Rewterz Threat Alert – Authorities Raise Concerns Over Escalating TrueBot Malware Attacks – Active IOCs

Severity

High

Analysis Summary

Cybersecurity agencies have issued warnings about the emergence of new variants of the TrueBot malware, which is targeting companies in the U.S. and Canada. This sophisticated threat leverages a critical vulnerability (CVE-2022-31199) found in the widely used Netwrix Auditor server and its associated agents. Exploiting this vulnerability grants unauthorized attackers the ability to execute malicious code with SYSTEM user privileges, providing them unrestricted access to compromised systems.

TrueBot malware, associated with cybercriminal collectives Silence and FIN11, aims to extract confidential data and distribute ransomware, posing a significant risk to infiltrated networks. The initial compromise occurs by exploiting the CVE-2022-31199 vulnerability, after which the TrueBot malware is installed. Once inside the network, the attackers escalate their privileges by deploying the FlawedGrace Remote Access Trojan (RAT). This RAT establishes persistence on compromised systems and facilitates additional operations.

During the execution phase of FlawedGrace, the RAT stores encrypted payloads in the registry and creates scheduled tasks to inject payloads into processes such as msiexec[.]exe and svchost[.]exe. This enables FlawedGrace to establish a command and control (C2) connection to a specific IP address and load dynamic link libraries (DLLs) to escalate privileges further.

Following the initial intrusion, the attackers initiate Cobalt Strike beacons within hours. These beacons enable post-exploitation tasks, including data theft and the installation of ransomware or other malware payloads.

In contrast to previous versions, the updated variants of the TrueBot malware utilize the CVE-2022-31199 vulnerability for initial access, allowing for broader attacks within infiltrated environments. Notably, the Netwrix Auditor software is employed by over 13,000 organizations globally, including prominent entities like Airbus, Allianz, the UK NHS, and Virgin.

The TrueBot attacks involve collaboration with the Raspberry Robin malware and other post-compromise malware such as IcedID and Bumblebee. The use of Raspberry Robin as a distribution platform enables the attackers to target a larger number of victims and amplify the impact of their malicious activities.

Specific information about the victims or the number of organizations affected by the TrueBot attacks was not disclosed. However, the participation of cybercriminal groups Silence and TA505 was emphasized, highlighting the importance of implementing robust security measures.

Organizations are advised to promptly install necessary updates to address the CVE-2022-31199 vulnerability in Netwrix Auditor and upgrade their software to version 10.5 or above. Enhancing security protocols, such as deploying multi-factor authentication (MFA), is essential. Maintaining vigilance for indicators of TrueBot contamination and promptly reporting any incidents to authorities are crucial steps in mitigating the impact of the malware.

By implementing these recommended measures, organizations can bolster their defenses against the TrueBot malware, safeguarding against data breaches, system compromise, and financial losses.

Impact

• Code execution
• Data Exfiltration
• Information Theft

Indicators of Compromise

Domain Name

• imsagentes.pe
• hrcbishtek.com
• essadonio.com
• ecorfan.org

IP

• 92.118.36.199
• 81.19.135.30
• 5.188.86.18
• 5.188.206.78
• 45.182.189.71
• 139.60.160.166

MD5

• 12011c44955fd6631113f68a99447515
• 6164e9d297d29aa8682971259da06848

SHA-256

• c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3
• 717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb

SHA-1

• 4f4f8cf0f9b47d0ad95d159201fe7e72fbc8448d
• 96b95edc1a917912a3181d5105fd5bfad1344de0

URL

• https://imsagentes.pe/dgrjfj/
• https://hrcbishtek.com/{5
• https://ecorfan.org/base/sj/document_may_24_16654.exe

Remediation

• Upgrade to the latest version of Netwrix Auditor application, available from the Netwrix Web site.
• Block all threat indicators at your respective controls.
• Search for Indicator of compromise (IOCs) in your environment utilizing your respective security controls
• Implement robust network monitoring and intrusion detection systems to detect and respond to any malicious activity targeting the vulnerability.
• Restrict network access to the vulnerable system by employing network segmentation, firewalls, and access controls to limit exposure and potential exploitation.
• Educate users and system administrators about the existence and impact of the vulnerability, emphasizing the importance of promptly applying updates and following secure coding practices.
• Conduct regular security assessments, including vulnerability scans and penetration testing, to identify and address any potential security weaknesses in the infrastructure.
• Establish incident response procedures and ensure that the appropriate teams are trained and prepared to handle any potential security incidents or breaches related to the vulnerability.
• Engage with the vendor and security community to stay informed about any further developments or recommendations regarding the vulnerability and its remediation.