The Canadian Centre for Cyber Security (CCCS) and the Multi-State Information Sharing and Analysis Center have warned about newly identified TrueBot malware variants used against organizations in the US and Canada.
The impact of a Truebot attack can be severe and varied, involving the theft of sensitive data such as personally identifiable information (PII), financial records, or intellectual property. Truebot may also deploy additional malware payloads, such as ransomware, to encrypt critical files and extort payment from the targeted organization.
CISA and its partners have released a joint cybersecurity advisory on Truebot malware variants that explains how Truebot has been observed in association with Raspberry Robin and how cybercriminals can gain initial access, as well as the ability to move laterally within the compromised network.
SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against malware attacks. And, in case of a malware attack, contact our malware recovery experts immediately.
Truebot can be identified as both a botnet malware and a Trojan.Downloader. It has been used by malicious cyber groups like Cl0p Ransomware Gang to collect and exfiltrate information from its target victims.
It is capable of downloading and executing additional payloads, making it an ideal malware for initial access broker (IAB) groups that want to plant a backdoor on a system and perform basic reconnaissance of the network. The Truebot malware scans the compromised environment for debugger tools and enumerates them to evade network defenses. To maintain its stealth, the malware limits the data it collects and syncs with outbound organizational data/network traffic.
A botnet is a network of internet-connected devices, such as computers, servers, mobile devices, and Internet of Things (IoT) devices, that are infected and controlled by malware. The malware infects the devices and creates a bot, which is controlled remotely by the attacker or bot-herder.
The botnet malware typically looks for devices with vulnerable endpoints across the internet, rather than targeting specific individuals, companies, or industries.
The objective of creating a botnet is to infect as many connected devices as possible and to use the large-scale computing power and functionality of those devices for automated tasks that generally remain hidden from the users of the devices.
Trojan.Downloader is a type of Trojan malware that downloads and installs other malicious software or files onto a victim’s device without their knowledge or consent.
Trojan downloaders can be disguised as legitimate or useful software, such as a software update or a game, and are often distributed as part of the payload of another harmful program, such as a trojan-dropper. They can also be distributed as disguised files attached to spam emails, using legitimate-sounding program or document names, such as ‘invoice’ or ‘accounts.exe’, as a simple form of social engineering.
Threat summary (table headings only; the values were not preserved): Confirmed Name, Threat Type, Payload, Distribution methods, Consequences.
Malware, like ransomware, uses several tactics to infect machines and systems, most of them by exploiting vulnerabilities. These include unpatched software and weak passwords.
The attackers use social engineering tactics to manipulate people into sharing information they shouldn’t share, downloading software they shouldn’t download, visiting websites they shouldn’t visit, sending money to criminals, or making other mistakes that compromise their personal or organizational security.
Truebot malware historically relied on phishing emails as the primary delivery method, tricking recipients into clicking malicious hyperlinks or concealing malware as software update notifications.
Truebot malware is actively exploiting CVE-2022-31199, a remote code execution vulnerability in the Netwrix Auditor User Activity Video Recording component that allows an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors. The attackers use this vulnerability to deliver new Truebot malware variants and to collect and exfiltrate information from organizations in the U.S. and Canada.
Malvertising is the use of online advertising that appears legitimate to spread malware. Exploit kits are pre-packaged software that can be used to exploit vulnerabilities in a system.
Attackers can infect pirated software with malware and distribute it through torrent sites or other file-sharing platforms.
Truebot is sophisticated malware that uses various methods to infect systems and networks. The primary objective of a Truebot infection is to exfiltrate sensitive data from the compromised host(s) for financial gain.
During the first stage of Truebot’s execution process, it checks the current version of the operating system (OS) with RtlGetVersion and processor architecture using GetNativeSystemInfo.
During FlawedGrace’s execution phase, the RAT stores encrypted payloads within the registry. The tool can create scheduled tasks and inject payloads into msiexec.exe and svchost.exe, which are command processes that enable FlawedGrace to establish a command and control (C2) connection to a remote server, as well as load dynamic link libraries (DLLs) to accomplish privilege escalation. Several hours post initial access, Truebot has been observed injecting Cobalt Strike beacons into memory in a dormant mode for the first few hours before initiating additional operations.
Following the initial checks for system information, Truebot can enumerate all running processes, collect sensitive local host data, and send this data to an encoded data string described below for second-stage execution.
Based on IOCs, Truebot also can discover software security protocols and system time metrics, which aids in defense evasion, as well as enables synchronization with the compromised system’s internal clock to facilitate scheduling tasks.
Truebot developers employ sophisticated techniques to evade detection by traditional security solutions. They utilize various methods to disguise the malware within legitimate file formats, making it harder for security systems to identify and block.
Additionally, Truebot employs encoding and encryption methods to obfuscate its activities, making it more difficult for security analysts to analyze and detect its malicious activities.
Truebot established a connection using a newly generated globally unique identifier (GUID), and a second obfuscated domain to receive additional payloads, self-replicate across the environment, and/or delete files used in its operations.
Truebot malware can download additional malicious modules, load shell code, and deploy various tools to stealthily navigate an infected network.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning that multiple threat actor groups are using new Truebot malware variants in attacks against organizations in the US and Canada. The advisory contains indicators of compromise (IOCs) that organizations can use to identify Truebot activity within their environment. Organizations that identify IOCs within their environment should urgently apply the incident responses and mitigation measures detailed in the advisory and report the intrusion to CISA or the FBI.
Some of the IOCs companies should watch for are:
The first step to recovering from a Truebot attack is to isolate the infected computer by disconnecting it from the internet and detaching any connected devices. Then, you must contact local authorities. For US residents and businesses, that is the FBI and the Internet Crime Complaint Center (IC3).
To report a malware attack you must gather all the information you can about it, including:
However, if you prefer to contact professionals, then do nothing. Leave every infected machine the way it is and ask for an emergency ransomware removal service. Restarting or shutting down the system may compromise the recovery service. Capturing the RAM of a live system may help recover the encryption key, and a captured dropper file (the file that executes the malicious payload) can be reverse-engineered, which may lead to decryption of the data or to an understanding of how the malware operates.
You must not delete the malware, and you must keep all evidence of the attack. That is important for digital forensics, so experts can trace the attack back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.
A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.
An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.
If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the malware yourself and recover the files with your IT team, then you can follow the next steps.
You can identify which malware infected your machine by using a ransomware ID tool.
You can also check the malware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.
Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.
If you don’t have a backup or need help removing the malware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.
SalvageData experts can safely restore your files and prevent Truebot malware from attacking your network again. Contact our experts 24/7 for ransomware recovery services.
Preventing malware is the best solution for data security: it is easier and cheaper than recovering from an attack. Truebot malware can cost your business its future and even close its doors.
These are a few tips to ensure you can avoid malware attacks: