Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors

11 months ago AndyC

Jun
05,
2023Ravie
LakshmananMalware
/
Cyber
Threat

A
surge
in
TrueBot
activity
was
observed
in
May
2023,
cybersecurity
researchers
disclosed.

Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors



Jun
05,
2023Ravie
LakshmananMalware
/
Cyber
Threat


Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors

A
surge
in
TrueBot
activity
was
observed
in
May
2023,
cybersecurity
researchers
disclosed.

“TrueBot
is
a
downloader
trojan
botnet
that
uses
command
and
control
servers
to
collect
information
on
compromised
systems
and
uses
that
compromised
system
as
a
launching
point
for
further
attacks,”
VMware’s
Fae
Carlisle

said.

Active
since
at
least
2017,
TrueBot
is
linked
to
a
group
known
as
Silence
that’s
believed
to
share
overlaps
with
the
notorious
Russian
cybercrime
actor
known
as

Evil
Corp.

Recent

TrueBot
infections
have
leveraged
a
critical
flaw
in
Netwrix
auditor
(CVE-2022-31199,
CVSS
score:
9.8)
as
well
as

Raspberry
Robin
as
delivery
vectors.


TrueBot

The
attack
chain
documented
by
VMware,
on
the
other
hand,
starts
off
with
a
drive-by-download
of
an
executable
named
update.exe
from
Google
Chrome,
suggesting
that
users
are
lured
into
downloading
the
malware
under
the
pretext
of
a
software
update.

Once
run,
update.exe
establishes
connections
with
a
known
TrueBot
IP
address
located
in
Russia
to
retrieve
a
second-stage
executable
(“3ujwy2rz7v.exe”)
that’s
subsequently
launched
using
Windows
Command
Prompt.

The
executable,
for
its
part,
connects
to
a
command-and-control
(C2)
domain
and
exfiltrates
sensitive
information
from
the
host.
It’s
also
capable
of
process
and
system
enumeration.


UPCOMING
WEBINAR

🔐
Mastering
API
Security:
Understanding
Your
True
Attack
Surface

Discover
the
untapped
vulnerabilities
in
your
API
ecosystem
and
take
proactive
steps
towards
ironclad
security.
Join
our
insightful
webinar!

Join
the
Session

“TrueBot
can
be
a
particularly
nasty
infection
for
any
network,”
Carlisle
said.
“When
an
organization
is
infected
with
this
malware,
it
can
quickly
escalate
to
become
a
bigger
infection,
similar
to
how
ransomware
spreads
throughout
a
network.”

The
findings
come
as
SonicWall
detailed
a
new
variant
of
another
downloader
malware
known
as

GuLoader
(aka
CloudEyE)
that’s
used
to
deliver
a
wide
range
of
malware
such
as
Agent
Tesla,
Azorult,
and
Remcos.

“In
the
latest
variant
of
GuLoader,
it
introduces
new
ways
to
raise
exceptions
that
hamper
complete
analysis
process
and
its
execution
under
controlled
environment,”
SonicWall

said.

Found
this
article
interesting?
Follow
us
on

Twitter


and

LinkedIn
to
read
more
exclusive
content
we
post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

More Stories

Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

26 mins ago AndyC
Bogus npm Packages Used to Trick Software Developers into Installing Malware

Bogus npm Packages Used to Trick Software Developers into Installing Malware

6 hours ago AndyC
Severe Flaws Disclosed in Brocade SANnav SAN Management Software

Severe Flaws Disclosed in Brocade SANnav SAN Management Software

18 hours ago AndyC
10 Critical Endpoint Security Tips You Should Know

10 Critical Endpoint Security Tips You Should Know

1 day ago AndyC
New 'Brokewell' Android Malware Spread Through Fake Browser Updates

New ‘Brokewell’ Android Malware Spread Through Fake Browser Updates

1 day ago AndyC
Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

1 day ago AndyC

You may have missed

Brokewell supports an extensive set of Device Takeover capabilities

Brokewell supports an extensive set of Device Takeover capabilities

21 mins ago AndyC
Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

26 mins ago AndyC
Bogus npm Packages Used to Trick Software Developers into Installing Malware

Bogus npm Packages Used to Trick Software Developers into Installing Malware

6 hours ago AndyC

Friday Squid Blogging: Searching for the Colossal Squid

12 hours ago AndyC
Showcasing Artwork by Max for Autism Awareness Month

Showcasing Artwork by Max for Autism Awareness Month

12 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.