Truebot Botnet Adopts New Techniques for Data Exfiltration - CISA Alert AA23-187A

Updated on July 10th, 2023

On July 6th, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Truebot malware developed by the Russian cyber threat group Silence [1]. Truebot malware was first observed in 2017 and has improved its capabilities with new attack techniques with different variants. The latest addition to its arsenal is Netwrix CVE-2022-31199 Remote Code Execution vulnerability, and there is a significant rise in Truebot infection in US and Canada base networks.

In this blog, we explained Truebot malware and its Tactics, Techniques, and Procedures (TTPs) in detail.

Simulate Malware Attacks with 14-Day Free Trial of Picus Platform

What is Truebot Malware?

Truebot malware, also known as Silence.Downloader, is a botnet developed by the Silence threat group. The malware was first seen in 2017 and has been active with different variants since then. Truebot is a highly versatile, advanced, and highly dangerous malware variant used by threat actors for malicious purposes. Its infection vectors include phishing campaigns and software vulnerabilities, allowing unauthorized access, lateral movement, data exfiltration, and various other nefarious activities.

Once deployed, Truebot has the ability to gain unauthorized access to systems, collect sensitive data, and move laterally within a compromised network. The malware also has the capability to inject other payloads, such as Cobalt Strike and FlawedGrace (aka GraceWire), to further facilitate malicious activities. Truebot has been attributed to various threat groups, including Silence Group, TA505 (Evil Corp), Lace Tempest, and FIN11. 

The ultimate impact of Truebot attacks can vary, but in some cases, it has led to data exfiltration, deployment of ransomware, and destruction of system files using wiper malware. To mitigate the risk of Truebot attacks, organizations should implement robust security measures and validate them.

MITRE ATT&CK Tactics used by TrueBot

1. Initial Access

MITRE ATT&CK Techniques used by Truebot for Initial Access

• T1091 Replication Through Removable Media 

• T1189 Drive-by Compromise

• T1190 Exploit Public Facing Applications

• T1566 Phishing

Truebot primarily gains access to target systems through meticulously crafted phishing campaigns that disguise themselves as legitimate files or software updates. These phishing emails are carefully designed to deceive recipients and entice them to open malicious attachments or click on malicious links. By posing as trusted entities, Truebot successfully tricks victims into downloading and executing the malware.

Recently, Truebot also added theT1190 Exploit Public Facing Applications technique to its toolset to gain initial access to target systems. The most notable of which is the CVE-2022-31199 remote code execution vulnerability found in Netwrix Auditor. The vulnerability  has a CVSS score of 9.8 (Critical). Organizations are advised to 

Update their Netwrix Auditor to version 10.5 to mitigate the vulnerability.

2. Execution

MITRE ATT&CK Techniques used by Truebot for Execution

• T1059 Command and Scripting Interpreter

• T1129 Shared Modules

• T1024.001 User Execution: Malicious Link

Once Truebot infiltrates a system successfully, it immediately takes steps to conceal its presence and establish a foothold. It first renames itself to avoid detection and then proceeds to load additional malware payloads onto the compromised system.

Truebot has been observed to frequently deploy the FlawedGrace remote access tool (RAT) and Cobalt Strike. Using these persistent remote access tools, threat actors send and execute PowerShell commands over a C2 channel.

Adversaries also masquerade their malicious payloads as Google Chrome software updates and trick victims into executing them.

3. Persistence

MITRE ATT&CK Techniques used by Truebot for Persistence

• T1574.002 Hijack Execution Flow: DLL Side-Loading

To ensure its prolonged existence on infected systems, Truebot employs various techniques for establishing persistence. These techniques include creating scheduled tasks, modifying registry entries, and altering print spooler programs. By utilizing these persistence mechanisms, Truebot can maintain its presence on compromised systems even after system restarts or security measures are applied.

For persistent connection to victims' networks, adversaries also use  tools such as Cobalt Strike, FlawedGrace, and Raspberry Robin.

4. Privilege Execution

MITRE ATT&CK Techniques used by Truebot for Privilege Escalation

• T1547.012 Boot or Logon Autostart Execution: Print Processors

Truebot exploits vulnerabilities within Windows services and manipulates permissions to escalate its privileges on the compromised system. It takes advantage of weaknesses in these services and utilizes them to gain higher levels of access and control. For instance, the malware leverages a Windows default behavior related to changing service permissions, allowing it to escalate its privileges without detection.

5. Defense Evasion

MITRE ATT&CK Techniques used by Truebot for Defense Evasion

• T1027 Obfuscated Files or Information

• T1036 Masquerading

• T1055 Process Injection

• T1070.004 Indicator Removal: File Deletion

• T1112 Modify Registry

• T1620 Reflective Code Loading

Truebot developers employ sophisticated techniques to evade detection by traditional security solutions. They utilize various methods to disguise the malware within legitimate file formats, making it harder for security systems to identify and block. Additionally, Truebot employs encoding and encryption methods to obfuscate its activities, making it more difficult for security analysts to analyze and detect its malicious activities. The malware also modifies registry settings to evade detection and disable security monitoring tools such as Windows Defender.

6. Credential Access

Truebot employs various strategies to gain access to valuable credentials within the compromised system. It exploits vulnerabilities to extract passwords from the registry using remote dumping tools, hunt for stored credentials on the compromised system, or utilizes Pass-the-Hash techniques to run commands on remote hosts. By obtaining valid credentials, Truebot gains unauthorized access to critical systems and resources within the targeted organization.

