The CISA, FBI, MS-ISAC, and CCCS have released a joint cybersecurity advisory regarding cyber threat actors leveraging newly identified Truebot malware variants against organizations in the United States and Canada. These attacks are exploiting a critical remote code execution (RCE) vulnerability, tracked as CVE-2022-31199 (CVSSv3 score: 9.8 – Critical), in the Netwrix Auditor software to deliver Truebot. Threat actors are leveraging this flaw to gain initial access and move laterally within the compromised network.
Truebot is a botnet that is linked to the Russian-speaking Silence cybercrime group and used by TA505 hackers (associated with the FIN11 group) to deploy Clop ransomware on compromised networks since December 2022. Previous malware variants of Truebot were primarily delivered by cyber threat actors via malicious phishing email attachments. However, recent versions allow them to also gain initial access through exploiting CVE-2022-31199, enabling deployment of the malware at scale within the compromised environment. Based on the nature of observed Truebot operations, the main goal of the adversaries is to steal sensitive information from compromised systems for financial gain.
The malware has also been used alongside other malware in attacks. In several incidents, shortly after Truebot was executed, the Cobalt Strike tool was deployed for persistence and data exfiltration purposes. In addition, some phishing campaigns consisted of the FlawedGrace RAT being deployed only minutes after the Truebot malware was executed. Researchers have also found Truebot attacks leveraging a custom data exfiltration tool called “Teleport” that was used to steal information.
When an organization is infected with Truebot, the infection can quickly escalate into a much broader compromise, similar to the way ransomware spreads across a network. The change in delivery vector shows that attacks leveraging the malware are continuing to evolve.
(Figure: CVE-2022-31199 delivery method for Truebot)
SecurIT360 SOC Managed Services
If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:
MDR Services
- We utilize several threat feeds that are updated daily.
- In addition to our automatic threat feeds, we have added known indicators of compromise related to this threat into our MDR solution, FortiSIEM.
EDR Services
- In addition to ongoing vendor IoC updates, we have added known indicators of compromise related to this threat into our EDR solutions to help with detection.
Indicators are provided in the Indicators of Compromise section below for your reference.
As always, if we detect activity related to these exploits, we will alert you when applicable.
Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.
Mitigations
- All Netwrix Auditor customers are advised to upgrade to version 10.5.10977.0 and ensure that no Netwrix Auditor systems are exposed to the internet.
- CISA has posted guidelines and recommends that organizations mandate MFA for all staff and services.
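As an added example, not part of the joint advisory and not SecurIT360's own tooling, the following Python script triages an inventory of Netwrix Auditor hosts against the two mitigations above: the fixed version 10.5.10977.0 and no internet exposure. It assumes that Netwrix version strings compare numerically component by component, and that the `internet_exposed` flag is supplied by a firewall or asset-inventory export; both are assumptions, and the host records are constructed sample data. Short or malformed version strings are handled explicitly rather than silently treated as patched.

```python
# Added example, not from the advisory: triage a Netwrix Auditor inventory
# against the two mitigations stated above (fixed version 10.5.10977.0,
# and no internet exposure). Host records below are constructed sample data.
from dataclasses import dataclass
from typing import List, Tuple

FIXED_VERSION = "10.5.10977.0"  # version named in the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a 4-part integer tuple.

    Short strings such as "10.5" are right-padded with zeros so that they
    compare below any later build. A non-numeric component raises ValueError
    so a malformed inventory entry is surfaced instead of silently passing.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 4:
        raise ValueError(f"too many components in version {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Assumption: Netwrix build numbers are comparable as integer tuples."""
    return parse_version(installed) >= parse_version(fixed)


@dataclass
class AuditorHost:
    name: str
    version: str
    internet_exposed: bool  # assumed to come from a firewall or inventory export


def triage(hosts: List[AuditorHost]) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs; a host can appear more than once."""
    findings: List[Tuple[str, str]] = []
    for host in hosts:
        try:
            patched = is_patched(host.version)
        except ValueError:
            findings.append((host.name, f"unparseable version {host.version!r}; verify manually"))
            continue
        if not patched:
            findings.append((host.name, f"running {host.version}; upgrade to {FIXED_VERSION}"))
        if host.internet_exposed:
            findings.append((host.name, "reachable from the internet; remove exposure"))
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    AuditorHost("audit-01", "10.5.10977.0", False),  # patched, internal: no finding
    AuditorHost("audit-02", "10.5.10900.0", True),   # old build and exposed
    AuditorHost("audit-03", "10.5", False),          # short version string
    AuditorHost("audit-04", "10.6.0.0", False),      # newer major/minor
    AuditorHost("audit-05", "unknown", False),       # malformed entry
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_HOSTS):
        print(f"{host}: {finding}")
```

Feed `triage()` the output of your own inventory export; a host that appears twice (old build and exposed) is the one to prioritize, and an unparseable entry is reported rather than assumed safe.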
MITRE Summary
| Technique Title | ID | Use |
|---|---|---|
| Initial Access | | |
| Replication Through Removable Media | | Cyber threat actors use removable media drives to deploy Raspberry Robin malware. |
| Drive-by Compromise | | Cyber threat actors embed malicious links or attachments within web domains to gain initial access. |
| Exploit Public-Facing Application | | Cyber threat actors are exploiting Netwrix vulnerability CVE-2022-31199 for initial access, with follow-on lateral movement through remote code execution. |
| Phishing | | Truebot actors can send spear-phishing links to gain initial access. |
| Execution | | |
| Command and Scripting Interpreter | | Cyber threat actors have been observed dropping Cobalt Strike beacons as a reverse shell proxy to create persistence within the compromised network. Cyber threat actors use FlawedGrace to receive PowerShell commands over a C2 channel to deploy additional tools. |
| Shared Modules | | Cyber threat actors can deploy malicious payloads through obfuscated shared modules. |
| User Execution: Malicious Link | | Cyber threat actors trick users into clicking a link by making them believe they need to perform a Google Chrome software update. |
| Persistence | | |
| Hijack Execution Flow: DLL Side-Loading | | Cyber threat actors use Raspberry Robin, among other toolsets, to side-load DLLs to maintain persistence. |
| Privilege Escalation | | |
| Boot or Logon Autostart Execution: Print Processors | | FlawedGrace malware manipulates print spooler functions to achieve privilege escalation. |
| Defense Evasion | | |
| Obfuscated Files or Information | | Truebot uses a .JSONIP extension (e.g., IgtyXEQuCEvAM.JSONIP) to create a GUID. |
| Obfuscated Files or Information: Binary Padding | | Cyber threat actors embed around one gigabyte of junk code within the malware string to evade detection protocols. |
| Masquerading: Masquerade File Type | | Cyber threat actors hide Truebot malware as legitimate-appearing file formats. |
| Process Injection | | Truebot malware has the ability to load shellcode after establishing a C2 connection. |
| Indicator Removal: File Deletion | | Truebot malware implements self-deletion TTPs throughout its attack cycle to evade detection. The Teleport exfiltration tool deletes itself after it has completed exfiltrating data to the C2 station. |
| Modify Registry | | FlawedGrace is able to modify registry entries that control the order in which documents are loaded to a print queue. |
| Reflective Code Loading | | Truebot malware has the capability to load shellcode and deploy various tools to stealthily navigate an infected network. |
| Credential Access | | |
| OS Credential Dumping: LSASS Memory | | Cyber threat actors use Cobalt Strike to gain valid credentials through LSASS memory dumping. |
| Discovery | | |
| System Network Configuration Discovery | | Truebot malware scans and enumerates the affected system's domain names. |
| Process Discovery | | Truebot malware enumerates all running processes on the local host. |
| System Information Discovery | | Truebot malware scans and enumerates the OS version information and processor architecture. Truebot malware enumerates the affected system's computer names. |
| System Time Discovery | | Truebot has the ability to discover system time metrics, which enables synchronization with the compromised system's internal clock to facilitate task scheduling. |
| Software Discovery: Security Software Discovery | | Truebot has the ability to discover security software, which aids in defense evasion. |
| Debugger Evasion | | Truebot malware scans the compromised environment for debugger tools and enumerates them in an effort to evade network defenses. |
| Lateral Movement | | |
| Exploitation of Remote Services | | Cyber threat actors exploit the CVE-2022-31199 Netwrix Auditor vulnerability and use its capabilities to move laterally within a compromised network. |
| Use Alternate Authentication Material: Pass the Hash | | Cyber threat actors use Cobalt Strike to authenticate as valid accounts. |
| Remote Service Session Hijacking | | Cyber threat actors use Cobalt Strike to hijack remote sessions using SSH and RDP hijacking methods. |
| Remote Service Session Hijacking: RDP Hijacking | | Cyber threat actors use Cobalt Strike to hijack remote sessions using SSH and RDP hijacking methods. |
| Lateral Tool Transfer | | Cyber threat actors deploy additional payloads to transfer toolsets and move laterally. |
| Collection | | |
| Data from Local System | | Truebot malware checks the current version of the OS and the processor architecture and compiles the information it receives. |
| Screen Capture | | Truebot malware takes snapshots of local host data, specifically processor architecture data, and sends that to a phase 2 encoded data string. Truebot gathers and compiles the compromised system's host and domain names. |
| Command and Control | | |
| Application Layer Protocol | | Cyber threat actors use the Teleport exfiltration tool to blend exfiltrated data with network traffic. |
| Non-Application Layer Protocol | | Cyber threat actors use Teleport and FlawedGrace to send data over a custom communication protocol. |
| Ingress Tool Transfer | | Cyber threat actors deploy various ingress tool transfer payloads to move laterally and establish C2 connections. |
| Encrypted Channel: Asymmetric Cryptography | | Cyber threat actors use Teleport to create an encrypted channel using AES. |
| Exfiltration | | |
| Scheduled Transfer | | Teleport limits the data it collects and syncs with outbound organizational data/network traffic. |
| Data Transfer Size Limits | | Teleport limits the data it collects and syncs with outbound organizational data/network traffic. |
| Exfiltration Over C2 Channel | | Cyber threat actors blend exfiltrated data with network traffic to evade detection. Cyber threat actors use the Teleport tool to exfiltrate data over a C2 protocol. |
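Two rows of the Defense Evasion section above describe file-level artifacts a defender can hunt for without any vendor signature: the .JSONIP extension Truebot uses to create a GUID, and executables padded with roughly a gigabyte of junk. The following Python script is an added example, not part of the advisory and not SecurIT360's detection content; it walks a directory tree and flags both artifacts. The 512 MiB production threshold for "oversized" executables is an assumption derived from the advisory's "around one gigabyte" figure, the demo passes a much smaller threshold so it runs on a constructed sample tree, and every file name other than the one quoted in the advisory is constructed.

```python
# Added example, not from the advisory: hunt a directory tree for two
# file-level artifacts the MITRE summary above attributes to Truebot, the
# .JSONIP file extension and executables padded to an unusual size.
# The sample tree is constructed in a temporary directory.
import os
import shutil
import tempfile
from typing import List, Tuple

JSONIP_EXT = ".jsonip"          # matched case-insensitively, as Windows names would be
EXECUTABLE_EXTS = {".exe", ".dll"}
# Assumption: half of the "around one gigabyte" padding the advisory describes
# is a reasonable production threshold; the demo passes a much smaller one.
PADDING_THRESHOLD = 512 * 1024 * 1024


def scan_tree(root: str, padding_threshold: int = PADDING_THRESHOLD) -> List[Tuple[str, str]]:
    """Return sorted (finding, relative_path) pairs for suspicious files."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext == JSONIP_EXT:
                hits.append(("jsonip-artifact", rel))
            elif ext in EXECUTABLE_EXTS and os.path.getsize(path) >= padding_threshold:
                hits.append(("oversized-executable", rel))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed sample tree; file names are illustrative only."""
    root = tempfile.mkdtemp(prefix="truebot_hunt_")
    files = {
        "AppData/Local/IgtyXEQuCEvAM.JSONIP": b"{}",    # name quoted in the advisory
        "Temp/cache.jsonip": b"{}",                       # lower-case variant
        "Temp/notes.json": b"{}",                         # benign, similar extension
        "Downloads/update.exe": b"\0" * 4096,             # "padded" relative to demo threshold
        "Downloads/small.exe": b"MZ",                     # small, benign
        "Downloads/big.txt": b"\0" * 4096,                # large but not executable
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def demo(threshold: int = 2048) -> List[Tuple[str, str]]:
    """Build the sample tree, scan it with a demo-sized threshold, clean up."""
    root = build_sample_tree()
    try:
        return scan_tree(root, padding_threshold=threshold)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding, rel in demo():
        print(f"{finding}: {rel}")
```

Against a real host, call `scan_tree()` on user profile and temp directories with the default threshold; a padded-executable hit alone is only a lead (legitimate installers can be large), whereas a .JSONIP file is specific enough to escalate on its own.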
Indicators of Compromise
Resources & Related Articles
- Increased Truebot Activity Infects U.S. and Canada Based Networks | CISA
- CISA Warns of Spike in TrueBot Malware Attacks
- Carbon Black’s TrueBot Detection
- CISA: Netwrix Auditor RCE bug exploited in Truebot malware attacks
- CISA: Truebot malware infecting networks in U.S., Canada | TechTarget