Silence is golden partner for Truebot and Clop ransomware

Categories: News, Ransomware

Tags: Silence, TA505, Clop ransomware, Truebot, Grace, Cobalt Strike, Teleport, FIN11

Researchers have identified two new Truebot botnets that are using new versions of the Truebot downloader Trojan to infiltrate and explore a target’s network.


The post Silence is golden partner for Truebot and Clop ransomware appeared first on Malwarebytes Labs.


A recent rise in the number of Truebot infections has been attributed to a threat actor known as the Silence Group. The Silence Group is an initial access broker (IAB) that frequently changes tools and tactics to stay on top of the game. An IAB's primary task is to find a weakness or vulnerability, create a foothold in a network, and do some exploratory work to find out how attractive the target is. Once this is done, it can sell the access to another threat actor, such as a ransomware group. For these tasks, Truebot is the Silence Group's tool of choice.

The Silence Group seems to have a strong relation with the group behind Clop ransomware, often referenced as TA505, which in turn has a large overlap with the FIN11 group.

Truebot

The researchers identified two separate Truebot botnets. One appears to be focused on the US, while the other is predominantly focused on Mexico, Pakistan, and Brazil.

We touched on the second one when we wrote about the recent activities of the Raspberry Robin worm. The use of this worm, in combination with an attack vector leveraging a Netwrix vulnerability, seems to have laid the groundwork for the creation of a botnet of over 1,000 systems that is distributed worldwide.

The other botnet is almost exclusively composed of Windows servers that are directly connected to the internet and expose several Windows services such as SMB, RDP, and WinRM. The attack vector used to establish this botnet has not yet been identified, although the researchers are confident that it differs from those used for the other botnet: the Raspberry Robin worm and the Netwrix vulnerability (CVE-2022-31199).

New version

At its core, Truebot is a Trojan.Downloader. As such, it is an ideal malware for IAB groups that want to plant a backdoor on a system and do some basic reconnaissance of the network. For those purposes, this new version of Truebot collects this information: a screenshot, the computer name, the local network name, and active directory trust relations. Active Directory trust relations allow organizations to share users and resources across domains.

What's also new is that this version is capable of loading and executing additional modules and shellcode in memory, making the payloads fileless malware, which is less likely to be detected.

Exfiltration

Besides the usual suspects designed to act as a backdoor, Cobalt Strike and Grace, the researchers also found a new data exfiltration tool. Finding Grace as a payload seems to confirm the close ties between the Silence Group and TA505 since Grace was almost exclusively used by TA505.

The exfiltration tool, dubbed Teleport, was used extensively by the attackers to steal information from the network. It appears to be a custom data exfiltration tool built in C++, containing several features that make the process of data exfiltration easier and stealthier. Some of these features are not commonly found in remote copying tools, but they make it very useful to an attacker stealthily exfiltrating data:

  • It limits the upload speed, which can keep the transfer under the radar of tools that monitor for large data exfiltration and also avoids slowing down the network.
  • Communication is encrypted, hiding what information is being transmitted.
  • It limits the file size, which maximizes the number of stolen files by avoiding lengthy copies of files that may not be interesting.
  • It can delete itself after use, which keeps it as unknown as possible.

Clop

Ransom.Clop was first seen in February of 2019. Besides encrypting systems, the Clop ransomware also exfiltrates data that will be published on a leak site if the victim refuses to pay the ransom. In February of 2021, the group made headlines by targeting executives’ systems specifically to find sensitive data.

Mitigation

The tools that are used by Silence are versatile, but there are a few logical steps you can take to protect yourself and your organization:

  • Do not insert USB drives of unknown or unreliable origin into your systems.
  • In Windows, the autorun of USB drives is disabled by default. However, many organizations have widely enabled it through legacy Group Policy changes. If you enabled it, this is a policy worth re-thinking.
  • Install patches as soon as possible, especially for internet facing devices.
  • Run an anti-virus/anti-malware solution that actively monitors and scans your systems.
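As an added example (not from the article or from Malwarebytes), the PowerShell below audits the Explorer policy values that a legacy "AutoPlay/AutoRun" Group Policy writes, so machines where removable drives were re-enabled can be spotted; it assumes the documented registry values NoDriveTypeAutoRun (a bitmask over drive types) and NoAutorun.

```powershell
# Added example, not from the Malwarebytes article: audit the Explorer policy
# values that Group Policy writes for AutoRun/AutoPlay and flag any machine
# where removable (USB) drives are not covered. Run in an elevated PowerShell.

# NoDriveTypeAutoRun is a bitmask over drive types: 0x04 = DRIVE_REMOVABLE
# (USB sticks); 0xFF switches AutoRun/AutoPlay off for every drive type.
# NoAutorun = 1 stops Explorer from honouring autorun.inf at all.
$RemovableBit = 0x04

function Get-AutoRunPolicyStatus {
    param([string]$PolicyPath)
    $props = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    $mask = if ($props -and $props.PSObject.Properties['NoDriveTypeAutoRun']) {
        [int]$props.NoDriveTypeAutoRun } else { $null }
    $noAutorun = if ($props -and $props.PSObject.Properties['NoAutorun']) {
        [int]$props.NoAutorun } else { $null }

    $findings = @()
    if ($null -eq $mask) {
        $findings += 'NoDriveTypeAutoRun not set by policy (OS default applies)'
    } elseif (($mask -band $RemovableBit) -eq 0) {
        # The removable-drive bit is clear: a legacy GPO left USB drives enabled.
        $findings += ('NoDriveTypeAutoRun=0x{0:X2} leaves removable drives enabled' -f $mask)
    }
    if ($noAutorun -ne 1) {
        $findings += 'NoAutorun is not 1: autorun.inf processing not fully disabled'
    }
    [pscustomobject]@{
        PolicyPath         = $PolicyPath
        NoDriveTypeAutoRun = if ($null -ne $mask) { '0x{0:X2}' -f $mask } else { '(unset)' }
        NoAutorun          = if ($null -ne $noAutorun) { $noAutorun } else { '(unset)' }
        Findings           = if ($findings) { $findings -join '; ' } else { 'OK: removable drives blocked' }
    }
}

# Machine policy takes precedence over user policy, so check both locations.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$paths | ForEach-Object { Get-AutoRunPolicyStatus -PolicyPath $_ } | Format-List
```

A finding of "not set by policy" is not itself a problem on a current Windows build, but any mask with bit 0x04 clear means a policy has explicitly re-enabled AutoRun for removable media and is the setting the article suggests re-thinking.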

Malwarebytes blocks the download URLs and detects Truebot as Malware.AI.{id.nr.}. Clop ransomware is detected as Malware.Ransom.Agent.Generic.


Related news

Warning issued over increased activity of TrueBot malware

Categories: News, Ransomware

Tags: TrueBot, Cl0p, Silence Group, CVE-2022-31199, Raspberry Robin, FlawedGrace, Cobalt Strike, Teleport

CISA, the FBI, the MS-ISAC, and the CCCS have warned about increased activity of the TrueBot malware in the US and Canada. The post Warning issued over increased activity of TrueBot malware appeared first on Malwarebytes Labs.

Truebot Malware Variants Abound, According to CISA Advisory

US and Canadian government agencies find that new variants of the malware are increasingly being utilized.

Cybersecurity Agencies Sound Alarm on Rising TrueBot Malware Attacks

Cybersecurity agencies have warned about the emergence of new variants of the TrueBot malware. This enhanced threat is now targeting companies in the U.S. and Canada with the intention of extracting confidential data from infiltrated systems. These sophisticated attacks exploit a critical vulnerability (CVE-2022-31199) in the widely used Netwrix Auditor server and its associated agents. This

Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors

A surge in TrueBot activity was observed in May 2023, cybersecurity researchers disclosed. "TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks," VMware's Fae Carlisle said. Active since at least 2017, TrueBot is linked to a group known as Silence that's

New Truebot Malware Variant Leveraging Netwrix Auditor Bug and Raspberry Robin Worm

Cybersecurity researchers have reported an increase in TrueBot infections, primarily targeting Mexico, Brazil, Pakistan, and the U.S. Cisco Talos said the attackers behind the operation have moved from using malicious emails to alternative delivery methods such as the exploitation of a now-patched remote code execution (RCE) flaw in Netwrix auditor as well as the Raspberry Robin worm. "

Breaking the silence - Recent Truebot activity

Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world.

CVE-2022-31199: Netwrix Auditor Application Critical Vulnerability Advisory

Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.