Truebot Malware Adopts New Tactics, Ramps Up Operations
Researchers at Cisco Talos also linked Truebot creator Silence group to the notorious Evil Corp (TA505) group.
Cisco Talos researchers recently reported an uptick in Truebot infections. Discovered in 2017, the malware activity, emanating from two different botnets, has surged since August 2022 and is targeting entities in the U.S., Pakistan, Brazil and Mexico.
Researchers at Talos, Cisco’s threat intelligence arm, also linked Truebot creator Silence group to the notorious Evil Corp (TA505). The Talos advisory suggests there exist two different Truebot campaigns leveraging two different botnets that drop various payloads, including Grace (or FlawedGrace and GraceWire), Cobalt Strike and Clop ransomware, both of which are associated with Evil Corp.
One of the botnets (botnet #1) has 1,000 systems and targets entities worldwide but particularly targets Mexico, Pakistan, and Brazil-based organizations, while 75% of the other botnet’s (botnet #2, which has 500 systems) targets are U.S.-based companies.
Additionally, the threat group behind the malware has shifted from email as its primary delivery method to exploiting a remote code execution vulnerability in the IT asset management tool Netwrix Auditor (CVE-2022-31199), to using the Raspberry Robin worm (October 2022), and to another, as yet undescribed, method that Talos discovered in November 2022.
“While the victims of the first botnet were mostly desktop systems not directly accessible from the internet, this second botnet is almost exclusively composed of Windows servers, directly connected to the internet, and exposing several Windows services such as SMB, RDP, and WinRM, but interestingly not Netwrix. This suggests that the attackers are using another distribution mechanism, although we have not yet identified this attack vector,” Talos wrote.
Once in, Truebot’s job is to collect relevant information that is sent to the attacker’s command and control (C2) server to triage targets and deploy additional payloads. The new version of the malware collects additional information, such as a screenshot of the target, the computer name, the local network name and Active Directory trust relations, and can load and execute additional modules and shellcode in memory to obfuscate itself.
Truebot Compromise | Source: Cisco Talos
Truebot also features an exfiltration tool written in C++, dubbed ‘Teleport’, that lets attackers steal data while remaining stealthy. For instance, it limits its upload rate so as not to trigger any alarms, since a network slowed by a high upload rate can draw attention. Exfiltrated data is encrypted with AES using a hardcoded key, and the tool can delete itself once exfiltration is complete.
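As an added illustration (not code from the Talos report), a defensive check that counters the rate-limiting behaviour described above: because a throttled upload never trips a per-minute bandwidth threshold, this detection aggregates outbound volume per host and destination over a long window and flags sustained low-rate transfers. The flow records, host names and addresses are constructed sample data, and the thresholds are assumptions to tune per environment.

```python
# Added example, not from the Talos report: detecting "low and slow" exfiltration.
# Teleport throttles its upload rate so a per-minute bandwidth alarm never fires;
# the counter is to sum outbound bytes per (host, destination) over a long window
# and flag transfers that are large in total but never spike in any single minute.
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_flows():
    """Constructed flow records: (timestamp, src_host, dst_ip, bytes_out).
    "ws-17" trickles 60 KB/min to one external address for six hours;
    "ws-03" pushes a short burst that a simple rate alarm would already catch."""
    base = datetime(2022, 11, 1, 9, 0)
    flows = []
    for minute in range(360):  # 6 hours of steady 60 KB/min uploads
        flows.append((base + timedelta(minutes=minute), "ws-17", "203.0.113.5", 60_000))
    for minute in range(3):  # burst: 50 MB/min for 3 minutes (e.g. a backup job)
        flows.append((base + timedelta(minutes=minute), "ws-03", "198.51.100.9", 50_000_000))
    return flows


def find_low_and_slow(flows, window=timedelta(hours=6), min_total=10_000_000,
                      max_rate_per_min=1_000_000, min_minutes=120):
    """Return (host, dst, total_bytes) for pairs whose outbound volume within
    `window` of their first flow exceeds `min_total`, while no single minute
    exceeds `max_rate_per_min` and activity spans at least `min_minutes` minutes.
    Thresholds are assumed values for illustration."""
    per_pair = defaultdict(lambda: defaultdict(int))  # (host, dst) -> minute -> bytes
    for ts, host, dst, nbytes in flows:
        per_pair[(host, dst)][ts.replace(second=0, microsecond=0)] += nbytes
    findings = []
    for (host, dst), minutes in per_pair.items():
        start = min(minutes)
        in_window = {m: b for m, b in minutes.items() if m - start < window}
        total = sum(in_window.values())
        peak = max(in_window.values())
        # Large total, but never a noticeable spike, sustained over many minutes.
        if total >= min_total and peak <= max_rate_per_min and len(in_window) >= min_minutes:
            findings.append((host, dst, total))
    return findings


if __name__ == "__main__":
    for host, dst, total in find_low_and_slow(make_sample_flows()):
        print(f"sustained low-rate upload: {host} -> {dst}, {total} bytes")
```

The burst from "ws-03" is deliberately left to a conventional rate alarm; this check only surfaces transfers that such an alarm is designed to miss.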
Newer techniques to exfiltrate data and the execution of Clop ransomware suggest that the threat actors leverage Truebot to carry out double extortion ransomware attacks. Additionally, the malware is expanding its scope of infection by going after system features that allow resource sharing across domains, possibly extranets and connecting service providers.
Moreover, Talos pointed out that the attempted exploitation of CVE-2022-31199 indicates the attackers are looking for not only “new infection vectors, but are also able to quickly test them and incorporate them into their workflow.”
“This vulnerability had been published only a few weeks before the attacks took place, and the number of systems exposed from the internet is expected to be quite small,” Talos said.
The Silence group is known to target financial institutions. It leverages publicly available tools as part of its attacks and, as evident from the Talos findings, builds and deploys custom tools to its malicious ends.