New TrueBot malware variant attacks U.S. organizations
A new variant of the TrueBot malware has been used in attacks against organizations in the United States and Canada.
The malware is delivered via a remote code execution (RCE) vulnerability in the Netwrix Auditor software, tracked as CVE-2022-31199. Once the malware is installed, it gathers information on the compromised system and uses it to carry out other malicious activities, such as delivering additional malware or stealing data.
Once the Truebot malware is executed on a system, it performs several reconnaissance steps. It checks the system's operating system (OS) version and processor architecture and derives a unique identifier for the compromised system from them. This information is stored as a randomly named 13-character file with a .JSONIP extension in the C:\ProgramData directory.
Furthermore, the malware enumerates all running processes on the system, excluding a predefined list of common Windows processes. The remaining process names are concatenated into a base64-encoded string, which helps the operators keep their activity discreet. Hours after the initial infection, Truebot has been observed injecting Cobalt Strike beacons into memory. The beacons remain dormant for the first few hours before initiating additional operations.
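The .JSONIP identifier file described above is a concrete host artifact defenders can hunt for. The following is an added example, not code from the original article or from the joint advisory: it filters a collected file listing down to files whose name is exactly 13 characters with a .JSONIP extension directly under C:\ProgramData. The sample listing is constructed for illustration, and the file names in it are not real indicators.

```python
from pathlib import PureWindowsPath
import os

# Constructed sample listing (not real IOCs): paths as an endpoint hunt
# might collect them from C:\ProgramData and elsewhere.
SAMPLE_LISTING = [
    r"C:\ProgramData\a1b2c3d4e5f6g.JSONIP",         # 13-char stem, matches
    r"C:\ProgramData\Zq9Rt7Wp2Lm5K.jsonip",         # extension differs only in case, matches
    r"C:\ProgramData\short1234567.JSONIP",          # 12-char stem, near miss
    r"C:\ProgramData\Vendor\a1b2c3d4e5f6g.JSONIP",  # subfolder, not where the article places it
    r"C:\ProgramData\a1b2c3d4e5f6g.json",           # wrong extension
    r"C:\Users\Public\a1b2c3d4e5f6g.JSONIP",        # wrong directory
]

ARTIFACT_DIR = PureWindowsPath(r"C:\ProgramData")
STEM_LENGTH = 13  # "randomly named 13-character file" per the article


def is_jsonip_artifact(path: str) -> bool:
    """True if path is a 13-character-named .JSONIP file directly under C:\\ProgramData."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".jsonip":
        return False
    # Windows paths are case-insensitive, so compare the parent folded to lower case.
    if str(p.parent).lower() != str(ARTIFACT_DIR).lower():
        return False
    return len(p.stem) == STEM_LENGTH


def find_jsonip_artifacts(paths):
    """Filter a collected path listing down to suspected TrueBot identifier files."""
    return [p for p in paths if is_jsonip_artifact(p)]


def scan_programdata(root=r"C:\ProgramData"):
    """Live variant for a Windows host: list the directory and apply the same check.

    Returns an empty list if the directory cannot be read (e.g. when run off-host).
    """
    try:
        entries = [os.path.join(root, name) for name in os.listdir(root)]
    except OSError:
        return []
    return find_jsonip_artifacts(entries)


if __name__ == "__main__":
    for hit in find_jsonip_artifacts(SAMPLE_LISTING):
        print("suspected TrueBot identifier file:", hit)
```

A hit is a reason to pull the file and the host's process and network telemetry for the hours after its creation, since the article places the Cobalt Strike beacon injection in that window.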
A joint report published by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) recommends that organizations hunt for the malicious activity using the guidance outlined in the joint Cybersecurity Advisory (CSA), and apply the vendor patch for Netwrix Auditor (version 10.5).
The joint report also includes a comprehensive set of indicators of compromise (IOCs) and YARA rules that organizations can use to detect the presence of the Truebot malware. These resources help identify and contain the threat.
The sources for this piece include an article in SecurityAffairs.