The Hacker News
Jun 05, 2023 - 4:31 a.m.

Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors

thehackernews.com
Tags: truebot, downloader trojan, botnet, netwrix auditor, raspberry robin, update.exe, drive-by-download

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.003 Low (Percentile: 62.0%)

A surge in TrueBot activity was observed in May 2023, cybersecurity researchers disclosed.

“TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks,” VMware’s Fae Carlisle said.

Active since at least 2017, TrueBot is linked to a group known as Silence that’s believed to share overlaps with the notorious Russian cybercrime actor known as Evil Corp.

Recent TrueBot infections have leveraged a critical flaw in Netwrix Auditor (CVE-2022-31199, CVSS score: 9.8) as well as Raspberry Robin as delivery vectors.

The attack chain documented by VMware, on the other hand, starts off with a drive-by-download of an executable named “update.exe” from Google Chrome, suggesting that users are lured into downloading the malware under the pretext of a software update.

Once run, update.exe establishes connections with a known TrueBot IP address located in Russia to retrieve a second-stage executable (“3ujwy2rz7v.exe”) that’s subsequently launched using Windows Command Prompt.

The executable, for its part, connects to a command-and-control (C2) domain and exfiltrates sensitive information from the host. It’s also capable of process and system enumeration.
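As an added example, not code from VMware or The Hacker News: a process-lineage check that flags the chain just described (browser-spawned update.exe launching a command shell that launches a second-stage binary) over constructed ProcessCreate-style events. The browser and shell image names, the file paths and the pid values are assumptions; only update.exe and 3ujwy2rz7v.exe come from the article.

```python
from typing import Dict, List, Tuple

# Constructed ProcessCreate-style events (pid, parent pid, image path).
# Paths, pids and the unrelated svchost/cmd pair are assumptions made to
# mirror the chain described in the article.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\Downloads\update.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Local\Temp\3ujwy2rz7v.exe"},
    {"pid": 500, "ppid": 1,   "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed browser images
SHELLS = {"cmd.exe", "powershell.exe"}                    # assumed interpreter images


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image names from the given process up to its topmost known ancestor."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # guard against pid-reuse cycles
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def flag_truebot_chain(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Flag any process whose ancestry reads:
    <second stage> <- shell <- update.exe <- browser.
    The second-stage name is left free rather than matched on the one
    sample name, so renamed payloads still trip the rule."""
    hits = []
    for e in events:
        chain = ancestry(events, e["pid"])
        if (len(chain) >= 4 and chain[1] in SHELLS
                and chain[2] == "update.exe" and chain[3] in BROWSERS):
            hits.append((e["pid"], chain))
    return hits


if __name__ == "__main__":
    for pid, chain in flag_truebot_chain(EVENTS):
        print(f"pid {pid}: {' <- '.join(chain)}")
```

The same ancestry walk applies to real Sysmon Event ID 1 or EDR telemetry once the pid/ppid/image fields are mapped.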

“TrueBot can be a particularly nasty infection for any network,” Carlisle said. “When an organization is infected with this malware, it can quickly escalate to become a bigger infection, similar to how ransomware spreads throughout a network.”

The findings come as SonicWall detailed a new variant of another downloader malware known as GuLoader (aka CloudEyE) that’s used to deliver a wide range of malware such as Agent Tesla, Azorult, and Remcos.

“In the latest variant of GuLoader, it introduces new ways to raise exceptions that hamper the complete analysis process and its execution under a controlled environment,” SonicWall said.
