After Pakistan, Mexico, Brazil, and the US, cybercriminals are now using Truebot malware variants to target organizations in Canada, US and Canadian cybersecurity agencies have warned.
The US Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS), has issued a joint advisory on the latest development.
Truebot, also known as Silence.Downloader, is a botnet and downloader that malicious cyber groups, including the notorious CL0P Ransomware Gang, have used to gather sensitive information from their victims.
Cybersecurity researchers in December spotted widespread Truebot malware infections in Mexico, Brazil, and Pakistan, along with the United States, The Cyber Express reported earlier.
In that campaign, the primary objectives of the Truebot infections were data theft and the execution of Cl0p ransomware.
The US and Canadian agencies detected a surge in the use of new Truebot malware variants against organizations in the region in late May 2023.
“Based on confirmation from open-source reporting and analytical findings of Truebot variants, the four organizations assess cyber threat actors leveraged the malware through phishing campaigns containing malicious redirect hyperlinks,” said the advisory.
Understanding Truebot malware and its operations
Truebot malware is a type of malicious software that poses a significant threat to organizations. By gaining unauthorized access to computer systems, it allows cybercriminals to steal sensitive data and carry out various malicious activities.
Traditionally, cyber threat actors deployed Truebot malware variants through phishing campaigns carrying malicious email attachments or links.
When unsuspecting users open the attachments or click the links, the Truebot malware is downloaded and executed.
In some instances, cybercriminals even conceal the malware within seemingly legitimate file formats, making detection more challenging.
However, the newer versions have expanded the attack vector by exploiting a remote code execution vulnerability (CVE-2022-31199) in the Netwrix Auditor application, software used for auditing IT systems.
By exploiting this vulnerability, cybercriminals can gain initial access to a target network and then move laterally and escalate their activities.
“Open-source reporting and analytical findings show that cyber threat actors are using both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 exploitation to deliver new Truebot malware variants,” said the advisory.
The advisory urged organizations to apply the Netwrix Auditor patch (version 10.5) to mitigate the risk associated with CVE-2022-31199.
Exploiting the Netwrix Auditor vulnerability is not a new tactic for the threat actors behind Truebot malware.
Cisco Talos researchers in December reported an increase in Truebot malware infections targeting various countries, including Mexico, Brazil, Pakistan, and the United States.
“Recently, the attackers have shifted from using malicious emails as their primary delivery method to other techniques,” said the Cisco Talos report.
“In August, we saw a small number of attacks that exploited a recent remote code execution vulnerability in Netwrix Auditor.”
Truebot malware: Entry and spread
“Following the successful download of the malicious file, Truebot renames itself and then loads FlawedGrace onto the host,” said the advisory.
“After deployment by Truebot, FlawedGrace is able to modify registry and print spooler programs that control the order that documents are loaded to a print queue.”
FlawedGrace manipulates these features to both escalate privileges and establish persistence. It can create scheduled tasks, inject payloads into running system processes, and establish a command and control (C2) connection to the attacker’s server.
This connection enables the cybercriminals to control the compromised system remotely and execute further malicious activities.
Truebot also injects Cobalt Strike beacons into memory. These beacons let the attackers keep control of the compromised system after the initial infection stage has finished.
Because the beacons live in the memory of an existing process rather than on disk, the attackers can continue their operations while evading file-based detection.
To profile the host and evade analysis, Truebot performs several checks.
It checks the operating system version, processor architecture, and the presence of debuggers or security tools.
This information lets the malware adapt its behaviour and avoid detection by security measures. Truebot also synchronizes with the system’s internal clock to facilitate the scheduling of tasks.
For data collection and exfiltration, Truebot sends system information and a unique identifier (GUID) to a designated URL, establishing a connection with the attacker’s server.
Over this connection the attackers can send further instructions, download additional malicious payloads, self-replicate within the network, delete files used during the operation, and exfiltrate sensitive data from the compromised system.
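The behaviours described in this section (scheduled-task persistence, registry and print spooler tampering, injection into system processes, and a C2 connection made from the injected process) map onto host telemetry that most organizations already collect. The Python below is an added example written for this article; it is not code from the joint advisory, CISA, or Cisco Talos. It correlates those behaviours over a handful of Sysmon-style events that are constructed for the demo: the hostnames, file paths, registry key and IP addresses are made up and none of them is an indicator from the advisory.

```python
"""
Hunt for Truebot/FlawedGrace-style post-exploitation behaviour in
Sysmon-like JSON events: scheduled tasks pointing at user-writable paths,
value writes under print spooler or Run keys, CreateRemoteThread from a
user-writable binary into a system process, and a later outbound
connection from that injected process.

Added example for this article, not the advisory's code. The events in
SAMPLE_EVENTS are constructed; field names follow the Sysmon schema but
every path, host and address is made up (IPs are RFC 5737 documentation
addresses).
"""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample telemetry, one JSON object per line.
SAMPLE_EVENTS = r"""
{"host":"WS-17","EventID":1,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","CommandLine":"update.exe"}
{"host":"WS-17","EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","ParentImage":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","CommandLine":"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"}
{"host":"WS-17","EventID":13,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","TargetObject":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors\\winprint\\Driver"}
{"host":"WS-17","EventID":8,"SourceImage":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","TargetImage":"C:\\Windows\\System32\\svchost.exe"}
{"host":"WS-17","EventID":3,"Image":"C:\\Windows\\System32\\svchost.exe","DestinationIp":"203.0.113.45","DestinationPort":443}
{"host":"WS-22","EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","CommandLine":"schtasks /query"}
{"host":"WS-22","EventID":3,"Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","DestinationIp":"203.0.113.9","DestinationPort":443}
"""

# Locations an unprivileged user can write to; a scheduled task or injecting
# process that lives here is far more suspicious than one under System32.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Registry locations the advisory's description points at: print spooler
# configuration and the classic Run key.
PERSISTENCE_KEYS = re.compile(r"\\(?:Control\\Print\\|CurrentVersion\\Run)", re.IGNORECASE)

# Explicit internal ranges rather than ipaddress.is_global, because the
# documentation addresses used in the demo are not "global" either.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    """True if ip parses and is outside the internal ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(lines):
    """Return {host: sorted list of behaviour tags} for hosts with findings."""
    findings = defaultdict(set)
    injected = defaultdict(set)  # host -> lower-cased images that received injected code
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        host, eid = ev["host"], ev["EventID"]
        if eid == 1:  # process creation
            cmd = ev.get("CommandLine", "")
            if (ev["Image"].lower().endswith("schtasks.exe")
                    and "/create" in cmd.lower() and USER_WRITABLE.search(cmd)):
                findings[host].add("persistence_scheduled_task")
        elif eid == 13 and PERSISTENCE_KEYS.search(ev.get("TargetObject", "")):
            findings[host].add("registry_persistence")  # registry value set
        elif eid == 8 and USER_WRITABLE.search(ev.get("SourceImage", "")):
            findings[host].add("process_injection")  # CreateRemoteThread
            injected[host].add(ev["TargetImage"].lower())
        elif eid == 3:  # network connection: only interesting from an injected process
            if ev["Image"].lower() in injected[host] and is_external(ev.get("DestinationIp", "")):
                findings[host].add("c2_from_injected_process")
    return {h: sorted(tags) for h, tags in findings.items()}


def run_demo():
    return hunt(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run as-is it flags only WS-17, with all four behaviours; WS-22's schtasks /query and ordinary browser traffic produce nothing. In production the same correlation would be keyed on a time window and process GUID rather than a plain image path, and the registry and path patterns would be tuned to your own telemetry, but the shape of the logic, chaining a persistence event, an injection and a later outbound connection from the injected process, is what separates this activity from a single noisy indicator.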