
AA23-187A: Truebot Malware Infects Networks in U.S. and Canada

CISA, the FBI, MS-ISAC, and CCCS have released a joint cybersecurity advisory on cyber threat actors leveraging newly identified Truebot malware variants against organizations in the United States and Canada. The attacks exploit a critical remote code execution (RCE) vulnerability in the Netwrix Auditor software, tracked as CVE-2022-31199 (CVSSv3 score: 9.8, Critical), to deliver Truebot. Threat actors leverage this flaw to gain initial access and then move laterally within the compromised network.

Truebot is a botnet linked to the Russian-speaking Silence cybercrime group and used by TA505 (associated with the FIN11 group) to deploy Clop ransomware on compromised networks since December 2022. Previous Truebot variants were primarily delivered via malicious phishing email attachments. Recent versions, however, also gain initial access by exploiting CVE-2022-31199, enabling deployment of the malware at scale within the compromised environment. Based on the nature of observed Truebot operations, the adversaries' main goal is to steal sensitive information from compromised systems for financial gain.

Truebot has also been used alongside other malware. In several incidents, the Cobalt Strike tool was deployed for persistence and data exfiltration shortly after Truebot was executed. In some phishing campaigns, the FlawedGrace RAT was deployed only minutes after Truebot ran. Researchers have also observed Truebot attacks leveraging a custom data exfiltration tool called "Teleport" to steal information.

Once an organization is infected with Truebot, the infection can quickly escalate, much as ransomware spreads throughout a network. The change in delivery vector shows that attacks leveraging the malware continue to evolve.

Figure: CVE-2022-31199 Delivery Method for Truebot

SecurIT360 SOC Managed Services

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:

MDR Services

  • We utilize several threat feeds that are updated daily.
  • In addition to our automatic threat feeds, we have added known indicators of compromise related to this threat into our MDR solution, FortiSIEM.

EDR Services

  • In addition to ongoing vendor IoC updates, we have added known indicators of compromise related to this threat into our EDR solutions to help with detection.

Indicators are provided in the Indicators of Compromise section below for your reference.

As always, if we detect activity related to these exploits, we will alert you when applicable.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.

Mitigations 

  • All Netwrix Auditor customers are advised to upgrade to version 10.5.10977.0 and to ensure that no Netwrix Auditor systems are exposed to the internet.
  • CISA has posted guidelines and recommends that organizations mandate MFA for all staff and services.
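The first mitigation is only useful if you can tell which Netwrix Auditor installs are still below 10.5.10977.0. The following added example (written for this summary, not code from CISA, Netwrix, or SecurIT360) compares inventory version strings against that build numerically. It assumes you already have a host-to-version inventory from your EDR or asset system; the hostnames and versions below are constructed sample data. The point it makes that the paragraph does not: a plain string comparison sorts "10.5.9999.0" after "10.5.10977.0" and would hide an unpatched host.

```python
"""Added example: flag Netwrix Auditor installs below the patched build.

Illustrative code written for this advisory summary, not a SecurIT360 or
Netwrix tool. Assumes an inventory of (host, installed version) pairs is
available; SAMPLE_INVENTORY is constructed sample data.
"""
from typing import Iterable, List, Tuple

# Fixed build named in the Mitigations section above.
PATCHED_VERSION = "10.5.10977.0"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints.

    Integer comparison matters: as plain strings, "10.5.9999.0" sorts *after*
    "10.5.10977.0" because '9' > '1', which would hide an unpatched host.
    Missing trailing components are treated as zero ("10.5" == "10.5.0.0").
    """
    parts = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"non-numeric version component in {version!r}")
        parts.append(int(piece))
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_patched(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed build is at or above the patched build."""
    return parse_version(installed) >= parse_version(patched)


def find_unpatched(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, version) pairs that still need the upgrade.

    Hosts whose version string cannot be parsed are also returned: an unknown
    version is not evidence of a patched one.
    """
    needs_upgrade = []
    for host, version in inventory:
        try:
            if not is_patched(version):
                needs_upgrade.append((host, version))
        except ValueError:
            needs_upgrade.append((host, version))
    return needs_upgrade


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("audit-srv-01", "10.5.10977.0"),  # exactly the patched build
    ("audit-srv-02", "10.5.9999.0"),   # older build; string compare would miss it
    ("audit-srv-03", "10.6.0.0"),      # newer release
    ("audit-srv-04", "10.5"),          # short version string
    ("audit-srv-05", "unknown"),       # inventory gap
]

if __name__ == "__main__":
    for host, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: version {version!r} needs upgrade to {PATCHED_VERSION}")
```

Feed `find_unpatched` the real inventory export in place of `SAMPLE_INVENTORY`; the hosts it returns are the ones to upgrade and, per the second half of the mitigation, to confirm are not reachable from the internet.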

MITRE Summary

Each entry below is listed as Technique Title (ID): Use, grouped by tactic.

Initial Access

  • Replication Through Removable Media (T1091): Cyber threat actors use removable media drives to deploy Raspberry Robin malware.
  • Drive-by Compromise (T1189): Cyber threat actors embed malicious links or attachments within web domains to gain initial access.
  • Exploit Public-Facing Application (T1190): Cyber threat actors are exploiting Netwrix vulnerability CVE-2022-31199 for initial access, with follow-on lateral movement through remote code execution.
  • Phishing (T1566.002): Truebot actors can send spear phishing links to gain initial access.

Execution

  • Command and Scripting Interpreter (T1059): Cyber threat actors have been observed dropping Cobalt Strike beacons as a reverse shell proxy to create persistence within the compromised network. Cyber threat actors use FlawedGrace to receive PowerShell commands over a C2 channel to deploy additional tools.
  • Shared Modules (T1129): Cyber threat actors can deploy malicious payloads through obfuscated shared modules.
  • User Execution: Malicious Link (T1204.001): Cyber threat actors trick users into clicking a link by making them believe they need to perform a Google Chrome software update.

Persistence

  • Hijack Execution Flow: DLL Side-Loading (T1574.002): Cyber threat actors use Raspberry Robin, among other toolsets, to side-load DLLs to maintain persistence.

Privilege Escalation

  • Boot or Logon Autostart Execution: Print Processors (T1547.012): FlawedGrace malware manipulates print spooler functions to achieve privilege escalation.

Defense Evasion

  • Obfuscated Files or Information (T1027): Truebot uses a .JSONIP extension (e.g., IgtyXEQuCEvAM.JSONIP) to create a GUID.
  • Obfuscated Files or Information: Binary Padding (T1027.001): Cyber threat actors embed around one gigabyte of junk code within the malware string to evade detection protocols.
  • Masquerading: Masquerade File Type (T1036.008): Cyber threat actors hide Truebot malware as legitimate-appearing file formats.
  • Process Injection (T1055): Truebot malware has the ability to load shellcode after establishing a C2 connection.
  • Indicator Removal: File Deletion (T1070.004): Truebot malware implements self-deletion TTPs throughout its attack cycle to evade detection. The Teleport exfiltration tool deletes itself after it has completed exfiltrating data to the C2 station.
  • Modify Registry (T1112): FlawedGrace is able to modify registry programs that control the order in which documents are loaded into a print queue.
  • Reflective Code Loading (T1620): Truebot malware has the capability to load shellcode and deploy various tools to stealthily navigate an infected network.

Credential Access

  • OS Credential Dumping: LSASS Memory (T1003.001): Cyber threat actors use Cobalt Strike to obtain valid credentials through LSASS memory dumping.

Discovery

  • System Network Configuration Discovery (T1016): Truebot malware scans and enumerates the affected system's domain names.
  • Process Discovery (T1057): Truebot malware enumerates all running processes on the local host.
  • System Information Discovery (T1082): Truebot malware scans and enumerates the OS version information and processor architecture. Truebot malware enumerates the affected system's computer names.
  • System Time Discovery (T1124): Truebot has the ability to discover system time metrics, which enables synchronization with the compromised system's internal clock to facilitate scheduling tasks.
  • Software Discovery: Security Software Discovery (T1518.001): Truebot has the ability to discover software security protocols, which aids in defense evasion.
  • Debugger Evasion (T1622): Truebot malware scans the compromised environment for debugger tools and enumerates them in an effort to evade network defenses.

Lateral Movement

  • Exploitation of Remote Services (T1210): Cyber threat actors exploit the Netwrix Auditor vulnerability CVE-2022-31199 and use its capabilities to move laterally within a compromised network.
  • Use Alternate Authentication Material: Pass the Hash (T1550.002): Cyber threat actors use Cobalt Strike to authenticate as valid accounts.
  • Remote Service Session Hijacking (T1563.001): Cyber threat actors use Cobalt Strike to hijack remote sessions using SSH and RDP hijacking methods.
  • Remote Service Session Hijacking: RDP Hijacking (T1563.002): Cyber threat actors use Cobalt Strike to hijack remote sessions using SSH and RDP hijacking methods.
  • Lateral Tool Transfer (T1570): Cyber threat actors deploy additional payloads to transfer toolsets and move laterally.

Collection

  • Data from Local System (T1005): Truebot malware checks the current version of the OS and the processor architecture and compiles the information it receives.
  • Screen Capture (T1113): Truebot malware takes snapshots of local host data, specifically processor architecture data, and sends that to a phase 2 encoded data string. Truebot gathers and compiles the compromised system's host and domain names.

Command and Control

  • Application Layer Protocol (T1071): Cyber threat actors use the Teleport exfiltration tool to blend exfiltrated data with network traffic.
  • Non-Application Layer Protocol (T1095): Cyber threat actors use Teleport and FlawedGrace to send data over a custom communication protocol.
  • Ingress Tool Transfer (T1105): Cyber threat actors deploy various ingress tool transfer payloads to move laterally and establish C2 connections.
  • Encrypted Channel: Asymmetric Cryptography (T1573.002): Cyber threat actors use Teleport to create an encrypted channel using AES.

Exfiltration

  • Scheduled Transfer (T1029): Teleport limits the data it collects and syncs with outbound organizational data/network traffic.
  • Data Transfer Size Limits (T1030): Teleport limits the data it collects and syncs with outbound organizational data/network traffic.
  • Exfiltration Over C2 Channel (T1048): Cyber threat actors blend exfiltrated data with network traffic to evade detection. Cyber threat actors use the Teleport tool to exfiltrate data over a C2 protocol.
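Two of the Defense Evasion entries above describe host-level artifacts a defender can hunt for without any network indicator: files carrying the .JSONIP extension (T1027) and executables inflated with roughly a gigabyte of junk (T1027.001), possibly under a misleading extension (T1036.008). The following added example, written for this summary and not taken from the advisory or from SecurIT360 tooling, walks a directory tree and reports both. The 512 MiB size threshold is an assumed value chosen to sit well below the padding the advisory describes, the PE check reads the file header rather than trusting the extension, and the files created by `build_sample_tree` are constructed test data so the script runs offline.

```python
"""Added example: hunt a directory tree for two Truebot artifacts named in the
MITRE summary: files with a .JSONIP extension (T1027) and Windows executables
padded to an unusual size (T1027.001).

Illustrative code written for this advisory summary, not an advisory or
vendor tool. The 512 MiB threshold is an assumption; the sample files built
by build_sample_tree() are constructed test data.
"""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Assumed threshold: legitimate PE binaries this large are rare enough to review.
LARGE_PE_BYTES = 512 * 1024 * 1024
PE_MAGIC = b"MZ"  # DOS header signature at offset 0 of every PE file


@dataclass
class Finding:
    path: str
    reason: str  # "jsonip-extension" or "oversized-pe"
    size: int


def is_pe_file(path: Path) -> bool:
    """Cheap PE check on the first two bytes; the extension is not trusted
    because T1036.008 describes Truebot masquerading its file type."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def scan_tree(root: Path, large_pe_bytes: int = LARGE_PE_BYTES) -> List[Finding]:
    """Walk root and return findings for .JSONIP files and oversized PE files."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                size = path.stat().st_size
            except OSError:
                continue  # unreadable entry: skip it rather than abort the hunt
            # Case-insensitive match, since NTFS file names are case-insensitive.
            if path.suffix.lower() == ".jsonip":
                findings.append(Finding(str(path), "jsonip-extension", size))
            if size >= large_pe_bytes and is_pe_file(path):
                findings.append(Finding(str(path), "oversized-pe", size))
    return findings


def build_sample_tree(root: Path, large_bytes: int) -> None:
    """Create constructed sample files under root for a self-contained run.

    truncate() makes the 'oversized' files sparse where the filesystem allows,
    so no real gigabyte is written."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "IgtyXEQuCEvAM.JSONIP").write_bytes(b"{}")       # T1027 artifact (name from the summary)
    (root / "notes.txt").write_bytes(b"benign text")
    with (root / "padded.exe").open("wb") as fh:               # T1027.001 artifact
        fh.write(PE_MAGIC)
        fh.truncate(large_bytes)
    (root / "small.exe").write_bytes(PE_MAGIC + b"\x90" * 64)  # ordinary small PE, not flagged
    with (root / "big.bin").open("wb") as fh:                  # large but not a PE, not flagged
        fh.write(b"\x00\x00")
        fh.truncate(large_bytes)


def hunt_sample(large_bytes: int = 4096) -> List[str]:
    """Build the constructed tree in a temp dir and return findings as
    sorted 'reason:filename' strings. A small threshold keeps the demo fast."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root, large_bytes)
        return sorted(f"{f.reason}:{Path(f.path).name}" for f in scan_tree(root, large_bytes))


if __name__ == "__main__":
    for line in hunt_sample():
        print(line)
```

For a real hunt, call `scan_tree(Path(r"C:\"))` (or the drive roots of interest) with the default threshold; the two hits the constructed tree produces are the .JSONIP file and the padded executable, while the small executable and the large non-PE file are left alone.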

Indicators of Compromise 

Resources & Related Articles