A spike in TrueBot activity was observed in May 2023, cybersecurity researchers say.
“TrueBot is a downloader trojan botnet that uses a command and control server to gather information about compromised systems and uses those compromised systems as a launching point for further attacks,” Fae Carlisle of VMware said.
Active since at least 2017, TrueBot is linked to a group known as Silence which is believed to share overlap with a notorious Russian cybercrime actor known as Evil Corp.
Recent TrueBot infections have exploited a critical flaw in Netwrix Auditor (CVE-2022-31199, CVSS score: 9.8) and have also used Raspberry Robin as a delivery vector.
The attack chain documented by VMware, on the other hand, starts with a drive-by download of an executable file named “update.exe” via Google Chrome, indicating that users were lured into downloading the malware under the pretext of a software update.
Once executed, update.exe establishes a connection with a TrueBot IP address known to be located in Russia to retrieve the second stage executable (“3ujwy2rz7v.exe”) which is then launched using the Windows Command Prompt.
The executable, for its part, connects to the command-and-control (C2) domain and exfiltrates sensitive information from the host. It is also capable of enumerating running processes and system information.
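As an added illustration that is not part of the VMware report or this article, the following Python sketch shows how a defender could flag the process chain described above in endpoint telemetry: a browser-dropped executable that spawns a command shell, which in turn launches a second binary. The event records and their field names are constructed, Sysmon-like samples, not real telemetry.

```python
"""Toy detection for the TrueBot-style chain described above:
browser-dropped executable -> spawns cmd.exe -> cmd.exe launches a second stage.
All events below are constructed samples with Sysmon-like fields (hypothetical)."""
from collections import defaultdict

# Constructed sample events (not taken from the original report).
EVENTS = [
    {"type": "file_create", "image": "chrome.exe", "target": r"C:\Users\u\Downloads\update.exe"},
    {"type": "proc_create", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "proc_create", "pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\update.exe", "cmdline": "update.exe"},
    {"type": "proc_create", "pid": 300, "ppid": 200, "image": "cmd.exe", "cmdline": "cmd.exe /c 3ujwy2rz7v.exe"},
    {"type": "proc_create", "pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\3ujwy2rz7v.exe", "cmdline": "3ujwy2rz7v.exe"},
    # Benign noise: a browser-dropped installer that never spawns a shell.
    {"type": "file_create", "image": "chrome.exe", "target": r"C:\Users\u\Downloads\setup.exe"},
    {"type": "proc_create", "pid": 500, "ppid": 100, "image": r"C:\Users\u\Downloads\setup.exe", "cmdline": "setup.exe"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_chains(events):
    """Return (dropper, shell, stage2) file-name triples for every matching chain."""
    dropped = set()               # executables written to disk by a browser
    procs = {}                    # pid -> process-creation event
    children = defaultdict(list)  # ppid -> [child pids]
    for ev in events:
        if ev["type"] == "file_create" and basename(ev["image"]) in BROWSERS:
            if ev["target"].lower().endswith(".exe"):
                dropped.add(ev["target"].lower())
        elif ev["type"] == "proc_create":
            procs[ev["pid"]] = ev
            children[ev["ppid"]].append(ev["pid"])
    hits = []
    for pid, ev in procs.items():
        if ev["image"].lower() not in dropped:     # only browser-dropped binaries
            continue
        for shell_pid in children[pid]:
            if basename(procs[shell_pid]["image"]) not in SHELLS:
                continue
            for s2 in children[shell_pid]:         # shell launched another binary
                if procs[s2]["image"].lower().endswith(".exe"):
                    hits.append((basename(ev["image"]), basename(procs[shell_pid]["image"]), basename(procs[s2]["image"])))
    return hits


if __name__ == "__main__":
    for chain in find_chains(EVENTS):
        print("suspicious chain:", " -> ".join(chain))
```

The benign setup.exe is dropped by the browser too but is not reported because it never spawns a shell that launches a further binary.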
“TrueBot can be a very nasty infection for any network,” said Carlisle. “When an organization is infected with this malware, it can quickly escalate into a larger infection, similar to how ransomware spreads across networks.”
The findings come as SonicWall details a new variant of another downloader malware known as GuLoader (aka CloudEyE) that is used to deliver a variety of malware such as Agent Tesla, Azorult, and Remcos.
“In the latest variant of GuLoader, it introduces a new way to raise exceptions that hinder the complete analysis process and its execution in a controlled environment,” SonicWall said.