Pierluigi Paganini July 07, 2023

CISA and the FBI warned today of a new Truebot variant employed in attacks against organizations in the United States and Canada.

A new variant of the Truebot malware was used in attacks against organizations in the United States and Canada. Threat actors compromised target networks by exploiting a critical remote code execution (RCE) vulnerability in the Netwrix Auditor software tracked as CVE-2022-31199.

🚨 ALERT: Increased #Truebot malware activity targets U.S. & Canada organizations.

🤝 Joint advisory by @CISAgov, @FBI, @CISecurity's MS-ISAC, & @cybercentre_ca reveals new variants exploiting #Netwrix Auditor vulnerability.

🔗 https://t.co/04ZzAWnmMn #Cybersecurity pic.twitter.com/8hTbDVxJVm

— CISA Cyber (@CISACyber) July 6, 2023

The flaws CVE-2022-31199 reside in the Netwrix Auditor User Activity Video Recording component and affect both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user.

Truebot has been active since 2017 and some researchers linked it to the Silence Group, while a recent investigation linked it to threat actor TA505 (aka Evil Corp).

TrueBot is a downloader that gathers information on compromised systems and uses infected systems to carry out other malicious activities, as observed recently with Clop Ransomware.

VMware’s Carbon Black Managed Detection and Response (MDR) team observed a surge of TrueBot activity in May 2023.

Once deployed the TrueBot malware on compromised breached networks, threat actors deliver the FlawedGrace RAT, which is a malware known to be part of the TA505 group’s arsenal. The attackers use the malware to escalate privileges and maintain persistence on the compromised systems.

Several hours after the initial infection, Truebot has been observed injecting Cobalt Strike beacons into memory. The beacons remain in a dormant mode for the first few hours prior to initiating additional operations.

“Based on confirmation from open-source reporting and analytical findings of Truebot variants, the authoring organizations assess cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants.” concludes the joint report published by CISA, the FBI and MS-ISAC and the Canadian Centre for Cyber Security.

“The authoring organizations recommend hunting for the malicious activity using the guidance outlined in this CSA, as well as applying vendor patches to Netwrix Auditor (version 10.5—see Mitigations section below).[1] Any organization identifying indicators of compromise (IOCs) within their environment should urgently apply the incident responses and mitigation measures detailed in this CSA and report the intrusion to CISA or the FBI.”

The joint report also includes indicators of compromise (IOCs) and Yara rules to detect the threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Netwrix Auditor)