US, Canadian agencies warn organizations of newly identified Truebot malware variants

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) published a joint Cybersecurity Advisory (CSA) warning that cyber threat actors are using newly identified Truebot malware variants against organizations in both countries. Truebot is a botnet that malicious cyber groups, including the CL0P ransomware gang, have used to collect and exfiltrate information from their victims.

“As recently as May 31, 2023, the authoring organizations have observed an increase in cyber threat actors using new malware variants of Truebot (also known as Silence.Downloader),” the advisory issued Thursday said. “Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199 (a remote code execution vulnerability in the Netwrix Auditor application), enabling deployment of the malware at scale within the compromised environment.”

Based on open-source reporting and their own analysis of Truebot variants, the authoring organizations assess that cyber threat actors are using both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver the new variants. As recently as May this year, actors used this CVE to deploy new Truebot variants and to collect and exfiltrate information from organizations in the U.S. and Canada.

The advisory links Truebot to several other malware families and tools: Raspberry Robin (malware), FlawedGrace (malware), Cobalt Strike (tool), and Teleport (tool).

Raspberry Robin is a wormable malware with links to other malware families and various infection methods, including installation via USB drive, the advisory said. “Raspberry Robin has evolved into one of the largest malware distribution platforms and has been observed deploying Truebot, as well as other post-compromise payloads such as IcedID and Bumblebee malware. With the recent shift in Truebot delivery methods from malicious emails to the exploitation of CVE-2022-31199, a large number of Raspberry Robin infections have leveraged this exploitable CVE,” it added.

FlawedGrace is a remote access tool (RAT) that receives commands from a command-and-control (C2) server over a custom binary protocol on port 443 and uses them to deploy additional tools. Truebot has been observed dropping FlawedGrace as an additional payload in phishing campaigns.

Cobalt Strike is a widely used RAT that cyber threat actors have leveraged, in observable ways, for a variety of post-exploitation purposes. Typically a few hours after Truebot executes, actors have been observed deploying additional payloads containing Cobalt Strike beacons for persistence and data exfiltration. They use Cobalt Strike to move laterally through remote service session hijacking, to harvest valid credentials by dumping the memory of LSASS (Local Security Authority Subsystem Service), and to create local admin accounts for ‘pass the hash’ alternate authentication. LSASS enforces the security policy on Windows and holds credential material in memory, which is why it is the target of the dumping.
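The LSASS memory dumping described above leaves a reliable trace: a handle to lsass.exe opened with read access by a process that has no business holding one. The following PowerShell hunt is an added example written for this article, not code from the advisory or from any of the authoring agencies. It assumes Sysmon is installed and configured to log ProcessAccess events (Event ID 10) for lsass.exe; the allowlist of legitimate source images and the 24-hour window are assumptions to be tuned for a given estate.

```powershell
# Added example: hunt for processes reading LSASS memory via Sysmon Event ID 10.
# Assumes Sysmon is installed with a config that records ProcessAccess for
# lsass.exe. The allowlist and time window below are assumptions, not advisory content.

$allowedSources = @(
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe'  # assumed AV path
)
$since = (Get-Date).AddHours(-24)

# Pull ProcessAccess events from the Sysmon operational log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 10
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Sysmon writes its fields as <Data Name="...">value</Data>; flatten them into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.TargetImage -notlike '*\lsass.exe') { continue }

    # GrantedAccess is a hex string such as 0x1010; bit 0x10 is PROCESS_VM_READ,
    # the right that credential-dumping tools need.
    $granted = [Convert]::ToInt32($data.GrantedAccess, 16)
    if (($granted -band 0x10) -eq 0) { continue }

    # Skip sources on the allowlist (wildcards allowed via -like).
    $isAllowed = $false
    foreach ($pattern in $allowedSources) {
        if ($data.SourceImage -like $pattern) { $isAllowed = $true; break }
    }
    if ($isAllowed) { continue }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        SourceImage   = $data.SourceImage
        SourcePid     = $data.SourceProcessId
        GrantedAccess = $data.GrantedAccess
        CallTrace     = $data.CallTrace
    }
}
```

Run it in an elevated session on the host, or point the log name at forwarded events on a collector. Access masks with bit 0x10 (PROCESS_VM_READ) set are the ones that can read LSASS memory; the 0x1010 and 0x1410 masks classically requested by Mimikatz-style tools fall in that set, but so do some legitimate antivirus and diagnostic tools, hence the allowlist rather than a hard alert. The CallTrace field is worth keeping in the output: a call stack that passes through an unsigned DLL or an unbacked memory region is a stronger signal than the access mask alone.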

Actors have also been observed using a custom data exfiltration tool that Cisco Talos has named ‘Teleport.’ It evades detection by encrypting exfiltrated data with the advanced encryption standard (AES) under a key hardcoded in the binary and by carrying that data over a custom communication protocol. To stay stealthy, Teleport also limits how much data it collects and blends its transfers into the organization’s normal outbound network traffic.

CISA, FBI, MS-ISAC, and the CCCS urge organizations to implement the mitigations contained in the advisory, starting with patching CVE-2022-31199, to reduce the likelihood and impact of Truebot activity and other ransomware-related incidents.

The advisory calls on organizations to reduce the threat of malicious actors using remote access tools by implementing application controls that manage and control the execution of software, including allowlisting approved remote access programs. Those controls should prevent the installation and execution of portable versions of unauthorized remote access and other software.

It also recommends strictly limiting the use of RDP (Remote Desktop Protocol) and other remote desktop services; disabling command-line and scripting activities and permissions where they are not needed; updating Windows PowerShell or PowerShell Core to the latest version and uninstalling all earlier PowerShell versions; and enabling enhanced PowerShell logging.

Organizations should also implement time-based access for accounts at the admin level and higher; configure the Windows Registry to require User Account Control (UAC) approval; and review domain controllers, servers, workstations, and Active Directory for new or unrecognized accounts. The advisory further calls for auditing user accounts with administrative privileges, configuring access controls according to the principle of least privilege (PoLP), and reducing the risk of credential compromise.
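Several of these recommendations can be verified from a single elevated PowerShell session. The script below is an added example, not part of the advisory or any agency tooling; it checks the PowerShell version and the legacy 2.0 engine, the script block and module logging policy keys, the UAC and Remote Desktop registry values, the local Administrators group, and recent account-creation and group-membership events in the Security log. The 30-day lookback is an assumption. Time-based (just-in-time) admin access is a directory-side control that this host-level script does not check.

```powershell
# Added example: read-only checks for several advisory mitigations on one Windows host.
# Run in an elevated PowerShell session. Registry paths and event IDs are the
# standard Windows locations; the 30-day lookback is an assumption.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. PowerShell version. The legacy 2.0 engine is an optional feature that bypasses
#    modern logging, so flag it if it is still enabled.
$findings.Add("INFO: running PowerShell $($PSVersionTable.PSVersion)")
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
if ($v2 -and $v2.State -eq 'Enabled') {
    $findings.Add("FAIL: PowerShell 2.0 engine enabled; run Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2")
}

# 2. Enhanced PowerShell logging: script block and module logging policy keys (1 = enabled).
$sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
if ($sbl.EnableScriptBlockLogging -ne 1) { $findings.Add("FAIL: script block logging not enabled") }
$ml = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -ErrorAction SilentlyContinue
if ($ml.EnableModuleLogging -ne 1) { $findings.Add("FAIL: module logging not enabled") }

# 3. UAC. EnableLUA=1 turns UAC on; ConsentPromptBehaviorAdmin 1 or 2 prompts on the
#    secure desktop, 0 elevates silently, 5 (the default) prompts only for non-Windows binaries.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -ne 1) { $findings.Add("FAIL: UAC (EnableLUA) is disabled") }
if ($uac.ConsentPromptBehaviorAdmin -notin 1, 2) {
    $findings.Add("WARN: ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin); 2 (always prompt for consent) is the strict setting")
}

# 4. Remote Desktop. fDenyTSConnections=1 means RDP is off.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($rdp.fDenyTSConnections -ne 1) { $findings.Add("WARN: RDP is enabled on this host") }

# 5. Local Administrators group membership, for the privileged-account audit.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("ADMIN: $($_.Name) [$($_.ObjectClass)]")
}

# 6. Recently created accounts and local group additions: Security events 4720
#    (user account created) and 4732 (member added to a security-enabled local group).
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings.Add("EVENT $($_.Id) at $($_.TimeCreated): $($_.Message.Split("`n")[0].Trim())")
    }

$findings
```

The output is a flat list of INFO, WARN, FAIL, ADMIN and EVENT lines so it can be diffed between runs or shipped to a SIEM. Treat an unexpected ADMIN entry or a 4720 event on a server that should not be creating accounts as a lead to investigate, since the advisory specifically notes actors creating local admin accounts after gaining a foothold.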

In addition, CISA, FBI, MS-ISAC, and CCCS recommend that network defenders apply the mitigations listed in the advisory to limit adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors.

Last month, U.S. agencies disclosed in a CSA that the CL0P ransomware gang, also known as TA505, was exploiting a previously unknown structured query language (SQL) injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT) solution, MOVEit Transfer. The agencies noted that the speed and ease of exploiting the flaw allowed CL0P to take advantage of it quickly, and based on the group’s past campaigns they expect widespread exploitation of unpatched software services in both private and public networks.
