Warning issued over increased activity of TrueBot malware

In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) have warned about newly identified TrueBot malware variants used against organizations in the US and Canada.

As we reported in our May 2023 ransomware review, ransomware groups like Cl0p first gain access to a network and then quietly deploy TrueBot malware and a Cobalt Strike beacon to move around inside it, grabbing data along the way.

At its core, TrueBot is a Trojan.Downloader: besides gathering system information, it can download and execute additional payloads. That makes it ideal for initial access broker (IAB) groups that want to plant a backdoor on a system and do some basic reconnaissance of the network. For those purposes, recent versions of TrueBot collect a screenshot, the computer name, the local network name, and Active Directory trust relations. Trust relations let organizations share users and resources across domains, so this list tells an intruder which other domains a compromised account may reach.

Previous TrueBot variants were primarily delivered via malicious phishing email attachments. Newer versions also give threat actors initial access through exploitation of CVE-2022-31199, a remote code execution vulnerability in the Netwrix Auditor application. Because Netwrix Auditor is an auditing tool with reach across the environment, exploiting this CVE lets the attackers both get in and move laterally, deploying the malware at scale within the compromised network.

The advisory explains how TrueBot has been observed in association with:

  • Raspberry Robin: a wormable malware with links to other malware families and various infection methods, including installation via USB drive.
  • FlawedGrace: a remote access tool (RAT) that can receive incoming commands [T1059] from a C2 server, which is typically deployed minutes after TrueBot malware is executed.
  • Cobalt Strike: a commercial adversary emulation framework that cybercriminals abuse for persistence and data exfiltration purposes.
  • Teleport: a custom data exfiltration tool.
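The two observations above that matter most to defenders are the recon TrueBot performs (including enumeration of Active Directory trust relations) and the timing of FlawedGrace, which typically lands minutes after TrueBot runs. The following detector is an added example written for this article, not code from the advisory, Malwarebytes, or any of the malware authors. It scans constructed process and network events for a downloader that runs from a user-writable directory and, within a ten-minute window, either enumerates domain trusts or makes outbound connections from its process tree. The event format, the directory list, the `nltest /domain_trusts` marker (one common way to list trusts; the advisory does not say which method TrueBot uses), and the destination allowlist are all assumptions you would adapt to your own telemetry.

```python
"""
Added example (not from the CISA advisory or Malwarebytes): a small, offline
detector for the post-infection pattern described above. Events are simple
dicts; feeding it Sysmon event ID 1/3 or EDR process/network telemetry only
needs a thin adapter. All paths, markers and sample data are constructed.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # "minutes after TrueBot malware is executed"
# Directories a phishing-delivered downloader typically runs from (assumption).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
# One common way to enumerate AD trusts; TrueBot's exact method is not stated (assumption).
TRUST_ENUM_MARKERS = ("nltest", "/domain_trusts")
# Destinations that are expected for unsigned binaries, e.g. an internal update host (constructed).
ALLOWED_DESTS = {"10.0.0.5"}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _process_tree(events, root_pid, host):
    """All pids on `host` that descend from root_pid (including root_pid)."""
    pids = {root_pid}
    changed = True
    while changed:
        changed = False
        for e in events:
            if (e["type"] == "process_create" and e["host"] == host
                    and e["parent_pid"] in pids and e["pid"] not in pids):
                pids.add(e["pid"])
                changed = True
    return pids


def detect(events):
    """Return one alert per suspicious downloader candidate."""
    evs = sorted(events, key=lambda e: _ts(e["ts"]))
    alerts = []
    for cand in evs:
        if cand["type"] != "process_create":
            continue
        if not any(d in cand.get("image", "").lower() for d in USER_WRITABLE):
            continue  # only binaries started from user-writable paths are candidates
        host, t0 = cand["host"], _ts(cand["ts"])
        tree = _process_tree(evs, cand["pid"], host)
        trust_enum = c2 = False
        for e in evs:
            if e["host"] != host or not (t0 <= _ts(e["ts"]) <= t0 + WINDOW):
                continue
            if e["type"] == "process_create" and e["pid"] in tree:
                cmd = e.get("cmdline", "").lower()
                if all(m in cmd for m in TRUST_ENUM_MARKERS):
                    trust_enum = True
            elif (e["type"] == "network_connect" and e["pid"] in tree
                    and e["dest"] not in ALLOWED_DESTS):
                c2 = True  # follow-on payload or downloader calling out
        if trust_enum or c2:
            alerts.append({
                "host": host, "pid": cand["pid"], "image": cand["image"],
                "trust_enum": trust_enum, "c2": c2,
                "severity": "high" if (trust_enum and c2) else "medium",
            })
    return alerts


# Constructed sample telemetry: one infected workstation and one benign one.
SAMPLE_EVENTS = [
    {"ts": "2023-07-06 09:00:00", "host": "WS01", "type": "process_create", "pid": 1000,
     "parent_pid": 500, "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe", "cmdline": "invoice.exe"},
    {"ts": "2023-07-06 09:00:05", "host": "WS01", "type": "network_connect", "pid": 1000, "dest": "203.0.113.10"},
    {"ts": "2023-07-06 09:00:20", "host": "WS01", "type": "process_create", "pid": 1001,
     "parent_pid": 1000, "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /domain_trusts"},
    {"ts": "2023-07-06 09:03:00", "host": "WS01", "type": "process_create", "pid": 1002,
     "parent_pid": 1000, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "cmdline": "update.exe"},
    {"ts": "2023-07-06 09:03:10", "host": "WS01", "type": "network_connect", "pid": 1002, "dest": "198.51.100.7"},
    {"ts": "2023-07-06 09:10:00", "host": "WS02", "type": "process_create", "pid": 2000,
     "parent_pid": 700, "image": r"C:\Users\Public\installer.exe", "cmdline": "installer.exe /quiet"},
    {"ts": "2023-07-06 09:10:05", "host": "WS02", "type": "network_connect", "pid": 2000, "dest": "10.0.0.5"},
    {"ts": "2023-07-06 09:11:00", "host": "WS02", "type": "process_create", "pid": 2001,
     "parent_pid": 700, "image": r"C:\Program Files\Vendor\agent.exe", "cmdline": "agent.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

On the sample data this raises a high-severity alert for `invoice.exe` on WS01 (trust enumeration plus an outbound connection from its tree) and a medium one for the dropped `update.exe`, while the allowlisted installer on WS02 stays quiet. The time window is the point: an unsigned binary from Temp that both lists domain trusts and calls out within minutes is the sequence the advisory describes, and correlating the two signals is far less noisy than alerting on either alone.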

In a separate malware analysis report, interested parties can find a comprehensive analysis of a recently discovered TrueBot executable.

Malwarebytes blocks the download URLs and detects TrueBot as Malware.AI.{id.nr.}; Cl0p ransomware is detected as Malware.Ransom.Agent.Generic. Prevention is still better than remediation, so the Malwarebytes web protection module also blocks the C2 servers listed in the Malware Analysis Report.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity, such as reconnaissance and lateral movement, before it escalates into a full attack.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.