
Truebot Malware Expands to US and Canada Following Incidents in Pakistan and Mexico


Cybersecurity authorities in Canada have warned that cybercriminals are now using new Truebot malware variants against organizations in the country. This follows similar activity observed in Pakistan, Mexico, Brazil, and the United States. The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) have released a joint advisory on the activity.

Truebot, also known as Silence.Downloader, is a downloader used to build a botnet. It has been used by several cybercriminal groups, including the CL0P ransomware gang, to collect sensitive information from victims. In December 2022, security researchers identified widespread Truebot infections in Mexico, Brazil, Pakistan, and the United States.

The primary objectives of a Truebot infection are data theft and, in many cases, the eventual deployment of CL0P ransomware. Threat actors deliver Truebot variants through phishing emails carrying malicious attachments or hyperlinks; when a user opens the attachment or follows the link, the Truebot loader is downloaded and executed. In some cases the malware is disguised as a seemingly legitimate file type, which makes detection harder.

Newer Truebot variants have added a second initial-access vector: exploitation of a remote code execution vulnerability, CVE-2022-31199, in the Netwrix Auditor application. Netwrix Auditor is used to audit IT systems, and by exploiting this flaw the attackers gain an initial foothold inside the target network without needing a user to open anything.

The recent surge in Truebot variants targeting organizations in Canada and the US is attributed to two vectors: phishing campaigns containing malicious redirect hyperlinks, and exploitation of CVE-2022-31199. The advisory urges organizations to update Netwrix Auditor to version 10.5 or later, the release that fixes the vulnerability.
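The first thing a defender wants after reading the patch advice above is a quick way to confirm which Netwrix Auditor version is actually installed on a given host. The PowerShell below is an added example, not part of the advisory or of Netwrix's own tooling. It assumes Netwrix Auditor registers under the standard Windows Uninstall registry keys with a DisplayName containing "Netwrix Auditor"; that display name is an assumption to verify on your own installation.

```powershell
# Added example: check the installed Netwrix Auditor version against the 10.5 fix for CVE-2022-31199.
# Assumption: the product registers under the standard Uninstall keys with a DisplayName
# containing "Netwrix Auditor" (verify the exact name on your host).
$MinimumSafe = [version]'10.5'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Netwrix Auditor*' }

if (-not $found) {
    Write-Output 'Netwrix Auditor not found in the Uninstall registry keys on this host.'
    return
}

foreach ($app in $found) {
    # DisplayVersion may carry a build suffix (for example 10.5.10977.0); [version] accepts up to four parts.
    $installed = $null
    if (-not [version]::TryParse($app.DisplayVersion, [ref]$installed)) {
        Write-Warning ("Cannot parse version '{0}' for {1}; check it manually." -f $app.DisplayVersion, $app.DisplayName)
        continue
    }
    if ($installed -lt $MinimumSafe) {
        Write-Warning ("{0} {1} is below 10.5 and is exposed to CVE-2022-31199; update it." -f $app.DisplayName, $installed)
    } else {
        Write-Output ("{0} {1} is at or above 10.5." -f $app.DisplayName, $installed)
    }
}
```

Run it in an elevated PowerShell session on each server that hosts Netwrix Auditor; the script reads only the registry and changes nothing. Comparing with `[version]` rather than string comparison avoids the classic mistake where "10.10" sorts below "10.5".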

Once executed, Truebot downloads and runs additional components. It loads FlawedGrace, a remote access trojan that manipulates the registry and the print spooler service to establish persistence and escalate privileges. FlawedGrace can create scheduled tasks, inject payloads into legitimate system processes (msiexec.exe and svchost.exe), and establish a command-and-control (C2) connection to the attacker's server. Truebot also injects Cobalt Strike beacons into memory, giving the operators interactive control over the compromised host.
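Scheduled tasks are one of the persistence mechanisms named above, and they are cheap to audit. The PowerShell below is an added hunting example, not code from the advisory, and it carries no Truebot-specific indicators; it applies the general rule that a task whose action runs from a user-writable directory (ProgramData, Temp, Public, a user's AppData) or launches a script host pointed at such a directory deserves a look. The list of directories and living-off-the-land binaries is an assumption you should tune to your environment, and the advisory's own YARA and network indicators should be used alongside it.

```powershell
# Added example: list scheduled tasks whose action runs from, or points a script host at,
# a user-writable location. The roots and binary list below are assumptions; tune them.
$SuspiciousRoots = @(
    "$env:ProgramData",
    "$env:TEMP",
    "$env:PUBLIC",
    'C:\Users\*\AppData\*'
)
$ScriptHosts = @('powershell.exe','pwsh.exe','cmd.exe','mshta.exe','rundll32.exe',
                 'regsvr32.exe','msiexec.exe','wscript.exe','cscript.exe')

function Test-SuspiciousPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Tasks often store %VARS%; expand them before matching and strip surrounding quotes.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in $SuspiciousRoots) {
        if ($expanded -like "*$root*") { return $true }
    }
    return $false
}

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only exec actions carry Execute/Arguments; COM-handler actions are skipped.
        if (-not $action.Execute) { continue }
        $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLower()
        $hit = (Test-SuspiciousPath $action.Execute) -or
               (($ScriptHosts -contains $exe) -and (Test-SuspiciousPath $action.Arguments))
        if ($hit) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Author    = $task.Author
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
} | Format-Table -AutoSize
```

Expect some noise from legitimate installers and update agents; the point is to shortlist tasks for review, then check the target file's signature, creation time, and the task's registration time in the Task Scheduler operational log before deciding.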

To evade analysis and detection, Truebot first fingerprints the host: it checks the operating system version and processor architecture, looks for debugger tools, and synchronizes with the system clock. It then sends the collected system information and a unique identifier to a designated URL, establishing the connection to the attacker's server. Over this channel the operators can send further instructions, download additional malicious payloads, spread to other hosts on the network, delete the files used during the operation, and exfiltrate sensitive data.

The increase in Truebot attacks illustrates how quickly cybercriminals add new initial-access techniques to an existing toolset. Organizations should patch exposed applications such as Netwrix Auditor promptly, monitor for the persistence and C2 behaviours described above, and train employees to recognize phishing campaigns. These measures strengthen defenses against Truebot and against other threats that use the same tradecraft.
