US and Canadian Authorities Warn of Increased Truebot Activity

Written by

A warning about increased Truebot malware activity involving new tactics, techniques and procedures (TTPs) has been issued by US and Canadian authorities on July 6 2023.

The joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Canadian Centre for Cyber Security (CCCS) noted that threat actors are leveraging newly identified Truebot malware variants to target organizations via new techniques in the US and Canada.

Truebot is known to be used by notorious cyber-criminal gangs such as Clop and Silence to collect and exfiltrate information from victims.

Read more about Clop extortion campaigns: Clop Starts MOVEit Extortion as New Bug is Discovered

The document observed that previous Truebot malware variants were primarily delivered via malicious phishing email attachments. However, the government agencies have recently noticed a shift in approach, with threat actors increasingly exploiting the CVE-2022-31199 vulnerability to leverage the botnet.

The remote code execution vulnerability is present in Netwrix Auditor, software used for on-premises and cloud-based IT system auditing. Exploiting this CVE allows attackers to gain initial access and move laterally within the compromised network.

The advisory went on to explain that once the malicious file is downloaded, Truebot renames itself and deploys FlawedGrace onto the host. This remote access tool (RAT) can then modify registry and print spooler programs, which allows it to escalate privilege and establish persistence.

The agencies added that Truebot has been observed in association with a number of other delivery malware vectors and tools, including Raspberry Robin and Colbalt Strike.

Organizations have been advised to take a number of steps to mitigate the increased threat from Truebot, including monitoring and controlling the execution of software and applying vendor patches to Netwrix Auditor.

“Any organization identifying indicators of compromise (IOCs) within their environment should urgently apply the incident responses and mitigation measures detailed in this CSA and report the intrusion to CISA or the FBI,” the advisory read.

What’s hot on Infosecurity Magazine?