
Hackers Use Netwrix RCE Vulnerability in Truebot Malware Attack


A joint advisory has warned that new variants of the Truebot malware are targeting organizations in the United States and Canada. The new variants exploit CVE-2022-31199, a remote code execution vulnerability in the Netwrix Auditor application, to gain initial access; the operators then collect sensitive information from the compromised environment and exfiltrate it.

Truebot is a botnet: a network of infected computers controlled by a central command-and-control (C2) server. Earlier variants were distributed mainly through phishing campaigns, in which victims are tricked into opening malicious emails or attachments. The newer variants add a second route in: the attackers exploit the Netwrix Auditor vulnerability to deliver the payload and gain access to targeted machines without relying on a user opening anything.

In the phishing route, the Truebot payload is disguised as a legitimate software update notification. When a user follows the link in the email, they are redirected to a malicious domain that serves the payload, and once it runs, script files collect sensitive information from the infected machine. This can include login credentials, financial data, and other material that can later be used for unauthorized activity.

The increase in Truebot activity prompted the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) to issue a joint advisory warning organizations about the heightened activity of this variant. The advisory is intended to get organizations to review and strengthen their defenses before they are targeted rather than after.

Truebot has been linked to the CL0P ransomware gang, a cybercriminal group known for ransomware and extortion operations, so the motive behind these intrusions is most likely extortion. Netwrix Auditor is an auditing product that typically holds privileged credentials for the systems it monitors, so code execution on it gives the attackers a well-placed foothold from which to move laterally, reach additional systems, and escalate the attack.

To achieve persistence and maintain contact with the C2 server, Truebot uses several tools and techniques. It first loads FlawedGrace, a remote access tool that stores payloads and injects additional payloads through scheduled tasks, giving the malware a foothold that survives reboots. It also loads Cobalt Strike beacons directly into memory for further post-exploitation and control. Keeping the beacon off disk puts it out of reach of file-based scanning, so detection has to look at scheduled-task creation, process behavior, and network traffic rather than files alone.
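The scheduled-task persistence described above is something a responder can hunt for directly in exported task definitions. The script below is an added example, not code from the advisory or from any vendor: it parses Windows Task Scheduler XML (the format produced by `schtasks /query /xml` or `Export-ScheduledTask`) and flags actions that run from user-writable locations or through common execution-proxy binaries. The task definitions are constructed for the demo, and the heuristics are general assumptions of this example rather than Truebot-specific indicators.

```python
"""Hunt for suspicious scheduled-task persistence in exported Task Scheduler XML.

Added example, not code from the advisory or from any vendor. The task
definitions below are constructed for the demo; the heuristics (user-writable
paths, execution-proxy binaries) are general assumptions, not Truebot IOCs.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML exports.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed heuristics: actions that run from user-writable locations, or through
# binaries commonly used to proxy execution of a dropped payload.
USER_WRITABLE = re.compile(
    r"(%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\)",
    re.IGNORECASE,
)
PROXY_BINARIES = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "msiexec.exe", "powershell.exe", "cmd.exe",
}


def assess_task(task_xml: str) -> list[str]:
    """Return the findings for one task definition (an empty list means nothing flagged)."""
    root = ET.fromstring(task_xml)
    findings: list[str] = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = (exec_node.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip().strip('"')
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) or ""
        binary = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if USER_WRITABLE.search(command) or USER_WRITABLE.search(arguments):
            findings.append(f"action references a user-writable path: {command} {arguments}".strip())
        if binary in PROXY_BINARIES:
            findings.append(f"action runs through execution proxy {binary}")
    # A flagged task that also runs as SYSTEM is the combination that matters most.
    user_id = root.findtext(".//t:Principals/t:Principal/t:UserId", default="", namespaces=TASK_NS) or ""
    if findings and user_id.upper() in {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}:
        findings.append("task runs as SYSTEM")
    return findings


def scan_tasks(tasks: dict[str, str]) -> dict[str, list[str]]:
    """Map task name -> findings, keeping only the tasks that produced at least one finding."""
    report = {name: assess_task(xml) for name, xml in tasks.items()}
    return {name: findings for name, findings in report.items() if findings}


# Constructed samples for the demo (not real task exports from an incident).
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\sc.exe</Command>
      <Arguments>start wuauserv</Arguments>
    </Exec>
  </Actions>
</Task>"""

SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\Users\Public\update.dll,#1</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_TASKS = {"ServiceRestart": BENIGN_TASK, "Updater": SUSPICIOUS_TASK}

if __name__ == "__main__":
    for name, findings in scan_tasks(SAMPLE_TASKS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a real host you would feed the script every task under `C:\Windows\System32\Tasks` (or the output of `Export-ScheduledTask`), decoding the files first since exports are usually UTF-16, and triage the flagged tasks against a baseline of known-good tasks rather than treating every hit as malicious.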

Mitigating the Truebot attack starts with patching CVE-2022-31199: Netwrix Auditor versions prior to 10.5 are affected, so upgrade to 10.5 or later, and keep all other software up to date so that known vulnerabilities cannot be used for initial access. Beyond patching, organizations should limit network exposure of the Auditor server to the hosts that genuinely need to reach it, and implement controls that block remote execution attempts, limiting how far the malware can spread once inside.

To help organizations identify Truebot, the advisory provides indicators of compromise (IOCs), including MD5 and SHA256 hash values associated with the malware. Sweeping file systems and security telemetry for these hashes lets organizations detect and respond to infections before further damage is done. One caveat: a file hash is the easiest indicator for an attacker to change, so a hash match should be treated as confirmation rather than as the only detection, and hunted for alongside the behaviors described above (suspicious scheduled tasks, in-memory beacons, and traffic to the C2 infrastructure).
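A minimal hash sweep against a published IOC list looks like the following. This is an added example, not the advisory's own tooling: the indicator list and the files it matches are constructed inside the script from sample bytes, so no real Truebot hashes appear here, and the `demo()` helper that builds a scratch directory is an assumption of this example rather than anything the advisory describes.

```python
"""Sweep a directory tree for files whose MD5 or SHA256 matches a published IOC list.

Added example, not the advisory's own tooling. The indicator list and the files
it matches are constructed inside the script; no real Truebot hashes appear here.
"""
import hashlib
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")


def load_iocs(lines) -> dict[str, set[str]]:
    """Parse a mixed list of MD5 (32 hex) and SHA256 (64 hex) indicators.

    Blank lines and '#' comments are ignored and case is normalised, since published
    lists mix upper- and lower-case hex. Anything else is rejected rather than silently dropped.
    """
    iocs: dict[str, set[str]] = {"md5": set(), "sha256": set()}
    for raw in lines:
        value = raw.split("#", 1)[0].strip().lower()
        if not value:
            continue
        if set(value) <= HEX and len(value) == 32:
            iocs["md5"].add(value)
        elif set(value) <= HEX and len(value) == 64:
            iocs["sha256"].add(value)
        else:
            raise ValueError(f"unrecognised indicator: {raw!r}")
    return iocs


def file_digests(path: Path) -> dict[str, str]:
    """Compute MD5 and SHA256 in one streaming pass so large files are never fully loaded."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def sweep(root: Path, iocs: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Return (path, algorithm, digest) for every file that matches an indicator."""
    hits: list[tuple[str, str, str]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digests = file_digests(path)
        for algo in ("sha256", "md5"):  # report the stronger hash when both match
            if digests[algo] in iocs[algo]:
                hits.append((str(path), algo, digests[algo]))
                break
    return hits


# Constructed sample contents; their digests stand in for the advisory's real IOCs.
SAMPLE_DROPPER = b"constructed sample: pretend this is a Truebot dropper\n"
SAMPLE_LOADER = b"constructed sample: pretend this is a second-stage loader\n"
CONSTRUCTED_IOC_LIST = [
    "# sha256 of the first sample",
    hashlib.sha256(SAMPLE_DROPPER).hexdigest().upper(),  # upper-case to exercise normalisation
    "# md5 of the second sample",
    hashlib.md5(SAMPLE_LOADER).hexdigest(),
]


def demo() -> list[tuple[str, str, str]]:
    """Build a scratch tree with two matching files and one benign file, then sweep it (assumed demo helper)."""
    root = Path(tempfile.mkdtemp(prefix="ioc-sweep-"))
    (root / "svc").mkdir()
    (root / "svc" / "update.bin").write_bytes(SAMPLE_DROPPER)
    (root / "loader.dat").write_bytes(SAMPLE_LOADER)
    (root / "readme.txt").write_bytes(b"nothing to see here\n")
    return sweep(root, load_iocs(CONSTRUCTED_IOC_LIST))


if __name__ == "__main__":
    for path, algo, digest in demo():
        print(f"MATCH {algo} {digest} {path}")
```

Replace `CONSTRUCTED_IOC_LIST` with the hashes from the advisory and point `sweep()` at the volumes you care about; because a recompiled or padded sample has a different hash, run the sweep as one signal next to the scheduled-task and network hunting rather than as the sole check.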

In conclusion, the Truebot variants targeting US and Canadian organizations are a reminder that an unpatched vulnerability in a privileged internal application is an initial-access path, not just a hardening item. By exploiting the Netwrix Auditor vulnerability, attackers gain unauthorized access to sensitive information and exfiltrate it. Organizations should patch the vulnerability now, keep their software current, and put the access and detection controls above in place to reduce the risk of a Truebot intrusion.
