Researchers at VMware’s Carbon Black Managed Detection and Response (MDR) team warn of a surge of TrueBot activity in May 2023.
Truebot has been active since 2017 and some researchers linked it to the Silence Group, while a recent investigation linked it to threat actor TA505 (aka Evil Corp).
TrueBot is a downloader that gathers information on compromised systems and uses infected systems to carry out other malicious activities, as observed recently with Clop Ransomware
In recent TrueBot attacks, operators exploited a critical vulnerability, tracked as CVE-2022-31199 (CVSS score: 9.8) in Netwrix auditor, as well as Raspberry Robin as delivery vectors.
The attack chain commences with a drive-by-download from Chrome for the executable ‘update.exe’. The threat actors attempt to trick users into downloading and executing the above executable masquerading it as a software update.
Once executed the above file, it connected to 94[.]142.138.61, which is a Russian IP address that is known to be attributed to TrueBot. Then a second-stage executable ‘3ujwy2rz7v.exe’ was downloaded and executed via cmd.exe, then it connected to the C2 domain ‘dremmfyttrred[.]com’.
The latest executable dumps of LSASS, exfiltrates data, and performs system and process enumerations.
“TrueBot can be a particularly nasty infection for any network. When an organization is infected with this malware, it can quickly escalate to become a bigger infection, similar to how ransomware spreads throughout a network.” concludes the report. “Carbon Black is able to quickly detect TrueBot and its associated activity and, with the help of MDR, be able to detect and contain it early in the attack chain before the threat escalates.”
The report also includes Indicators of Compromise (IoCs).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
A vulnerability could allow recovery of the phone number associated with a Google account by…
Hackers breached Texas DOT (TxDOT), stealing 300,000 crash reports with personal data from its Crash…
SAP fixed a critical NetWeaver flaw that let attackers bypass authorization and escalate privileges. Patch…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds RoundCube Webmail and Erlang Erlang/OTP SSH server flaws…
Mirai botnets are exploiting CVE-2025-24016, a critical remote code execution flaw in Wazuh servers, Akamai…
China-linked threat actor targeted over 70 global organizations, including governments and media, in cyber-espionage attacks…
This website uses cookies.
