US and Canadian Authorities Warn of Increased Truebot Activity

An alert regarding an increase in Truebot malware activity with new Tactics, Techniques, and Procedures (TTPs) was issued by US and Canadian authorities on July 6, 2023.

A joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) warns that attackers in the United States and Canada are leveraging newly identified Truebot malware variants to target organizations in new ways.

Truebot is known to be used by notorious cybercrime gangs such as Clop and Silence to collect and steal information from victims.

The advisory notes that previous Truebot malware variants were primarily delivered via malicious phishing email attachments. However, the agencies have recently observed a shift in approach, with more and more attackers exploiting the CVE-2022-31199 vulnerability to expand the botnet.

CVE-2022-31199 is a remote code execution vulnerability in Netwrix Auditor, software used for auditing on-premises and cloud-based IT systems. Exploiting this CVE allows an attacker to gain initial access and move laterally within a compromised network.

The advisory states that once the malicious file is downloaded, Truebot renames itself and deploys FlawedGrace on the host. This remote access tool (RAT) can modify the registry and the print spooler to elevate privileges and establish persistence.

The agencies added that Truebot has been observed in association with many other malware delivery vectors and tools, including Raspberry Robin and Cobalt Strike.

Organizations are advised to take a number of steps to mitigate the growing threat posed by Truebot, including monitoring and controlling software execution and applying vendor patches to Netwrix Auditor.

“Organizations that identify indicators of compromise (IOCs) within their environment should urgently apply the incident response and mitigation measures detailed in this CSA and report the intrusion to CISA or the FBI,” the advisory states.
