A recent joint advisory from cybersecurity agencies warns of a surge in new TrueBot malware variants targeting organizations in the United States and Canada. TrueBot is used to infiltrate networks and exfiltrate sensitive data from compromised systems, so the most immediate risk for a victim is a data breach.
The newer TrueBot variants exploit CVE-2022-31199, a critical remote code execution vulnerability in Netwrix Auditor and its associated agents. The flaw lets a remote attacker execute arbitrary code with SYSTEM privileges, which amounts to full control of the affected host.
TrueBot is linked to the financially motivated cybercriminal groups Silence and FIN11 (TA505), and it is used not only for data theft but also to stage ransomware. In the observed intrusions, attackers first exploit CVE-2022-31199 for initial access and then install the FlawedGrace Remote Access Trojan (RAT), which is used to escalate privileges and establish persistence so that operations can continue after the initial foothold.
According to the CISA advisory, FlawedGrace stores its encrypted payloads in the Windows registry and creates scheduled tasks to retain long-term access. It also injects payloads into the legitimate system processes msiexec[.]exe and svchost[.]exe, using them to establish the command and control (C2) connections the attackers need and to load the DLLs that carry out privilege escalation.
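The three persistence and injection behaviors just described (payload blobs written to the registry, scheduled tasks, and msiexec/svchost acting as C2 carriers) are each observable in endpoint telemetry. The following Python script is an added illustration for this article, not CISA's or Netwrix's detection content: it runs a handful of hunting rules over Sysmon-shaped events (ID 1 process create, 3 network connect, 13 registry value set) and Security log event 4698 (scheduled task created). The expected-parent lists, the blob-size threshold and the path heuristics are assumptions chosen for the example, and every event in `sample_events()` is constructed, not a real capture.

```python
"""Sysmon-style hunt for FlawedGrace-like persistence and injection traces.

Added example, not CISA's or any vendor's detection logic. Thresholds and the
"expected parent" lists are assumptions; all sample events are constructed.
"""
import ipaddress
import re

# Assumption: parents from which these two binaries are normally launched.
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "msiexec.exe": {"services.exe", "msiexec.exe", "explorer.exe"},
}
# Living-off-the-land binaries that persistence tasks commonly point at.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe", "wscript.exe"}
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\temp\\")
BLOB_MIN_LEN = 2048  # assumption: encoded payloads are far larger than normal config values
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]+")  # base64 or hex alphabet only


def basename(path):
    """Lower-cased file name of a Windows path (forward or back slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_public(ip):
    """True for routable addresses; private, loopback and documentation ranges are excluded."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def analyze(events):
    """Return a list of (rule, detail) findings for a sequence of event dicts."""
    findings = []
    for ev in events:
        eid = ev["id"]
        if eid == 1:  # process creation: system binary spawned by an unexpected parent
            img, parent = basename(ev["image"]), basename(ev["parent_image"])
            if img in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[img]:
                findings.append(("unexpected_parent", f"{img} spawned by {parent}"))
        elif eid == 3:  # network connection from a process used as an injection host
            img = basename(ev["image"])
            if img == "msiexec.exe" and is_public(ev["dest_ip"]):
                findings.append(("msiexec_outbound", f"msiexec.exe -> {ev['dest_ip']}:{ev['dest_port']}"))
            elif img == "svchost.exe" and not ev["image"].lower().startswith("c:\\windows\\system32\\"):
                findings.append(("svchost_outside_system32", ev["image"]))
        elif eid == 13:  # registry value set: large encoded blob suggests a stored payload
            data = ev["details"]
            if len(data) >= BLOB_MIN_LEN and BLOB_RE.fullmatch(data):
                findings.append(("registry_blob", f"{basename(ev['image'])} wrote {len(data)} chars to {ev['target']}"))
        elif eid == 4698:  # scheduled task created: LOLBin loading from a user-writable path
            cmd = ev["command"].lower()
            parts = cmd.split()
            if parts and basename(parts[0]) in LOLBINS and any(p in cmd for p in USER_WRITABLE):
                findings.append(("suspicious_task", f"{ev['task_name']}: {ev['command']}"))
    return findings


def sample_events():
    """Constructed sample telemetry: benign entries interleaved with FlawedGrace-like ones."""
    dropper = "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"  # hypothetical path
    return [
        {"id": 1, "image": "C:\\Windows\\System32\\svchost.exe", "parent_image": "C:\\Windows\\System32\\services.exe"},
        {"id": 1, "image": "C:\\Windows\\System32\\msiexec.exe", "parent_image": dropper},
        {"id": 3, "image": "C:\\Windows\\System32\\msiexec.exe", "dest_ip": "10.0.0.5", "dest_port": 445},
        {"id": 3, "image": "C:\\Windows\\System32\\msiexec.exe", "dest_ip": "8.8.8.8", "dest_port": 443},  # placeholder public IP, not an IOC
        {"id": 3, "image": "C:\\Users\\Public\\svchost.exe", "dest_ip": "10.0.0.9", "dest_port": 80},
        {"id": 13, "image": dropper, "target": "HKLM\\SOFTWARE\\Example\\Cfg", "details": "QUJD" * 1024},
        {"id": 13, "image": "C:\\Windows\\regedit.exe", "target": "HKCU\\Software\\App\\Lang", "details": "en-US"},
        {"id": 4698, "task_name": "\\Updater", "command": "rundll32.exe C:\\ProgramData\\svc\\loader.dll,Start"},
        {"id": 4698, "task_name": "\\Microsoft\\Backup", "command": "C:\\Windows\\System32\\sdclt.exe /run"},
    ]


if __name__ == "__main__":
    for rule, detail in analyze(sample_events()):
        print(f"[{rule}] {detail}")
```

Run against the constructed sample the script raises five findings: the msiexec[.]exe launched by a dropper in a user temp directory, the msiexec[.]exe connection to a public address, the svchost[.]exe copy running outside System32, the 4 KB encoded registry value, and the scheduled task that runs rundll32 against a DLL under ProgramData. The legitimate svchost, the LAN connection, the short registry string and the built-in backup task produce nothing. In production the same rules would be fed from a SIEM rather than an inline list, and the msiexec rule in particular needs an allow-list for installers that legitimately download from vendor CDNs.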
The threat landscape around TrueBot has evolved. Whereas earlier versions spread mainly through malicious email attachments, the newer variants use CVE-2022-31199 as the entry point, which lets attackers scale intrusions across any organization running an unpatched Netwrix Auditor instance. Netwrix reports more than 13,000 customer organizations worldwide, including high-profile entities such as Airbus and the NHS, so the exposed population is large.
The advisory does not name specific victims or quantify the impact of TrueBot's activity. It does, however, underscore the role of related malware: Raspberry Robin is used as a distribution mechanism that broadens the set of potential victims, and it has also been observed delivering other post-compromise malware, including IcedID and Bumblebee.
The observed tactics map cleanly onto the MITRE ATT&CK framework: initial access by exploiting a public-facing application (T1190), privilege escalation and persistence through FlawedGrace and its scheduled tasks (T1053.005), and process injection into system binaries (T1055) to blend command and control traffic into normal activity. Mapping an intrusion to these techniques gives defenders concrete points at which to build detections rather than a list of file hashes that the next variant will invalidate.
Given the financial motivations of groups such as Silence and TA505, organizations running Netwrix Auditor should treat this as urgent: apply the vendor update that fixes CVE-2022-31199, enforce multi-factor authentication across remote access and administrative accounts, and hunt for both the published indicators of compromise and the persistence behaviors described above. Any confirmed IOC should be reported promptly to CISA or the FBI so that incident response can begin.