Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors
[ Posted: 2023-06-06 ]
VMware’s Carbon Black Managed Detection and Response (MDR) team saw a surge in TrueBot activity in May 2023. TrueBot is a botnet that has been active since 2017 and is linked to the Silence group, a cybercriminal group known for targeting banks and financial institutions, in addition to the education sector. According to VMware’s MDR team, TrueBot has been under active development by Silence, with the latest versions now leveraging a Netwrix vulnerability (CVE-2022-31199, CVSS score: 9.8) as a delivery vector.
“Just as its name suggests, TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks, as seen recently with Clop Ransomware. TrueBot was known for using malicious emails to drop their malware but was recently seen using a Netwrix vulnerability as their delivery method. VMware’s MDR team has seen this vulnerability used firsthand in customer environments, as explored below. TrueBot is also using Raspberry Robin (a worm) as a delivery vector,” noted researchers.
Security Officer Comments:
In its blog post, VMware’s Carbon Black MDR team highlighted an attack chain leveraged by TrueBot in recent attacks. The initial infection started with a drive-by download masquerading as a Chrome update: users were prompted to download an executable named “update[.]exe” in order to “update” their browser. Instead of a Chrome update, the file dropped malware onto the victim’s system, leading to a series of malicious activities.
According to researchers, “upon execution, the malware immediately begins to look for EDR and antivirus software. Once executed, it connected to the 94[.]142[.]138[.]61 IP, which is a Russian IP address that is known to be attributed to TrueBot. At the address, the executable ‘3ujwy2rz7v[.]exe’ was downloaded and then launched by cmd[.]exe. The executable then connected to the C2 domain name ‘dremmfyttrred[.]com’. The activity thereafter included dumps of LSASS, exfiltration of data, and system and process enumerations.”
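As an added example (not part of the report or of VMware’s tooling), the following Python scanner refangs the indicators quoted above and checks endpoint telemetry for hosts that show more than one stage of the described chain. The log format, hostnames and sample lines are constructed assumptions.

```python
import re

# Indicators quoted in the report above, kept in the page's defanged form.
DEFANGED_IOCS = {
    "dropper": "update[.]exe",
    "c2_ip": "94[.]142[.]138[.]61",
    "payload": "3ujwy2rz7v[.]exe",
    "c2_domain": "dremmfyttrred[.]com",
}

def refang(value):
    """Turn the report's '[.]' notation back into a matchable string."""
    return value.replace("[.]", ".")

# Whole-token matches only, so 'winupdate.exe' or '194.142.138.61'
# do not trigger on the shorter indicator embedded inside them.
PATTERNS = {
    name: re.compile(r"(?<![\w.-])" + re.escape(refang(v)) + r"(?![\w-])", re.I)
    for name, v in DEFANGED_IOCS.items()
}

# Constructed sample telemetry (not from the report). Fields are
# "<timestamp> <event-type> <host> <parent> -> <target>".
SAMPLE_LOG = """\
2023-05-12T10:01:03Z proc WS01 chrome.exe -> update.exe
2023-05-12T10:01:05Z net  WS01 update.exe -> 94.142.138.61:443
2023-05-12T10:01:09Z proc WS01 cmd.exe -> 3ujwy2rz7v.exe
2023-05-12T10:01:11Z dns  WS01 3ujwy2rz7v.exe -> dremmfyttrred.com
2023-05-12T10:02:40Z proc WS01 3ujwy2rz7v.exe -> procdump.exe lsass
2023-05-12T10:05:00Z net  WS02 outlook.exe -> 194.142.138.61:443
2023-05-12T10:06:00Z proc WS03 svchost.exe -> winupdate.exe
"""

def scan(log_text):
    """Return {host: sorted list of indicator names seen on that host}."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the scan
        host, details = parts[2], parts[3]
        for name, pat in PATTERNS.items():
            if pat.search(details):
                seen.setdefault(host, set()).add(name)
    return {h: sorted(s) for h, s in seen.items()}

def suspected_truebot_hosts(log_text, min_stages=2):
    """Hosts on which at least `min_stages` distinct chain indicators appear."""
    return sorted(h for h, s in scan(log_text).items() if len(s) >= min_stages)
```

Requiring two or more distinct indicators per host keeps a single near-miss (such as the WS02 and WS03 lines) from raising an alert on its own.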
Update systems on a regular basis, as threat actors will exploit vulnerabilities like CVE-2022-31199 to launch attacks on vulnerable devices. To prevent potential TrueBot infections, users should be wary of links or attachments in emails from unknown senders. It is also recommended to download software only from the official vendor’s site: cybercriminals typically host domains that pretend to offer free software installs or updates, but these deliver malicious executables that allow the threat actors to compromise the systems of unsuspecting victims who fall for the lure.
TrueBot IOCs: https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html