The U.S. government is warning of an increase in attacks that are leveraging new variants of the six-year-old TrueBot malware in order to exfiltrate data from victim organizations.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and other agencies, said that they have observed threat groups using newly identified TrueBot malware variants in attacks in the U.S. and Canada as recently as May 31. These attacks are exploiting a known, critical-severity vulnerability (CVE-2022-31199) in the Netwrix Auditor security audit tool to deliver TrueBot. Threat actors have leveraged this flaw to gain initial access and move laterally within the compromised network, said CISA.
“Previous TrueBot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199—(a remote code execution vulnerability in the Netwrix Auditor application), enabling deployment of the malware at scale within the compromised environment,” according to CISA’s advisory on Thursday.
In addition to the U.S. government, security researchers have closely tracked campaigns that involve TrueBot. In June, VMware’s Carbon Black team said it saw a surge in TrueBot activity in May and noted the shift to using the Netwrix Auditor vulnerability as a delivery method. Researchers said they also observed the Raspberry Robin malware deploying TrueBot in addition to other post-compromise payloads, like IcedID and Bumblebee.
The malware has been used alongside other malware in attacks. For instance, in several incidents, a few hours after TrueBot was executed the Cobalt Strike tool was deployed for persistence and data exfiltration purposes, mostly via LSASS memory credential dumping. And minutes after the TrueBot malware was executed in some phishing campaigns, the FlawedGrace remote access tool (RAT) was deployed.
Researchers with Cisco Talos also found TrueBot attacks leveraging a custom data exfiltration tool called “Teleport” that was used to steal information.
While TrueBot has been around since at least 2017, this change in delivery vector makes it clear that attacks leveraging the malware are continuing to evolve. The malware has been linked to a threat actor called Silence Group, which is known for targeting banks, financial institutions and sometimes the education sector. However, the malware has been used in a wide array of attacks; in April, for instance, TrueBot was observed by Microsoft researchers being used in PaperCut flaw attacks that were attributed to a Clop affiliate, which is tracked as DEV-0950 or Lace Tempest.
CISA published further details on the new TrueBot downloader variants, as well as the related IoCs for its recent campaigns. The agency urged organizations to apply patches to the Netwrix Auditor remote code execution flaw, if needed.
“Any organization identifying indicators of compromise (IOCs) within their environment should urgently apply the incident responses and mitigation measures detailed in this [Cybersecurity Advisory] and report the intrusion to CISA or the FBI,” according to CISA’s advisory.