Multiple threat actor groups are using new Truebot malware variants in attacks against organizations in the U.S. and Canada, according to a joint CISA advisory published Thursday.
The advisory was published by the U.S. cyber agency together with the FBI, the Canadian Centre for Cyber Security, and the Multi-State Information Sharing and Analysis Center. Published on CISA's website, the advisory concerns Truebot, botnet malware first identified in 2017.
According to the advisory, earlier Truebot variants were delivered by threat actors via malicious attachments in phishing emails. Newer versions of the malware can also gain initial access to victim networks by exploiting CVE-2022-31199, a remote code execution flaw in the Netwrix Auditor application.
While improved versions of Truebot aren't strictly new (Cisco Talos covered the botnet in a blog post this past December), CISA's advisory covers an emerging campaign from multiple adversaries.
"As recently as May 31, 2023, the authoring organizations have observed an increase in cyber threat actors using new malware variants of Truebot (also known as Silence.Downloader)," the advisory read. "Based on confirmation from open-source reporting and analytical findings of Truebot variants, the authoring organizations assess cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants."
The advisory contains a list of malware and tools used alongside the botnet, which includes wormable malware called Raspberry Robin, a remote access tool called Flawed Grace, the penetration testing tool Cobalt Strike and a data exfiltration tool known as Teleport. A full technical breakdown, including indicators of compromise, is available in the advisory.
CISA did not name specific threat actors or describe particular ongoing campaigns, though the advisory noted that Truebot "has been used by malicious cyber groups like CL0P Ransomware Gang."
Clop is a prolific ransomware group that recently claimed responsibility for a large number of attacks against customers of Progress Software's managed file transfer (MFT) product MOVEit Transfer. A threat actor Microsoft tracks as "Lace Tempest," which is associated with Clop, used a zero-day vulnerability in MOVEit Transfer to access customers' MFT instances, exfiltrate confidential data and extort the owners. More than 200 organizations have been affected by the attacks, and victims include private organizations in the U.K. as well as U.S. state governments and federal agencies.
TechTarget Editorial asked CISA whether Truebot was used in Clop's campaign against MOVEit customers, but the agency did not respond at press time.
The advisory recommends that organizations hunt for malicious activity using the detection guidance it contains, and that they apply the relevant vendor patches to Netwrix Auditor.
"Any organization identifying indicators of compromise (IOCs) within their environment should urgently apply the incident responses and mitigation measures detailed in this [cybersecurity advisory] and report the intrusion to CISA or the FBI," it read.
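As an added illustration of the "check your environment for IOCs" recommendation (this is example code written for this page, not code from the advisory, CISA or TechTarget), the Python script below sweeps log lines and file contents against an IOC set of SHA-256 hashes, domains and IP addresses. The hash, domain and IP in it are placeholders constructed for the example, as are the log lines; a real run would substitute the indicators published in the advisory and read logs and files from the hosts being checked.

```python
import hashlib
import re

# Constructed placeholder IOC set. These are NOT the advisory's real indicators;
# swap in the hashes, domains and IPs listed in CISA's Truebot advisory.
SAMPLE_HASH = hashlib.sha256(b"constructed-sample-payload").hexdigest()
IOCS = {
    "sha256": {SAMPLE_HASH},
    "domains": {"constructed-c2.example"},   # placeholder C2 domain
    "ips": {"203.0.113.7"},                  # TEST-NET-3 address, placeholder only
}

# Loose extractors for indicator-shaped tokens inside free-form log text.
SHA256_RE = re.compile(r"\b([0-9a-f]{64})\b", re.I)
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def domain_matches(candidate, iocs):
    """Exact match or subdomain of a listed domain (sub.c2.example hits c2.example)."""
    c = candidate.lower()
    return any(c == d or c.endswith("." + d) for d in iocs["domains"])


def scan_log_line(line, iocs=IOCS):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    for h in SHA256_RE.findall(line):
        if h.lower() in iocs["sha256"]:
            hits.append(("sha256", h.lower()))
    for d in DOMAIN_RE.findall(line):
        if domain_matches(d, iocs):
            hits.append(("domain", d.lower()))
    for ip in IP_RE.findall(line):
        if ip in iocs["ips"]:
            hits.append(("ip", ip))
    return hits


def scan_logs(lines, iocs=IOCS):
    """Return (line_number, line, hits) for every line with at least one IOC hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = scan_log_line(line, iocs)
        if hits:
            results.append((n, line, hits))
    return results


def scan_files(files, iocs=IOCS):
    """files maps path -> bytes; return the paths whose SHA-256 is a listed hash."""
    return [p for p, data in files.items()
            if hashlib.sha256(data).hexdigest() in iocs["sha256"]]


# Constructed sample telemetry: proxy, DNS, EDR and firewall records.
LOG_LINES = [
    "2023-06-01T10:00:01Z proxy src=10.0.0.5 dst=constructed-c2.example:443 action=allow",
    "2023-06-01T10:00:02Z dns query=updates.example.org rcode=NOERROR",
    "2023-06-01T10:00:03Z edr host=WS-17 file=C:\\Users\\a\\AppData\\Local\\Temp\\x.exe sha256=" + SAMPLE_HASH,
    "2023-06-01T10:00:04Z fw src=10.0.0.9 dst=203.0.113.7:8080 action=block",
]

# Constructed sample file contents (in practice these would be read from disk).
SAMPLE_FILES = {
    "C:\\Users\\a\\AppData\\Local\\Temp\\x.exe": b"constructed-sample-payload",
    "C:\\Windows\\notepad.exe": b"benign placeholder bytes",
}

if __name__ == "__main__":
    for n, line, hits in scan_logs(LOG_LINES):
        print(f"line {n}: {hits}")
    print("files matching listed hashes:", scan_files(SAMPLE_FILES))
```

Matching domains by suffix is deliberate: C2 infrastructure is often addressed through subdomains, so an exact-match sweep would miss `cdn.constructed-c2.example`. The trade-off is that a short or generic listed domain will over-match, so review the IOC list before running this at scale.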
Alexander Culafi is a writer, journalist and podcaster based in Boston.