Is TrueBot Malware a threat to US and Canadian firms?

In the ever-evolving landscape of cybersecurity threats, vigilance is paramount. In a July 2023 joint advisory, CISA, the FBI, MS-ISAC and the Canadian Centre for Cyber Security warned that organizations in the U.S. and Canada face increased risk from new versions of the TrueBot malware, which is used to steal confidential data from compromised networks. In this blog, we delve into the details of this evolving threat and offer recommendations to safeguard your organization.

TrueBot: A Persistent Threat

The TrueBot malware has evolved into a sophisticated threat closely associated with the cybercriminal groups Silence and TA505 (tracked by some vendors as FIN11). These actors are targeting networks in the United States and Canada. Their initial access now relies on exploiting a critical vulnerability, CVE-2022-31199, in the widely used Netwrix Auditor server and its associated agents.

The vulnerability allows an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges, the highest level of access on a Windows host, which gives them complete control of the affected server. Once inside the network, the attackers install the TrueBot malware.

FlawedGrace RAT: The Next Phase

TrueBot’s intrusions don’t stop there. Once TrueBot is running, the attackers use it to deliver the FlawedGrace Remote Access Trojan (RAT), which they rely on to escalate privileges and to persist on the compromised host.

FlawedGrace stores encrypted payloads in the registry, creates scheduled tasks, injects code into legitimate Windows processes, and opens a command-and-control channel through which the operators issue further instructions.

Cobalt Strike Beacons: The Final Blow

Within hours of the initial intrusion, the attackers deploy Cobalt Strike beacons. The beacons support the post-exploitation phase: data theft, ransomware deployment, or the installation of additional malware payloads. Moving from one-off phishing infections to this full intrusion chain lets the group conduct broader and more damaging operations inside the environments it compromises.

A Broader Attack Surface

Newer TrueBot versions gain initial access by exploiting CVE-2022-31199 rather than through the malicious email attachments the group relied on earlier. The change matters because Netwrix Auditor is widely deployed: more than 13,000 organizations worldwide use it, including well-known names such as Airbus, Allianz, the UK NHS and Virgin, so a single unpatched server can be the foothold for a much larger intrusion.

The Role of Raspberry Robin and Post-Compromise Malware

The advisory also covers Raspberry Robin, a worm that spreads through infected USB drives and has been observed delivering TrueBot, along with other post-compromise malware such as IcedID and Bumblebee. Delivery through Raspberry Robin widens the pool of potential victims and amplifies the impact of the group’s activity.

Protecting Your Organization

Organizations need to take immediate action to protect against TrueBot malware and similar threats: Silence and TA505 are financially motivated and are actively exploiting this attack chain. Here are crucial recommendations to bolster your cybersecurity defenses:

  1. Install updates: Organizations running Netwrix Auditor must promptly apply the update that fixes CVE-2022-31199 by upgrading to version 10.5 or later. Until the patch is applied, make sure the Auditor server’s management service is reachable only from trusted administrative networks and never from the internet.
  2. Enhance security protocols: Deploy multi-factor authentication (MFA), preferably phishing-resistant MFA, for all employees and for every remotely accessible service. MFA adds a layer of protection that makes it significantly harder for cybercriminals to turn stolen credentials into access.
  3. Hunt for indicators of compromise (IOCs): Security teams should proactively search their networks for signs of TrueBot infection. The joint advisory publishes indicators and guidance to help identify and mitigate the malware.
  4. Report incidents swiftly: If your organization detects IOCs or suspects a TrueBot intrusion, act immediately. Follow the steps in the advisory and report the incident to CISA or the FBI.
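Two of the steps above (confirming the Netwrix Auditor patch level and sweeping logs for indicators) reduce to checks a security team can script. The Python below is an added example written for this post, not code from the joint advisory or from Nettology. It compares an installed Netwrix Auditor version against the 10.5 fix release numerically, because a plain string comparison would rank 10.10 below 10.5, and it scans a few constructed proxy, DNS and EDR records for domain and SHA-256 hits. The indicator values, the log lines and the `example.invalid` domains are placeholders invented for the example; in practice load the hashes and domains the joint advisory publishes.

```python
"""Patch-level and IOC checks for the TrueBot / CVE-2022-31199 advisory.

Added example, not code from the joint advisory or from Nettology.
All indicator values and log records below are constructed placeholders.
"""
import re
from typing import Iterable, List, Tuple

# First Netwrix Auditor release that fixes CVE-2022-31199 (per the advisory).
FIXED_VERSION = (10, 5)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a version string such as '10.4.10977.0' into a tuple of ints."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def needs_patch(installed: str, fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """True when the installed build predates the fix.

    Components are compared as integers; a plain string comparison would
    rank '10.10' below '10.5' and misreport a patched server as vulnerable.
    """
    have = parse_version(installed)
    width = max(len(have), len(fixed))
    have = have + (0,) * (width - len(have))      # pad so (10, 5) == (10, 5, 0)
    want = tuple(fixed) + (0,) * (width - len(fixed))
    return have < want


# --- IOC sweep ---------------------------------------------------------------
# Placeholder indicators for the example ONLY. Replace with the domains and
# file hashes published in the joint advisory.
IOC_DOMAINS = {"c2.example.invalid", "update.example.invalid"}
PLACEHOLDER_HASH = "0123456789abcdef" * 4          # 64 hex chars, not a real sample
IOC_SHA256 = {PLACEHOLDER_HASH}

_HOST_RE = re.compile(r"\b([a-z0-9.-]+\.[a-z]{2,})\b", re.I)
_SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def sweep_logs(lines: Iterable[str],
               domains=IOC_DOMAINS,
               hashes=IOC_SHA256) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, value) for each IOC hit.

    Domain matching is suffix-aware, so a subdomain of a listed C2 domain
    is also reported. Hashes are matched case-insensitively.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for host in _HOST_RE.findall(line):
            host = host.lower().rstrip(".")
            if host in domains or any(host.endswith("." + d) for d in domains):
                hits.append((n, "domain", host))
        for digest in _SHA256_RE.findall(line):
            digest = digest.lower()
            if digest in hashes:
                hits.append((n, "sha256", digest))
    return hits


# Constructed records in a generic proxy/DNS/EDR style, not real telemetry.
SAMPLE_LOGS = [
    "2023-07-07T10:01:02Z proxy src=10.0.0.12 host=www.example.org action=allow",
    "2023-07-07T10:01:05Z dns   src=10.0.0.31 query=cdn.c2.example.invalid type=A",
    f"2023-07-07T10:02:11Z edr   host=SRV-AUDIT01 file=C:\\Windows\\Temp\\x.exe sha256={PLACEHOLDER_HASH}",
    "2023-07-07T10:02:40Z dns   src=10.0.0.31 query=login.example.org type=A",
]


if __name__ == "__main__":
    for v in ("10.4.10977.0", "10.5", "10.10.0"):
        print(f"Netwrix Auditor {v}: {'UPDATE REQUIRED' if needs_patch(v) else 'fixed'}")
    for hit in sweep_logs(SAMPLE_LOGS):
        print("IOC hit:", hit)
```

Run as-is it flags the 10.4 build as needing the update, accepts 10.5 and 10.10, and reports the DNS query to a subdomain of the placeholder C2 domain plus the EDR record carrying the placeholder hash. Feed it your own exported proxy, DNS and EDR records and the advisory’s indicator list to turn it into a real hunt.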

In the ever-evolving cat-and-mouse game of cybersecurity, staying informed and proactive is your best defense. Follow these suggestions to protect your organization from threats and keep your sensitive data safe. Stay alert and act to prevent unauthorized access.

Ready to discuss your Cybersecurity? Nettology is here to help — schedule a consultation with one of our IT experts!
