The cybersecurity agency has warned about the emergence of a new variant of the TrueBot malware. This enhanced threat is now targeting companies in the US and Canada with the goal of extracting confidential data from compromised systems.
This sophisticated attack exploits a critical vulnerability (CVE-2022-31199) in the widely used Netwrix Auditor server and its associated agents.
This vulnerability allows an unauthenticated attacker to execute malicious code with SYSTEM privileges, giving them unrestricted access to the compromised host.
The TrueBot malware, which is associated with the cybercrime groups Silence and FIN11, has been used to siphon data and deploy ransomware across many compromised networks.
Cyber criminals gain their initial foothold by exploiting the cited vulnerability, then install TrueBot. Once inside the network, they deploy the FlawedGrace Remote Access Trojan (RAT) to escalate their privileges, establish persistence on the compromised system, and carry out additional operations.
“During FlawedGrace’s execution phase, the RAT stores its encrypted payload in the registry. The tool can create scheduled tasks and inject the payload into msiexec(.)exe and svchost(.)exe, which are command processes that allow FlawedGrace to create a command and control (C2) connection to 92.118.36(.)199, for example, as well as loading a dynamic link library (DLL) to resolve privilege escalation,” the advisory says.
Cybercriminals deploy Cobalt Strike beacons within hours of the first intrusion. These beacons facilitate post-exploitation tasks, including stealing data and installing ransomware or other malware payloads.
While previous versions of TrueBot malware were usually spread via malicious email attachments, the updated version exploits the CVE-2022-31199 vulnerability to gain initial access.
This strategic shift allows cyber threat actors to carry out attacks on a wider scale in compromised environments. Importantly, the Netwrix Auditor software is used by more than 13,000 organizations around the world, including well-known companies such as Airbus, Allianz, UK NHS and Virgin.
The advisory did not provide specific information about victims or the number of organizations affected by the TrueBot attack.
The report also highlights the involvement of Raspberry Robin malware in this TrueBot campaign, as well as other post-compromise malware such as IcedID and Bumblebee. By leveraging Raspberry Robin as a distribution platform, attackers can reach more potential victims and amplify the impact of their malicious activities.
Given that Silence and TA505 groups are actively infiltrating networks for monetary gain, it is important for organizations to implement the suggested security measures.
To protect against TrueBot malware and similar threats, organizations should consider the following recommendations:
- Install updates: Organizations using Netwrix Auditor should install the necessary updates to mitigate the CVE-2022-31199 vulnerability and update their software to version 10.5 or higher.
- Improve security protocols: Implement multi-factor authentication (MFA) for all employees and services.
- Hunt for indicators of compromise (IOCs): The security team should actively check their network for any indication of a TrueBot infection. The IOCs shared in the advisory provide guidance to help find the malware and mitigate its impact.
- Report any incidents: If an organization detects an IOC or suspects a TrueBot intrusion, it must act quickly according to the incident response actions listed in the advisory and report the incident to CISA or the FBI.
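The IOC hunt recommended above can be scripted against the behaviours the advisory describes for FlawedGrace: the payload being injected into msiexec.exe and svchost.exe, those processes opening a C2 connection, and scheduled tasks being created for persistence. The following Python script is an added example written for this article, not code from CISA or the advisory. The only indicator it takes from the advisory is the C2 address 92.118.36.199; the log line format, the field names, the sample records and the internal address ranges are all constructed assumptions, so a real deployment would adapt `parse_line` to the telemetry source actually in use (for example Sysmon event IDs 3 and 1, or EDR network and task-creation events).

```python
import ipaddress
import ntpath
from dataclasses import dataclass
from typing import Optional

# Indicator taken from the CISA advisory quoted in the article.
C2_ADDRESSES = {"92.118.36.199"}

# Processes the advisory names as FlawedGrace injection hosts.
INJECTION_HOSTS = {"msiexec.exe", "svchost.exe"}

# Assumed internal ranges (RFC 1918); adjust to the organisation's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry in a simplified "timestamp KIND key=value ..." format.
# Record 1 reproduces the advisory's C2 address; everything else is invented.
SAMPLE_LOG = r"""
2023-07-06T14:02:11Z NETCONN image=C:\Windows\System32\msiexec.exe dst=92.118.36.199 dport=443
2023-07-06T14:02:15Z NETCONN image=C:\Windows\System32\svchost.exe dst=10.0.0.5 dport=445
2023-07-06T14:02:40Z NETCONN image=C:\Windows\System32\svchost.exe dst=203.0.113.7 dport=443
2023-07-06T14:03:00Z SCHTASK image=C:\Windows\System32\msiexec.exe task=\Microsoft\Windows\UpdateCheck
2023-07-06T14:03:20Z NETCONN image=C:\Users\alice\AppData\Local\Browser\browser.exe dst=198.51.100.9 dport=443
"""


@dataclass
class Event:
    ts: str
    kind: str          # NETCONN or SCHTASK in this constructed format
    fields: dict


@dataclass
class Finding:
    severity: str      # "high" = known IOC, "medium" = suspicious behaviour worth review
    rule: str
    event: Event


def parse_line(line: str) -> Event:
    """Split one constructed log line into timestamp, kind and key=value fields."""
    ts, kind, *rest = line.split()
    return Event(ts, kind, dict(token.split("=", 1) for token in rest))


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(event: Event) -> Optional[Finding]:
    """Apply the three detection rules derived from the advisory's description."""
    # ntpath handles Windows paths correctly even when this runs on Linux.
    image = ntpath.basename(event.fields.get("image", "")).lower()
    if event.kind == "NETCONN":
        dst = event.fields.get("dst", "")
        if dst in C2_ADDRESSES:
            return Finding("high", "known_c2_address", event)
        # svchost.exe legitimately reaches the Internet (updates, time sync), so an
        # external connection from an injection host is only a review-level signal.
        if image in INJECTION_HOSTS and not is_internal(dst):
            return Finding("medium", "injection_host_external_connection", event)
    elif event.kind == "SCHTASK" and image in INJECTION_HOSTS:
        # Persistence via scheduled task created from an injected host process.
        return Finding("medium", "scheduled_task_from_injection_host", event)
    return None


def scan(log_text: str) -> list:
    """Run every non-empty line through the rules and return the findings in order."""
    findings = []
    for line in log_text.strip().splitlines():
        finding = evaluate(parse_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}: {f.event.ts} {f.event.fields}")
```

On the sample records the script raises one high-severity finding (the msiexec.exe connection to the advisory's C2 address) and two medium-severity ones (svchost.exe reaching an external address, and a scheduled task created by msiexec.exe); the private SMB connection and the browser's ordinary outbound traffic produce nothing. The medium rules are deliberately kept separate from the IOC match so that analysts can tune them per environment without losing the high-confidence hit.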