New Truebot Malware Variant Leveraging Netwrix Auditor Bug and Raspberry Robin Worm

The Hacker News
Cybersecurity researchers have reported an increase in TrueBot infections, primarily targeting Mexico, Brazil, Pakistan, and the U.S.

Cisco Talos said the attackers behind the operation have moved from using malicious emails to alternative delivery methods such as the exploitation of a now-patched remote code execution (RCE) flaw in Netwrix Auditor as well as the Raspberry Robin worm.

“Post-compromise activity included data theft and the execution of Clop ransomware,” security researcher Tiago Pereira said in a Thursday report.

TrueBot is a Windows malware downloader that’s attributed to a threat actor tracked by Group-IB as Silence, a Russian-speaking crew believed to share associations with Evil Corp (aka DEV-0243) and TA505.

The first-stage module functions as an entry point for subsequent post-exploitation activities, including information theft using a hitherto unknown custom data exfiltration utility dubbed Teleport, the cybersecurity firm said.

The use of Raspberry Robin – a worm mainly spread through infected USB drives – as a delivery vector for TrueBot was highlighted recently by Microsoft, which described it as part of a “complex and interconnected malware ecosystem.”

In what’s a further sign of enmeshed collaboration with other malware families, Raspberry Robin has also been observed deploying FakeUpdates (aka SocGholish) on compromised systems, ultimately leading to ransomware-like behavior linked to Evil Corp.

Microsoft is tracking the operators of the USB-based malware as DEV-0856 and the Clop ransomware attacks that happen via Raspberry Robin and TrueBot under the emerging threat cluster DEV-0950.

“DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages,” the Windows maker noted in October 2022.

The latest findings from Cisco Talos show that the Silence APT carried out a small set of attacks between mid-August and September 2022 by abusing a critical RCE vulnerability in Netwrix Auditor (CVE-2022-31199, CVSS score: 9.8) to download and run TrueBot.

The fact that the bug was weaponized merely a month after its public disclosure by Bishop Fox in mid-July 2022 suggests that “attackers are not only on the lookout for new infection vectors, but are also able to quickly test them and incorporate them into their workflow,” Pereira said.

TrueBot infections in October, however, entailed the use of a different attack vector – i.e., Raspberry Robin – underscoring Microsoft’s assessment about the USB worm’s central role as a malware distribution platform.

The primary function of TrueBot is to collect information from the host and deploy next-stage payloads such as Cobalt Strike, FlawedGrace, and Teleport. This is followed by the execution of the ransomware binary after harvesting relevant information.

The Teleport data exfiltration tool is also notable for its ability to limit upload speeds and file sizes, thereby causing the transmissions to go undetected by monitoring software. On top of that, it can erase its own presence from the machine.

A closer look at the commands issued via Teleport reveals that the program is being exclusively used to collect files from OneDrive and Downloads folders as well as the victim’s Outlook email messages.
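The throttled, size-capped uploads described above are designed to slip under per-transfer alert thresholds; the defensive counter is to aggregate outbound bytes per source and destination over a long window. The following is an added detection sketch, not code from the Talos report or the Teleport tool; the flow records and every threshold value are constructed assumptions.

```python
"""Compare a naive per-transfer size rule with a low-and-slow aggregate rule.
Added example; the flows and thresholds below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since the start of the observation window
    src: str        # internal host
    dst: str        # external destination
    bytes_out: int  # bytes uploaded in this flow

# Constructed sample: host .5 drips ~900 KB per minute for eight hours to one
# destination (throttled transfer); host .7 uploads 300 MB in a single flow.
FLOWS = [Flow(t, "10.0.0.5", "203.0.113.10", 900_000) for t in range(0, 8 * 3600, 60)]
FLOWS.append(Flow(100, "10.0.0.7", "198.51.100.2", 300_000_000))

def per_flow_alerts(flows, limit=50_000_000):
    """Naive rule: alert only when a single upload exceeds `limit` bytes."""
    return {(f.src, f.dst) for f in flows if f.bytes_out > limit}

def low_and_slow_alerts(flows, total_limit=250_000_000, min_flows=50, min_span_s=4 * 3600):
    """Aggregate per (src, dst): alert when many small flows spread over a long
    span add up past `total_limit`, even though no single flow is large."""
    totals, count, first, last = defaultdict(int), defaultdict(int), {}, {}
    for f in flows:
        key = (f.src, f.dst)
        totals[key] += f.bytes_out
        count[key] += 1
        first[key] = min(first.get(key, f.ts), f.ts)
        last[key] = max(last.get(key, f.ts), f.ts)
    return {
        key: totals[key]
        for key in totals
        if totals[key] > total_limit
        and count[key] >= min_flows
        and last[key] - first[key] >= min_span_s
    }

if __name__ == "__main__":
    print("per-flow rule flags:", per_flow_alerts(FLOWS))
    print("low-and-slow rule flags:", low_and_slow_alerts(FLOWS))
```

The single large upload is caught by the per-transfer rule, while the throttled host is only visible once bytes are summed per destination across the whole window.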

“The Raspberry Robin delivery led to the creation of a botnet of over 1,000 systems that is distributed worldwide, but with particular focus on Mexico, Brazil, and Pakistan,” Pereira said.

The attackers, however, appear to have switched to an unknown TrueBot distribution mechanism starting in November, with the vector succeeding in co-opting over 500 internet-facing Windows servers located in the U.S., Canada, and Brazil into a botnet.

Related news

Warning issued over increased activity of TrueBot malware

CISA, the FBI, the MS-ISAC, and the CCCS have warned about increased activity of the TrueBot malware in the US and Canada. (Malwarebytes Labs)

Truebot Malware Variants Abound, According to CISA Advisory

US and Canadian government agencies find that new variants of the malware are increasingly being utilized.

Cybersecurity Agencies Sound Alarm on Rising TrueBot Malware Attacks

Cybersecurity agencies have warned about the emergence of new variants of the TrueBot malware. This enhanced threat is now targeting companies in the U.S. and Canada with the intention of extracting confidential data from infiltrated systems. These sophisticated attacks exploit a critical vulnerability (CVE-2022-31199) in the widely used Netwrix Auditor server and its associated agents. This

Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors

A surge in TrueBot activity was observed in May 2023, cybersecurity researchers disclosed. "TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks," VMware's Fae Carlisle said. Active since at least 2017, TrueBot is linked to a group known as Silence that's

Silence is golden partner for Truebot and Clop ransomware

Researchers have identified two new Truebot botnets that are using new versions of the Truebot downloader Trojan to infiltrate and explore a target's network. (Malwarebytes Labs)

Breaking the silence - Recent Truebot activity

Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world.

CVE-2022-31199: Netwrix Auditor Application Critical Vulnerability Advisory

Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.