Headline
Cybersecurity Agencies Sound Alarm on Rising TrueBot Malware Attacks
Cybersecurity agencies have warned about the emergence of new variants of the TrueBot malware. This enhanced threat is now targeting companies in the U.S. and Canada with the intention of extracting confidential data from infiltrated systems. These sophisticated attacks exploit a critical vulnerability (CVE-2022-31199) in the widely used Netwrix Auditor server and its associated agents. This
Cybersecurity agencies have warned about the emergence of new variants of the TrueBot malware. This enhanced threat is now targeting companies in the U.S. and Canada with the intention of extracting confidential data from infiltrated systems.
These sophisticated attacks exploit a critical vulnerability (CVE-2022-31199) in the widely used Netwrix Auditor server and its associated agents.
This vulnerability enables unauthorized attackers to execute malicious code with the SYSTEM user’s privileges, granting them unrestricted access to compromised systems.
The TrueBot malware, linked with cybercriminal collectives Silence and FIN11, is deployed to siphon off data and disseminate ransomware, jeopardising the safety of numerous infiltrated networks.
The cybercriminals gain their initial foothold by exploiting the cited vulnerability, then proceed to install TrueBot. Once they have breached the networks, they install the FlawedGrace Remote Access Trojan (RAT) to escalate their privileges, establish persistence on the compromised systems, and conduct additional operations.
“During FlawedGrace’s execution phase, the RAT stores encrypted payloads within the registry. The tool can create scheduled tasks and inject payloads into msiexec[.]exe and svchost[.]exe, which are command processes that enable FlawedGrace to establish a command and control (C2) connection to 92.118.36[.]199, for example, as well as load dynamic link libraries (DLLs) to accomplish privilege escalation,” the advisory says.
The cybercriminals initiate Cobalt Strike beacons within several hours of the first intrusion. These beacons facilitate post-exploitation tasks, including stealing data and installing ransomware or different malware payloads.
While previous versions of the TrueBot malware were typically spread through malicious email attachments, the updated versions leverage the CVE-2022-31199 vulnerability to gain initial access.
This strategic shift allows the cyber threat actors to carry out attacks on a broader scale within infiltrated environments. Importantly, the Netwrix Auditor software is employed by more than 13,000 organizations worldwide, including notable firms such as Airbus, Allianz, the UK NHS, and Virgin.
The advisory does not provide specific information about the victims or the number of organizations affected by the TrueBot attacks.
The report also underlines the participation of the Raspberry Robin malware in these TrueBot attacks, as well as other post-compromise malware like IcedID and Bumblebee. By utilizing Raspberry Robin as a distribution platform, attackers can reach more potential victims and amplify the impact of their malicious activities.
UPCOMING WEBINAR
🔐 Privileged Access Management: Learn How to Conquer Key Challenges
Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.
Reserve Your Spot
Given that the Silence and TA505 groups are actively infiltrating networks for monetary benefit, it is crucial for organizations to implement suggested security measures.
To safeguard themselves against TrueBot malware and similar threats, organizations should take the following recommendations into account:
- Install updates: Organizations using Netwrix Auditor should install the necessary updates to mitigate the CVE-2022-31199 vulnerability and update their software to version 10.5 or above.
- Enhance security protocols: Deploy multi-factor authentication (MFA) for all employees and services.
- Be vigilant for signs of infiltration (IOCs): Security teams must actively scrutinize their networks for indications of TrueBot contamination. The joint warning provides guidelines to help in discovering and reducing the malware’s impact.
- Report any incidents: If organizations detect IOCs or suspect a TrueBot infiltration, they must act swiftly in accordance with the incident response actions laid out in the warning and report the incident to CISA or the FBI.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Categories: News Categories: Ransomware Tags: TrueBot Tags: Cl0p Tags: Silence Group Tags: CVE-2022-31199 Tags: Raspberry Robin Tags: FlawedGrace Tags: Cobalt Strike Tags: Teleport CISA, the FBI, the MS-ISAC, and the CCCS have warned about increased activity of the TrueBot malware in the US and Canada. (Read more...) The post Warning issued over increased activity of TrueBot malware appeared first on Malwarebytes Labs.
US and Canadian government agencies find that new variants of the malware are increasingly being utilized.
A surge in TrueBot activity was observed in May 2023, cybersecurity researchers disclosed. "TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks," VMware's Fae Carlisle said. Active since at least 2017, TrueBot is linked to a group known as Silence that's
Categories: News Categories: Ransomware Tags: Silence Tags: TA505 Tags: Clop ransomware Tags: Truebot Tags: Grace Tags: Cobalt Strike Tags: Teleport Tags: FIN11 Researchers have identified two new Truebot botnets that are using new versions of the Truebot downloader Trojan to infiltrate and explore a target's network. (Read more...) The post Silence is golden partner for Truebot and Clop ransomware appeared first on Malwarebytes Labs.
Cybersecurity researchers have reported an increase in TrueBot infections, primarily targeting Mexico, Brazil, Pakistan, and the U.S. Cisco Talos said the attackers behind the operation have moved from using malicious emails to alternative delivery methods such as the exploitation of a now-patched remote code execution (RCE) flaw in Netwrix auditor as well as the Raspberry Robin worm. "
Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world.
Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.