Cybersecurity researchers at VMware Carbon Black have reported a surge in Truebot loader activity in May 2023. According to their report, the attack chain begins with the victim being lured into downloading a malicious executable, “update.exe”, disguised as a Google Chrome update.
Once update.exe is launched, it connects to a Truebot IP address located in Russia to fetch the second-stage executable, “3ujwy2rz7v.exe”. That downloaded executable then connects to the C2 server and exfiltrates sensitive information from the host, including an enumeration of running processes and system details.
Truebot’s main function is to collect information from the host and deploy next-stage payloads such as Cobalt Strike, the FlawedGrace trojan, and an unidentified data-exploration utility. TelePort, a tool used by Truebot, limits transfer speed and file size so that the exfiltration blends in with normal traffic and is hard to detect, and it can erase traces of its presence from the host.
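The two-stage chain (fake update.exe, outbound connection, dropped second stage) and TelePort's throttled transfers each leave a pattern in endpoint telemetry. The following is an added example, not code from the VMware report, showing three simple correlation rules run over a constructed list of Sysmon-style events. Hostnames, PIDs, paths, timestamps and the documentation-range IP addresses (203.0.113.x, 198.51.100.x) are all made up for the example and are not Truebot indicators; the window and byte thresholds are assumptions a real deployment would tune.

```python
"""Toy correlation rules for a fake-updater -> dropper -> throttled-exfil chain.

All telemetry below is constructed for this example; it is not real data.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
UPDATER = r"C:\Users\alice\Downloads\update.exe"
STAGE2 = r"C:\Users\alice\AppData\Local\Temp\3ujwy2rz7v.exe"

# Constructed sample events (t = seconds since an arbitrary epoch).
EVENTS = [
    # user double-clicks the "update" from the browser's download folder
    {"t": 100, "type": "process", "pid": 4100, "ppid": 2200,
     "image": UPDATER, "parent_image": r"C:\Windows\explorer.exe"},
    # the fake updater phones home (placeholder address, not real C2)
    {"t": 103, "type": "network", "pid": 4100, "image": UPDATER,
     "dst": "203.0.113.7", "dport": 80, "bytes_out": 512},
    # ...and spawns the second stage it just fetched
    {"t": 112, "type": "process", "pid": 4188, "ppid": 4100,
     "image": STAGE2, "parent_image": UPDATER},
    # benign: the browser itself talking to a CDN
    {"t": 150, "type": "network", "pid": 2200, "image": CHROME,
     "dst": "198.51.100.5", "dport": 443, "bytes_out": 2_000},
] + [
    # throttled exfil: 40 small uploads, 30 s apart, to one destination
    {"t": 200 + i * 30, "type": "network", "pid": 4188, "image": STAGE2,
     "dst": "203.0.113.9", "dport": 443, "bytes_out": 60_000}
    for i in range(40)
]

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")


def is_user_writable(path: str) -> bool:
    """Crude check: does the path sit under a directory a normal user can write to?"""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def fake_updater(events):
    """Rule 1: an 'update.exe' executing from a user-writable directory.

    Genuine Chrome updates are applied by Google's updater from a Program Files
    path, never from a file the user downloaded and ran by hand.
    """
    return [e for e in events
            if e["type"] == "process"
            and PureWindowsPath(e["image"]).name.lower() == "update.exe"
            and is_user_writable(e["image"])]


def dropper_chain(events):
    """Rule 2: a rule-1 process that makes an outbound connection and then
    spawns a child executable from a user-writable path (the second stage).
    Returns [(parent_pid, [child image names])]."""
    hits = []
    for pid in sorted({e["pid"] for e in fake_updater(events)}):
        connected = any(e["type"] == "network" and e["pid"] == pid for e in events)
        children = [PureWindowsPath(e["image"]).name for e in events
                    if e["type"] == "process" and e["ppid"] == pid
                    and is_user_writable(e["image"])]
        if connected and children:
            hits.append((pid, children))
    return hits


def low_and_slow_exfil(events, window=3600, threshold=1_000_000, max_chunk=100_000):
    """Rule 3: many transfers that are each small (<= max_chunk, so they slip
    under a per-transfer DLP limit) but add up to >= threshold bytes to one
    (pid, destination) within a sliding window. This is the signature that
    TelePort-style speed and size throttling leaves behind.
    Returns [((pid, dst), bytes_in_window)]."""
    buckets = defaultdict(list)
    for e in events:
        if e["type"] == "network" and 0 < e.get("bytes_out", 0) <= max_chunk:
            buckets[(e["pid"], e["dst"])].append((e["t"], e["bytes_out"]))
    hits = []
    for key, xfers in buckets.items():
        xfers.sort()
        total, start = 0, 0
        for t, nbytes in xfers:
            total += nbytes
            while t - xfers[start][0] > window:   # slide window forward
                total -= xfers[start][1]
                start += 1
            if total >= threshold:
                hits.append((key, total))
                break
    return hits


if __name__ == "__main__":
    print("fake updater :", [e["image"] for e in fake_updater(EVENTS)])
    print("dropper chain:", dropper_chain(EVENTS))
    print("slow exfil   :", low_and_slow_exfil(EVENTS))
```

Rule 3 is the one worth keeping in mind when a tool throttles itself: per-transfer limits on a proxy or DLP appliance see 40 harmless-looking 60 KB uploads, while aggregating bytes per destination over an hour sees 2.4 MB leaving from a process that has no business uploading anything.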
With this in mind, users should be cautious about downloading anything suspicious, especially software updates from unverified sources; Chrome updates itself through its own updater, so a standalone “update.exe” the user is asked to run is a red flag. It is also vital to keep systems up to date and to run regular security scans to confirm that the host is not infected with malware.
Sources:
VMware: https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html
Update.exe: https://www.virustotal.com/gui/file/fe746402c74ac329231B5DFA8229B509F4C15A0F5614F1579040/Detecation