Experts warn of a surge of TrueBot activity in May 2023

VMware’s Carbon Black Managed Detection and Response (MDR) team observed a surge of TrueBot activity in May 2023.

Researchers at VMware’s Carbon Black Managed Detection and Response (MDR) team warn of a surge of TrueBot activity in May 2023.

Truebot has been active since 2017 and some researchers linked it to the Silence Group, while a recent investigation linked it to threat actor TA505 (aka Evil Corp).

TrueBot is a downloader that gathers information on compromised systems and uses infected systems to carry out other malicious activities, as observed recently with Clop Ransomware

In recent TrueBot attacks, operators exploited a critical vulnerability, tracked as CVE-2022-31199 (CVSS score: 9.8) in Netwrix auditor, as well as Raspberry Robin as delivery vectors.

The attack chain commences with a drive-by-download from Chrome for the executable ‘update.exe’. The threat actors attempt to trick users into downloading and executing the above executable masquerading it as a software update.

Once executed the above file, it connected to 94[.]142.138.61, which is a Russian IP address that is known to be attributed to TrueBot. Then a second-stage executable ‘3ujwy2rz7v.exe’ was downloaded and executed via cmd.exe, then it connected to the C2 domain ‘dremmfyttrred[.]com’.

The latest executable dumps of LSASS, exfiltrates data, and performs system and process enumerations.

“TrueBot can be a particularly nasty infection for any network. When an organization is infected with this malware, it can quickly escalate to become a bigger infection, similar to how ransomware spreads throughout a network.” concludes the report. “Carbon Black is able to quickly detect TrueBot and its associated activity and, with the help of MDR, be able to detect and contain it early in the attack chain before the threat escalates.”

The report also includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)