TrueBot infections were observed in Clop ransomware attacks

Researchers reported an increase in TrueBot infections, attackers have shifted from using malicious emails as their primary delivery method to other techniques.

Cisco Talos researchers reported an increase in TrueBot infections, threat actors have shifted from using malicious emails as their primary attack vector to other techniques.

Truebot has been active since 2017 and some researchers linked it to the Silence Group, while a recent investigation linked it to threat actor TA505 (aka Evil Corp).

The Talos experts identified two different Truebot botnets, one is distributed worldwide, with a particular focus on Mexico, Pakistan, and Brazil, and the second one is focused on the US.

The delivery methods used in recent attacks include the exploitation of a now-patched vulnerability (CVE-2022-31199) in Netwrix Auditor, an IT asset management tool, and the Raspberry Robin worm.

The experts highlighted that the attacks took place only a few weeks after the vulnerability was publicly disclosed, a circumstance that suggests threat actors quickly test new attack vectors.

The researchers believe with moderate confidence that during November, the threat actors started using yet another distribution technique.

“Recently, the attackers have shifted from using malicious emails as their primary delivery method to other techniques. In August, we saw a small number of attacks that exploited a recent remote code execution vulnerability in Netwrix auditor. In October, a larger number of infections leveraged Raspberry Robin, a recent malware spread through USB drives, as a delivery vector.” reads the analysis published by Talos. “Post-compromise activity included data theft and the execution of Clop ransomware.”

Truebot is a downloader malware, it is used to infect systems, collect information on the targets, and deploy additional malicious payloads. Gathered data are sent back to the attacker’s command and control (C2). 

The researchers noticed a set of commands to exfiltrate stolen data through a previously unknown custom tool dubbed Teleport.

The analysis of the commands issued via Teleport reveals that the tool is used by the attackers to collect files from OneDrive and Downloads folders, and from the victim’s Outlook email messages.

Talos telemetry reported multiple occurrences of Raspberry Robin delivering Truebot.

The researchers investigated an attack leveraging Truebt to deliver the Clop ransomware.

“The attackers, however, appear to have switched to an unknown TrueBot distribution mechanism starting in November, with the vector succeeding in co-opting over 500 internet-facing Windows servers located in the U.S., Canada, and Brazil into a botnet.” concludes the report that also includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, TrueBot)

[adrotate banner=”5″]

[adrotate banner=”13″]