Warning issued over increased activity of TrueBot malware

Categories: News, Ransomware
Tags: TrueBot, Cl0p, Silence Group, CVE-2022-31199, Raspberry Robin, FlawedGrace, Cobalt Strike, Teleport

CISA, the FBI, the MS-ISAC, and the CCCS have warned about increased activity of the TrueBot malware in the US and Canada.


The post Warning issued over increased activity of TrueBot malware appeared first on Malwarebytes Labs.

Malwarebytes

In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) have warned about newly identified TrueBot malware variants used against organizations in the US and Canada.

As we reported in our May 2023 ransomware review, ransomware groups like Cl0p gain access to a network and then sneakily deploy TrueBot malware and a Cobalt Strike beacon to infiltrate and creep around, grabbing data along the way.

At its core, Truebot is a Trojan.Downloader. Besides gathering system information, it can download and execute additional payloads. That makes it well suited to initial access broker (IAB) groups that want to plant a backdoor on a system and do some basic reconnaissance of the network. For those purposes, recent versions of Truebot collect a screenshot, the computer name, the local network name, and Active Directory trust relations. Active Directory trust relations allow organizations to share users and resources across domains.

Previous TrueBot malware variants were primarily delivered by cybercriminals via malicious phishing email attachments. Newer versions also allow cyber threat actors to gain initial access by exploiting CVE-2022-31199, a remote code execution vulnerability in the Netwrix Auditor application, which lets the attacker deploy the malware at scale within the compromised environment. Through exploitation of this CVE, cybercriminals gain initial access as well as the ability to move laterally within the compromised network.

The advisory explains how TrueBot has been observed in association with:

  • Raspberry Robin: a wormable malware with links to other malware families and various infection methods, including installation via USB drive.
  • FlawedGrace: a remote access tool (RAT) that can receive incoming commands [T1059] from a C2 server, which is typically deployed minutes after TrueBot malware is executed.
  • Cobalt Strike: a collection of threat emulation tools cybercriminals use for persistence and data exfiltration purposes.
  • Teleport: a custom data exfiltration tool.

In a separate malware analysis report, interested parties can find a comprehensive analysis of a recently discovered TrueBot executable.

Malwarebytes blocks the download URLs and detects Truebot as Malware.AI.{id.nr.}. Cl0p ransomware is detected as Malware.Ransom.Agent.Generic. But obviously prevention is better than remediation. The Malwarebytes web protection module blocks the C2 servers mentioned in the Malware Analysis Report.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.


Related news

Truebot Malware Variants Abound, According to CISA Advisory

US and Canadian government agencies find that new variants of the malware are increasingly being utilized.

Cybersecurity Agencies Sound Alarm on Rising TrueBot Malware Attacks

Cybersecurity agencies have warned about the emergence of new variants of the TrueBot malware. This enhanced threat is now targeting companies in the U.S. and Canada with the intention of extracting confidential data from infiltrated systems. These sophisticated attacks exploit a critical vulnerability (CVE-2022-31199) in the widely used Netwrix Auditor server and its associated agents. This

Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors

A surge in TrueBot activity was observed in May 2023, cybersecurity researchers disclosed. "TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks," VMware's Fae Carlisle said. Active since at least 2017, TrueBot is linked to a group known as Silence that's

Silence is golden partner for Truebot and Clop ransomware

Categories: News, Ransomware. Tags: Silence, TA505, Clop ransomware, Truebot, Grace, Cobalt Strike, Teleport, FIN11.

Researchers have identified two new Truebot botnets that are using new versions of the Truebot downloader Trojan to infiltrate and explore a target's network. The post Silence is golden partner for Truebot and Clop ransomware appeared first on Malwarebytes Labs.

New Truebot Malware Variant Leveraging Netwrix Auditor Bug and Raspberry Robin Worm

Cybersecurity researchers have reported an increase in TrueBot infections, primarily targeting Mexico, Brazil, Pakistan, and the U.S. Cisco Talos said the attackers behind the operation have moved from using malicious emails to alternative delivery methods such as the exploitation of a now-patched remote code execution (RCE) flaw in Netwrix auditor as well as the Raspberry Robin worm. "

Breaking the silence - Recent Truebot activity

Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world.

CVE-2022-31199: Netwrix Auditor Application Critical Vulnerability Advisory

Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.