TrueBot malware used by Clop ransomware to gain network access

Share post:

Cisco Talos, a cybersecurity research firm, has reported an increase in TrueBot infections, primarily targeting Mexico, Brazil, Pakistan, and the United States.

Recent attacks made use of a now-patched vulnerability (CVE-2022-31199) in Netwrix Auditor, an IT asset management tool, as well as the Raspberry Robin worm.

The experts emphasized that the attacks occurred only a few weeks after the vulnerability was publicly disclosed, implying that threat actors rapidly test new attack vectors. The researchers believe, with moderate confidence, that threat actors began using yet another distribution technique in November.

According to Cisco Talos, the Truebot gang used Raspberry Robin to infect over 1,000 hosts, many of which were desktop computers not accessible via the public internet, primarily in Mexico, Brazil, and Pakistan.

The hackers targeted Windows servers in November, exposing SMB, RDP, and WinRM services to the public internet. The researchers counted over 500 infections, with roughly 75% of them occurring in the United States.

TrueBot’s primary function is to gather data from the host and deploy next-stage payloads such as Cobalt Strike, FlawedGrace, and Teleport. Following the harvesting of relevant information, the ransomware binary is executed. The Teleport data exfiltration tool is also notable for its ability to restrict upload speeds and file sizes, allowing transmissions to pass unnoticed by monitoring software. Furthermore, it has the ability to remove its own presence from the machine.

The sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

North Korean Job Scam Targeting IT Job Seekers

North Korea’s Lazarus advanced persistent threat (APT) group has launched a sophisticated campaign, “Operation 99,” targeting freelance software...

Hackers Exploit FastHTTP in High-Speed Microsoft 365 Attacks

Threat actors are employing the FastHTTP Go library to launch high-speed brute-force password attacks on Microsoft 365 accounts...

YouTubers Targeted As Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

Attackers have found a new way to infect people seeking pirated or cracked software: planting malicious download links...

New macOS Malware Exploits Apple’s Security Features to Stay Hidden and Steal User Data

A newly discovered variant of the Banshee macOS Stealer malware is putting 100 million Apple users at risk...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways