A joint advisory from multiple law enforcement and cyber security agencies, including the FBI and CISA, details a recent surge in Truebot malware activity.
The advisory states that the operators are using new Truebot variants against organisations in Canada and the United States, and that they have adopted new tactics, techniques, and procedures (TTPs).
According to cybersecurity experts, the Clop and Silence cybercriminal groups are the primary users of the malware, deploying Truebot to harvest and exfiltrate data from numerous victims.
Truebot activity began to surge in the latter part of May this year; according to the advisory, attacks increased significantly after May 31. Analysis also showed that the newer variants gain initial access by exploiting a remote code execution flaw in Netwrix Auditor.
The vulnerability is CVE-2022-31199. Its use marks a shift in delivery: Truebot has historically been distributed through phishing emails, and exploiting an exposed Netwrix Auditor server gives the operators a route that does not depend on a user opening an attachment. Netwrix's site states that over 13,000 organisations in more than 100 countries use the software, which widens the pool of potential targets.
These findings follow earlier warnings from researchers who observed Truebot exploiting the Netwrix Auditor vulnerability after its disclosure. In December last year, researchers reported a small number of incidents in which Truebot had exploited the flaw.
The DEV-0950 threat group has also used the Raspberry Robin malware to deliver Truebot and Clop ransomware to infected systems in Pakistan, Brazil, and Mexico.
The advisory says the malware's main objective is to steal data from victims' systems for financial gain; Truebot's operators are purely financially motivated.
The agencies behind the advisory have published detection and mitigation guidance, including indicators of compromise (IOCs). They have not said how many victims have been affected.
Organisations running Netwrix Auditor should apply the update that fixes CVE-2022-31199, since the flaw is now a primary initial-access vector alongside phishing, and should hunt for the published IOCs to find signs of the activity that precedes or accompanies a Truebot infection.
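As an added example that is not part of the advisory or this article, the following Python script shows what a minimal IOC sweep of that kind looks like: it matches a constructed set of hash, domain and IP indicators against constructed endpoint telemetry (the real indicators come from the advisory's IOC list), normalising case and trailing dots so exports in different formats still match, and includes a version check that assumes CVE-2022-31199 is fixed in Netwrix Auditor 10.5 and later. The field names, IOC values and telemetry records are invented for the example.

```python
"""Added example, not code from the advisory or the article: a small IOC
matcher that runs constructed indicators against constructed host telemetry,
plus a version check for the Netwrix Auditor fix.

Assumptions (not from the page): the IOC values and telemetry records are
placeholders invented here; replace them with the advisory's IOC list and an
export from your EDR or SIEM. The field names (host, sha256, query, dst_ip)
are hypothetical. The version check assumes CVE-2022-31199 is fixed in
Netwrix Auditor 10.5 and later; confirm that against the vendor advisory.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed IOC set (placeholders, NOT the advisory's real indicators).
IOCS = {
    "sha256": {hashlib.sha256(b"constructed-dropper").hexdigest()},
    "domain": {"update-check.example.net"},
    "ip": {"198.51.100.23"},  # documentation range, not a real C2 address
}

# Constructed telemetry in the shape of a flattened EDR export.
TELEMETRY = [
    {"type": "process", "host": "ws01",
     "path": r"C:\Users\a\AppData\Local\Temp\x.exe",
     "sha256": hashlib.sha256(b"constructed-dropper").hexdigest().upper()},
    {"type": "dns", "host": "ws01", "query": "Update-Check.example.net."},
    {"type": "netconn", "host": "ws01", "dst_ip": "198.51.100.23", "dst_port": 443},
    {"type": "netconn", "host": "ws02", "dst_ip": "not-an-ip", "dst_port": 80},
    {"type": "process", "host": "ws02", "path": r"C:\Windows\System32\svchost.exe",
     "sha256": hashlib.sha256(b"benign").hexdigest()},
]


@dataclass(frozen=True)
class Hit:
    host: str
    ioc_type: str
    value: str


def normalise_domain(name: str) -> str:
    # IOC lists and DNS logs disagree on case and trailing dots.
    return name.strip().rstrip(".").lower()


def match_event(event: dict, iocs: dict = IOCS) -> list:
    """Return every IOC hit for one telemetry record."""
    hits = []
    host = event.get("host", "?")
    digest = event.get("sha256")
    if digest and digest.lower() in iocs["sha256"]:
        hits.append(Hit(host, "sha256", digest.lower()))
    query = event.get("query")
    if query and normalise_domain(query) in iocs["domain"]:
        hits.append(Hit(host, "domain", normalise_domain(query)))
    dst = event.get("dst_ip")
    if dst:
        try:
            addr = str(ipaddress.ip_address(dst))  # canonical form; rejects garbage
        except ValueError:
            addr = None  # malformed field: skip it rather than abort the sweep
        if addr in iocs["ip"]:
            hits.append(Hit(host, "ip", addr))
    return hits


def sweep(telemetry: list = TELEMETRY, iocs: dict = IOCS) -> dict:
    """Group hits by host so a responder sees which machines need triage."""
    by_host = {}
    for event in telemetry:
        for hit in match_event(event, iocs):
            by_host.setdefault(hit.host, []).append(hit)
    return by_host


def netwrix_vulnerable(version: str, fixed=(10, 5)) -> bool:
    """True if a Netwrix Auditor version string predates the assumed fix (10.5)."""
    parts = tuple(int(p) for p in version.split(".")[:2])
    return parts < fixed


if __name__ == "__main__":
    for host, hits in sweep().items():
        print(host, [(h.ioc_type, h.value) for h in hits])
    print("Netwrix 10.4.11 vulnerable:", netwrix_vulnerable("10.4.11"))
```

Hash, domain and IP matching are kept separate because each indicator type needs its own normalisation; a sweep that compares raw strings misses the uppercase hash and the trailing-dot DNS query in the constructed data above, which is exactly the kind of near-miss that lets an infected host slip past a hunt.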