Cisco Talos researchers report an increase in infections by the Truebot malware, mostly in Mexico, Brazil, Pakistan and the USA.
In these attacks the cybercriminals exploit an already patched RCE vulnerability in Netwrix Auditor and also use Raspberry Robin to deliver Truebot. Compromise results in data theft and the deployment of the Clop ransomware.
Truebot is Windows malware attributed (by Group-IB) to the Silence group, which is believed to share ties with Evil Corp. The assumed link between the groups rests on the fact that Evil Corp uses the Raspberry Robin worm to deploy the dropper in compromised networks.
According to Cisco Talos, the Silence APT group carried out a series of attacks between mid-August and September 2022, exploiting the critical RCE vulnerability in Netwrix Auditor (CVE-2022-31199, CVSS 9.8) to download and launch Truebot.
Truebot's main function is to collect information from the host and deploy next-stage payloads such as Cobalt Strike, the FlawedGrace trojan and a previously unknown data exfiltration utility called Teleport. Lateral movement and data collection follow, after which the Clop ransomware binary is launched.
Teleport is also notable for its ability to throttle transfer speed and limit file size, so that the exfiltration goes unnoticed by monitoring software. In addition, Teleport can erase its traces from the machine.
Analysis of Teleport showed that the tool is used exclusively to collect files from the OneDrive and Downloads folders, as well as messages from Outlook.
According to Cisco Talos, delivery via Raspberry Robin has produced a botnet of more than 1,000 systems worldwide, particularly in Mexico, Brazil and Pakistan. In addition, the Truebot campaign has compromised more than 500 Windows servers located in the USA, Canada and Brazil.