Author: Kaustubh Jagtap, Product Marketing Director, SafeBreach

On July 6th, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released an advisory highlighting the newly identified Truebot malware variants. Truebot (also known as Silence Downloader) is a botnet that has been used by the CL0P ransomware gang to collect and exfiltrate stolen target victim information. Detailed information is listed in US-CERT Alert AA23-187A – Increased Truebot Activity Infects U.S. and Canada-Based Networks.

According to the advisory, newer Truebot variants have been exploiting CVE-2022-31199 to gain initial access to victim networks. CVE-2022-31199 is a remote code execution (RCE) vulnerability in the Netwrix Auditor application. By exploiting this vulnerability, threat actors can deploy the Truebot malware at scale in victim networks. Based on the current information available, threat actors are leveraging previously used phishing campaigns (with malicious hyperlink redirects) in addition to exploiting the above-listed vulnerability to deliver the newer malware variants.

Truebot is a malware downloader linked to the Russian-speaking Silence cybercrime group and used by TA505 hackers (associated with the FIN11 group) to deploy Clop ransomware on compromised networks since December 2022. Traditionally, threat actors have leveraged phishing to trick users into clicking a malicious link that downloads Truebot malware on their systems. Additionally, it has also been observed that threat actors are very adept at hiding the Truebot malware within legitimate-looking file formats.

The newly discovered Truebot variants have been delivered by exploiting an RCE vulnerability (CVE-2022-31199) in Netwrix Auditor – a tool used for IT system auditing. Exploiting this vulnerability allows the attackers to gain an initial foothold within victim networks and move laterally within the compromised network. Once the Truebot file is successfully delivered/downloaded on the victim network, Truebot renames itself and loads FlawedGrace – a remote access trojan (RAT) – onto the network. FlawedGrace is able to modify registry and print spooler programs that control the order in which documents are loaded to a print queue. FlawedGrace manipulates these features to both escalate privilege and establish persistence.

During FlawedGrace's execution phase, the RAT stores encrypted payloads inside the Windows registry. This tool can create tasks and inject payloads into command processes that allow FlawedGrace to set up command and control (C&C) and inject dynamic link libraries (DLLs) to escalate attacker privileges.

During the first stage of Truebot's execution process, it checks the current version of the operating system (OS) and processor architecture, allowing it to enumerate all running processes, collect sensitive local host data, and send this data to an encoded data string for second-stage execution. After initial access, Truebot has been observed injecting Cobalt Strike beacons into Windows memory. Truebot also has the ability to discover software security protocols and system time metrics, which aids in defense evasion and enables synchronization with the compromised system's internal clock to facilitate scheduling tasks.

Following Truebot's enumeration of running processes and tools, the affected system's computer name, domain name, and GUID are sent to a hard-coded URL via a POST request. A unique 13-character globally unique identifier (GUID) is also created to label and organize the collected data. The POST request functions as a means of establishing a C2 connection for bi-lateral communication. With this established connection, Truebot uses a second obfuscated domain to receive additional payloads, self-replicate across the environment, and/or delete files used in its operations.

Truebot has been observed associated with the following delivery vectors and tools:
Raspberry Robin malware – one of the largest malware distribution platforms.
FlawedGrace – a RAT that can receive incoming commands from a C2 server sent over a custom binary protocol.
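One way a defender can hunt for the FlawedGrace behaviour described above (encrypted payloads stored inside the Windows registry), added here as an example and not code from the advisory or from SafeBreach: parse a regedit export and flag large binary values whose per-byte entropy sits near the ceiling that encrypted or compressed data produces. The sample export, the key path, and the size and entropy thresholds are all constructed assumptions for this illustration, not indicators from the advisory.

```python
import math
import random
import re
# Thresholds are this example's own assumptions, not values from the advisory.
MIN_BLOB_BYTES = 1024   # ignore small binary settings such as window positions
MIN_ENTROPY = 7.0       # bits per byte; encrypted or compressed data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_reg_export(text: str):
    """Yield (key_path, value_name, raw_bytes) for each hex value in a .reg export."""
    joined = re.sub(r"\\\r?\n\s*", "", text)  # re-join regedit's backslash-continued blobs
    key = None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and '"=hex' in line:  # covers hex:, hex(2):, hex(7):
            name, _, value = line.partition("=")
            digits = value.split(":", 1)[1] if ":" in value else ""
            raw = bytes(int(h, 16) for h in digits.split(",") if h.strip())
            yield key, name.strip('"'), raw

def find_suspicious_blobs(text: str):
    """Return [(key, name, size, entropy)] for values large and random enough to be payloads."""
    hits = []
    for key, name, raw in parse_reg_export(text):
        ent = shannon_entropy(raw)
        if len(raw) >= MIN_BLOB_BYTES and ent >= MIN_ENTROPY:
            hits.append((key, name, len(raw), round(ent, 2)))
    return hits

def _hex_value(name: str, raw: bytes) -> str:
    return f'"{name}"=hex:' + ",".join(f"{b:02x}" for b in raw)

# Constructed sample export: a benign repetitive setting plus a 4 KiB seeded-random
# blob standing in for an encrypted payload (random bytes, not real malware data).
SAMPLE_REG = "\n".join([
    r"[HKEY_CURRENT_USER\Software\Example\Settings]",
    _hex_value("WindowPos", bytes([0x10, 0, 0, 0, 0x20, 0, 0, 0]) * 64),
    _hex_value("Cache", random.Random(7).randbytes(4096)),
])
```

Running `find_suspicious_blobs` over a real `reg export` of the Run keys and HKCU\Software is a cheap triage step; a hit only tells you the value is large and high-entropy, so confirm by checking which process reads it.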