Silence.Downloader, is a botnet used by malicious cyber groups such as the Cl0p ransomware gang to gather information from the victims they target. Older variants of Truebot were mainly distributed through phishing emails carrying malicious attachments. Newer versions let these threat actors gain initial access by exploiting a remote code execution (RCE) vulnerability in Netwrix Auditor, tracked as CVE-2022-31199.
Cyber-threat actors are also delivering their Truebot variants through phishing campaigns that use malicious hyperlinks. The agencies urge organizations hunting for this kind of malicious activity to apply the vendor patches for version 10.5 of Netwrix Auditor and to follow the guidance outlined in the joint advisory.
“Any organization identifying indicators of compromise (IOCs) within their environment should urgently apply the incident responses and mitigation measures detailed in this CSA and report the intrusion to CISA or the FBI,” the organizations stated.