A surge in TrueBot activity was observed in May 2023, cybersecurity researchers disclosed.
“TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks,” VMware’s Fae Carlisle said.
Active since at least 2017, TrueBot is linked to a group known as Silence that’s believed to share overlaps with the notorious Russian cybercrime actor known as Evil Corp.
Recent TrueBot infections have leveraged a critical flaw in Netwrix auditor (CVE-2022-31199, CVSS score: 9.8) as well as Raspberry Robin as delivery vectors.
The attack chain documented by VMware, on the other hand, starts off with a drive-by-download of an executable named “update.exe” from Google Chrome, suggesting that users are lured into downloading the malware under the pretext of a software update.
Once run, update.exe establishes connections with a known TrueBot IP address located in Russia to retrieve a second-stage executable (“3ujwy2rz7v.exe”) that’s subsequently launched using Windows Command Prompt.
“TrueBot can be a particularly nasty infection for any network,” Carlisle said. “When an organization is infected with this malware, it can quickly escalate to become a bigger infection, similar to how ransomware spreads throughout a network.”
The findings come as SonicWall detailed a new variant of another downloader malware known as GuLoader (aka CloudEyE) that’s used to deliver a wide range of malware such as Agent Tesla, Azorult, and Remcos.
Source: https://thehackernews.com/
