Dive Brief:
- The FBI, the Cybersecurity and Infrastructure Security Agency and partner agencies warned Thursday that hackers are using TrueBot malware, also known as Silence Downloader, in phishing attacks against U.S. and Canadian targets.
- Since late May, malicious actors have been exploiting a known vulnerability in Netwrix Auditor, identified as CVE-2022-31199, for initial access to deliver new TrueBot variants and steal data from targeted entities.
- Authorities describe TrueBot as a botnet that groups like the Clop ransomware gang use to collect and exfiltrate data from organizations.
Dive Insight:
Researchers from VMware Carbon Black on June 1 reported a surge in activity from TrueBot, which has been in circulation since 2017. TrueBot collects information on compromised targets using command and control servers and then uses the compromised systems to launch additional attacks, according to VMware Carbon Black researchers.
Researchers say Silence Group has been actively developing TrueBot recently and delivering it by exploiting the Netwrix Auditor vulnerability. Silence Group is historically known for targeting banks and financial institutions, but its recent activity has targeted the education sector.
TrueBot operators previously relied on tricking users into clicking malicious hyperlinks to deliver the malware, according to the advisory. In some cases email attachments are disguised as software update notifications.
Once malicious files are downloaded, the malware renames itself and loads a remote access tool called FlawedGrace onto the host system, officials said.
Netwrix Auditor is software used to locate data and infrastructure security gaps in both cloud and on-premises environments, according to Gerrit Lansing, CSO at Netwrix. More than 7,000 organizations use it.
“This vulnerability may permit an attacker to execute arbitrary code on a Netwrix Auditor system that is exposed to the internet, contrary to deployment best practices,” Lansing said via email.
In June 2022, the company released version 10.5.10936.0, which included a remediation for the vulnerability, according to Lansing. Customers were also advised not to expose the software to the internet.
Lansing said that customers whose deployments are not exposed to the internet are at low risk, but all customers should now upgrade to version 10.5.10977.0. Customers whose deployments are exposed to the internet should block that access immediately.
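As an added example, not Netwrix's own tooling and not part of the advisory, the following Python helper turns the guidance above into a triage check over an inventory of Auditor hosts: it compares build numbers numerically against the two versions quoted here (the June 2022 fix build and the currently recommended build) and escalates any unpatched instance that is reachable from the internet. The host names and version strings are constructed inputs, and the severity labels are assumptions of this example rather than Netwrix's classifications.

```python
"""Triage helper for the Netwrix Auditor CVE-2022-31199 remediation guidance.

Added example, not Netwrix code. It encodes the advice quoted in the article:
the flaw was remediated in 10.5.10936.0, every customer is told to move to
10.5.10977.0, and internet exposure is what makes an unpatched host critical.
Severity labels (critical/low/info/none) are this example's own assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List, Tuple

FIRST_FIXED = "10.5.10936.0"   # June 2022 build that remediated CVE-2022-31199
RECOMMENDED = "10.5.10977.0"   # build Netwrix now tells every customer to run


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.5.10936.0' into (10, 5, 10936, 0).

    Comparing version strings as text is a classic bug: '10.5.9999.0' sorts
    after '10.5.10936.0' lexically even though it is an older build, so the
    check below always compares numeric tuples.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed build predates the first fixed build."""
    return parse_version(version) < parse_version(FIRST_FIXED)


@dataclass(frozen=True)
class Finding:
    host: str
    version: str
    internet_exposed: bool
    severity: str   # critical / low / info / none (assumed labels)
    action: str


def triage(host: str, version: str, internet_exposed: bool) -> Finding:
    """Classify one Auditor host according to the vendor guidance."""
    v = parse_version(version)
    if v < parse_version(FIRST_FIXED):
        if internet_exposed:
            return Finding(host, version, True, "critical",
                           f"block internet access to the Auditor host now, then upgrade to {RECOMMENDED}")
        return Finding(host, version, False, "low", f"upgrade to {RECOMMENDED}")
    if v < parse_version(RECOMMENDED):
        severity, action = "info", f"patched for CVE-2022-31199; upgrade to {RECOMMENDED}"
    else:
        severity, action = "none", "up to date"
    if internet_exposed:
        # Even a patched instance should not face the internet; the vendor
        # calls that contrary to deployment best practice.
        severity, action = "low", action + "; remove internet exposure"
    return Finding(host, version, internet_exposed, severity, action)


# Constructed sample inventory (host, installed version, reachable from internet).
INVENTORY = [
    ("auditor-dmz-01", "10.5.10900.0", True),
    ("auditor-lan-01", "10.5.9999.0", False),
    ("auditor-lan-02", "10.5.10936.0", False),
    ("auditor-lan-03", "10.5.10977.0", False),
]

ORDER = {"critical": 0, "low": 1, "info": 2, "none": 3}


def triage_inventory(rows: Iterable[Tuple[str, str, bool]]) -> List[Finding]:
    """Triage every host and return findings worst-first."""
    findings = [triage(*row) for row in rows]
    return sorted(findings, key=lambda f: (ORDER[f.severity], f.host))


if __name__ == "__main__":
    for f in triage_inventory(INVENTORY):
        print(f"{f.severity:8} {f.host:16} {f.version:14} exposed={f.internet_exposed}  {f.action}")
```

Feed it the version string reported by each Auditor installation and whether the host answers from outside the network; the numeric tuple comparison is the part worth keeping even if the rest is replaced by a ticketing integration.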
Mandiant researchers have seen increased diversity in how the malware, which they call Truecore, is being delivered by the threat actor called FIN11. The group has historically leaked data on Clop’s site, with victims in the U.S., Canada, U.K., Australia, Colombia and Germany.
The increased number of methods may indicate “FIN11 is forming partnerships with distribution threat clusters or recruiting new team members,” Jeremy Kennelly, Mandiant lead analyst of financial crime analysis at Google Cloud, said via email.
Mandiant has also seen the malware spread via websites masquerading as popular software brands and through exploitation of vulnerabilities, including CVE-2023-0669 and CVE-2021-35211, which affect GoAnywhere MFT and SolarWinds Serv-U MFT, respectively, Kennelly said.
The Multi-State Information Sharing and Analysis Center and the Canadian Centre for Cyber Security also participated in the advisory.