Researchers have seen an increase in TrueBot infections, where threat actors have shifted from BEC to other techniques.
Two different Truebot botnets were traced, one is distributed worldwide, with a particular focus on Mexico, Pakistan, and Brazil, and the second one is focused on the US.
In the recent campaign, the delivery methods used include the exploitation of a now-patched vulnerability (CVE-2022-31199) in Netwrix Auditor, an IT asset management tool, and the Raspberry Robin worm.
The attack took place only a few weeks after the vulnerability was publicly disclosed, a circumstance that suggests threat actors quickly test new attack vectors.
Truebot, active since 2017 is a downloader malware, it is used to infect systems, collect information on the targets, and deploy additional malicious payloads. Gathered data are sent back to the attacker’s C2.
The set of commands to exfiltrate stolen data through a previously unknown custom tool dubbed Teleport. The analysis of the commands issued via Teleport reveals that the tool is used by the attackers to collect files from OneDrive and Downloads folders, and from the victim’s Outlook email messages.
Multiple occurrences of Raspberry Robin delivering Truebot. The researchers investigated an attack leveraging Truebot to deliver the Clop ransomware.
The primary function of TrueBot is to collect information from the host and deploy next-stage payloads such as Cobalt Strike, FlawedGrace, and Teleport. This is followed by the execution of the ransomware binary after harvesting relevant information.
Indicators Of Compromise