Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors
Cyber Security Threat Summary:
VMware’s Carbon Black Managed Detection and Response (MDR) team saw a surge in TrueBot activity in May 2023. TrueBot is a botnet that has been active since 2017 and is linked to the Silence group, a cybercriminal group that is known for targeting banks and financial institutions, in addition to the educator sector. According to VMware’s MDR team, TrueBot has been under active development by Silence, with the latest versions now leveraging a Netwrix vulnerability (CVE-2022-31199, CVSS score: 9.8) as a delivery vector.
“Just as its name suggests, TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks, as seen recently with Clop Ransomware. TrueBot was known for using malicious emails to drop their malware but was recently seen using a Netwrix vulnerability as their delivery method. VMware’s MDR team has seen this vulnerability used firsthand in customer environments, as explored below. TrueBot is also using Raspberry Robin (a worm) as a delivery vector,” noted researchers.
Security Officer Comments:
In its blog post, VMware’s Carbon MDR team highlighted an attack chain leveraged by TrueBot in recent attacks. The initial infection started off with a drive-by-download masquerading as a Chrome update. Users would be prompted to download the following “update[.]exe” executable in order to “update” their browsers. However, instead of a Chrome update, malware would instead be downloaded on the victim’s system, leading to a series of malicious activities.
According to researchers, “upon execution, the malware immediately begins to look for EDR and antivirus software. Once executed, it connected to 94[.]142[.]138[.]61IP, which is a Russian IP address that is known to be attributed to TrueBot. At the address, the executable ‘3ujwy2rz7v[.]exe’ was downloaded and then launched by cmd[.]exe. The executable then connected to the C2 domain name ‘dremmfyttrred[.]com’. The activity thereafter included dumps of LSASS, exfiltration of data, and system and process enumerations.”
Suggested Correction(s):
Update systems on a regular basis as threat actors will exploit vulnerabilities like CVE-2022-31199 to launch attacks on vulnerable devices. To prevent potential TrueBot infections, users should be wary of links or attachments in emails that come from unknown senders. Furthermore, it is also recommended to only download software from the official vendor’s site. Typically cybercriminals will host domains pretending to offer free software installs or updates. However, these are infected with malicious executables, allowing the threat actors to compromise the systems of unsuspecting victims who fall for the lure.
TrueBot IOCs: https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html
Link(s):
https://thehackernews.com/2023/06/alarming-surge-in-truebot-activity.html