Cybercrime , Fraud Management & Cybercrime , Malware as-a-Service

Updated Truebot Malware Targeting Orgs in US, Canada

New Variant of Trojan Called Silence.Downloader Seen in May
Updated Truebot Malware Targeting Orgs in US, Canada

North American cybersecurity agencies are warning about a new variant of the Truebot Trojan that collects and exfiltrates information from victims.

See Also: How to Build Your Cyber Recovery Playbook

In an advisory published Thursday, the U.S. Cybersecurity and Infrastructure Security Agency, the FBI, the Multi-State Information Sharing and Analysis Center and the Canadian Center for Cyber Security warn that cybercriminals were using the newly identified variant, tracked as Silence.Downloader, as recently as May 31.

Silence.Downloader attacks a known critical-severity vulnerability CVE-2022-31199 - a remote code execution vulnerability in Netwrix Auditor. Threat actors have leveraged this flaw to gain initial access and move laterally within the compromised network, CISA said. Threat actors leverage phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new variant, CISA said.

"Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments, but this newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199, enabling deployment of the malware at scale within the compromised environment," CISA said in the advisory.

Over 13,000 organizations worldwide use the Netwrix audit tool for on-premises and cloud-based IT system auditing. It tracks happenings across IT environment to streamline IT tasks, prevent issues and send reports to stakeholders automatically.

The VMware Carbon Black MDR team last month reported a surge in Truebot activity and said the Netwrix Auditor vulnerability was being used as a delivery method.

Once the malware is installed in a target machine, Truebot renames itself and loads FlawedGrace onto the host. FlawedGrace is a remote access tool used in Truebot operations.

Once Truebot is deployed, FlawedGrace modifies the registry and print spooler programs that control the order that documents are loaded to a print queue. The tool also manipulates these features to escalate privilege and establish persistence.

During FlawedGrace's execution phase, the RAT stores encrypted payloads within the registry, creates scheduled tasks, and injects payloads into msiexec.exe and svchost.exe, which are command processes that enable FlawedGrace to establish a command-and-control connection to, for example, as well as load dynamic link libraries to accomplish privilege escalation, the agencies said.

In April, the Russian-speaking Clop ransomware-as-a-service gang exploited two vulnerabilities in Australian firm PaperCut's print management software to target multiple organizations. It deployed Truebot to inject the Clop ransomware in affected systems (see: Ransomware Hackers Exploit PaperCut Bugs).

Earlier this year, the Clop ransomware gang took responsibility for more than 50 attacks that exploited a vulnerability in the GoAnywhere file transfer software (see: Clop GoAnywhere Attacks Have Now Hit 130 Organizations).

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.