
Cybersecurity researchers have revealed that they observed a spike in TrueBot activity in May 2023.
VMware’s Fae Carlisle said, “TrueBot is a downloader Trojan botnet that uses command and control servers to gather information about compromised systems and uses the compromised systems as launching points for further attacks.”
TrueBot has been active since at least 2017 and is associated with a group known as Silence, believed to have commonalities with the notorious Russian cybercriminal known as Evil Corp.

Recent TrueBot infections have used a critical Netwrix Auditor flaw (CVE-2022-31199, CVSS score: 9.8) and the Raspberry Robin worm as delivery vectors.

Meanwhile, the attack chain documented by VMware begins with a drive-by download, via Google Chrome, of an executable called “update.exe,” suggesting that users are tricked into downloading the malware under the guise of a software update.
When update.exe runs, it establishes a connection with a known TrueBot IP address located in Russia and retrieves the second stage executable (“3ujwy2rz7v.exe”). This executable is then launched using the Windows Command Prompt.
This second-stage executable connects to a command and control (C2) domain and exfiltrates sensitive information from the host. It is also capable of enumerating running processes and system details.
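The chain described above (browser-downloaded “update.exe” spawning cmd.exe, which launches a second-stage binary with a random-looking name from a user-writable folder) is a natural target for a process-tree detection. The following is an added example, not VMware’s tooling: it runs a simple heuristic over constructed Sysmon-style process-creation events; the field names, paths and the “random name” regex are assumptions for illustration.

```python
import re

# Constructed Sysmon-style process-creation events for illustration (not real telemetry).
EVENTS = [
    {"pid": 4100, "ppid": 3020, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe"},
    {"pid": 5212, "ppid": 4100, "image": r"C:\Users\alice\Downloads\update.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "update.exe"},
    {"pid": 5300, "ppid": 5212, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\Downloads\update.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\3ujwy2rz7v.exe"'},
    {"pid": 5350, "ppid": 5300, "image": r"C:\Users\alice\AppData\Local\Temp\3ujwy2rz7v.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "3ujwy2rz7v.exe"},
    # Benign control: a vendor updater started by a service from Program Files.
    {"pid": 6000, "ppid": 800, "image": r"C:\Program Files\Vendor\update.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "update.exe /silent"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Directories a standard user can write to (assumed list; extend for your environment).
USER_WRITABLE = re.compile(r"\\(Downloads|AppData\\Local\\Temp|Temp)\\", re.I)
# Basename of 8+ alphanumerics mixing letters and digits, like the observed "3ujwy2rz7v.exe".
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}\.exe$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def find_truebot_like_chains(events):
    """Return (stage1, cmd.exe command line, stage2) tuples matching the browser -> stage1 -> cmd.exe -> stage2 pattern."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for stage2 in events:
        # Stage 2: random-looking executable name launched from a user-writable directory.
        if not (RANDOM_NAME.match(basename(stage2["image"])) and USER_WRITABLE.search(stage2["image"])):
            continue
        cmd = by_pid.get(stage2["ppid"])
        if not cmd or basename(cmd["image"]).lower() != "cmd.exe":
            continue
        stage1 = by_pid.get(cmd["ppid"])
        # Stage 1: dropped in a user-writable directory and spawned directly by a browser.
        if not stage1 or not USER_WRITABLE.search(stage1["image"]):
            continue
        if basename(stage1["parent_image"]).lower() not in BROWSERS:
            continue
        hits.append((stage1["image"], cmd["cmdline"], stage2["image"]))
    return hits
```

The benign vendor updater in the sample is deliberately not flagged, since it is neither browser-spawned nor launched from a user-writable path; tune the directory list and name heuristic before deploying against real telemetry.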
“TrueBot can be a particularly nasty infection for any network,” said Carlisle. “Once an organization is infected with this malware, it can quickly spread and develop into a larger infection, much like ransomware spreads across a network.”
The findings follow SonicWall detailing a new variant of another downloader malware known as GuLoader (aka CloudEyE) that is used to deliver a wide range of malware, including Agent Tesla, Azorult and Remcos.
“The latest variant of GuLoader introduces new ways to raise exceptions that prevent the full analysis process and execution in a controlled environment,” SonicWall said.