MITRE ATT&CK Techniques used by Truebot for Credential Access

• T1003.001 OS Credential Dumping: LSASS Memory

7. Discovery

MITRE ATT&CK Techniques used by Truebot for Discovery

• T1016 System Network Configuration Discovery

• T1057 Process Discovery

• T1082 System Information Discovery

• T1124 System Time Discovery

• T1518.001 Software Discovery: Security Software Discovery

• T1622 Debugger Evasion

After infiltrating a compromised network, Truebot conducts extensive reconnaissance and discovery activities to gather information about the environment. It collects information about running processes, network topology, software security protocols, and domain administrators. Additionally, Truebot searches for open shares and gathers information about mapped shares on compromised systems. This information is crucial for the threat actor to understand the network infrastructure and identify valuable targets for further exploitation.

8. Lateral Movement

MITRE ATT&CK Techniques used by Truebot for Lateral Movement

• T1210 Exploitation of Remote Services

• T1550.002 Use Alternate Authentication Material: Pass the Hash 

• T1563 Remote Service Session Hijacking

• T1570 Lateral Tool Transfer

Truebot leverages tools like Cobalt Strike and the atexec module in Impacket to move laterally within the compromised network. These tools enable threat actors to execute commands on remote systems, gain access to additional hosts, and extract sensitive data. By moving laterally, Truebot expands its reach and increases its control over the compromised network, allowing for deeper penetration and prolonged persistence.

9. Collection

MITRE ATT&CK Techniques used by Truebot for Collection

• T1005 Data from Local System

• T1113 Screen Capture

Truebot possesses the capability to collect sensitive data from infected systems. It can capture screenshots, retrieve computer and domain names, and extract information from active directory trust relationships. This data collection enables the threat actor to gain insight into the compromised organization's infrastructure, systems, and users.

10. Exfiltration

MITRE ATT&CK Techniques used by Truebot for Exfiltration

• T1029 Scheduled Transfer 

• T1030 Data Transfer Size Limits 

• T1048 Exfiltration Over C2 Channel

To transfer stolen data from compromised systems to external servers controlled by the threat actors, Truebot utilizes its custom exfiltration tool called "Teleport." This tool ensures the secure and seamless transfer of sensitive information, increasing the difficulty of detection. The stolen data is often encrypted, adding an additional layer of protection against detection and interception.

11. Impact

The impact of a Truebot attack can be severe and varied. It typically involves the theft of sensitive data, such as personally identifiable information (PII), financial records, or intellectual property. Truebot may also deploy additional malware payloads, such as ransomware, to encrypt critical files and extort payment from the targeted organization. In some cases, Truebot may employ wiper malware to destroy system files, causing significant disruptions and financial losses. The prime objective of the threat actors utilizing Truebot is typically financial gain through extorting victims or selling stolen data on the dark web. The consequences of a Truebot attack can be devastating for the targeted organization, leading to reputational damage, financial losses, and operational disruptions.

Tools Used by Truebot Botnet

Each of the tools in this section plays a significant role in the operations carried out by Truebot and its associated threat actors. They provide advanced capabilities and functionalities that enable threat actors to execute sophisticated attacks, evade detection, and maintain control over the compromised systems. Understanding the tools employed by Truebot is essential for developing effective defense strategies and mitigating the risks associated with this formidable malware variant.

1. Teleport

Teleport is a custom-made data exfiltration tool exclusively employed by Truebot to extract sensitive information from compromised systems. It plays a critical role in facilitating the seamless transfer of stolen data from compromised systems to external servers controlled by the threat actors. Teleport encrypts the stolen data and establishes encrypted connections with the command and control infrastructure, enhancing the difficulty of detection. This tool enables Truebot operators to efficiently exfiltrate valuable information without raising suspicions or triggering security alerts.

2. FlawedGrace (aka GraceWire)

FlawedGrace is a remote access tool (RAT) frequently deployed alongside Truebot. It provides threat actors with advanced capabilities for carrying out malicious activities within compromised systems. This RAT enables threat actors to establish persistence on the compromised system, escalate privileges, and execute various commands remotely. FlawedGrace allows threat actors to extract valuable data, exfiltrate sensitive information, and maintain control over the compromised system. Its sophisticated features make it a potent tool in the arsenal of Truebot operators.

3. Cobalt Strike

Cobalt Strike is a widely used and highly popular post-exploitation tool employed by threat actors, including those associated with Truebot operations. It offers a range of advanced capabilities and functionalities, including lateral movement, data exfiltration, and the execution of advanced techniques for network exploitation. Cobalt Strike enables threat actors to move laterally within a compromised network, gain unauthorized access to additional hosts, and extract sensitive information. Its powerful features and flexibility make it a preferred tool for orchestrating comprehensive and targeted attacks.

4. Raspberry Robin

Raspberry Robin serves as a malware distribution platform that consistently delivers Truebot and other associated malware variants. It plays a crucial role in the initial delivery and propagation of Truebot within targeted systems. Raspberry Robin is responsible for ensuring the widespread distribution of the malware, allowing threat actors to maximize their reach and infect a large number of systems. By leveraging this distribution platform, Truebot operators can effectively exploit vulnerabilities and launch coordinated attacks against targeted organizations.

5. Impacket

Impacket is a collection of Python classes and utilities that is frequently utilized by Truebot for network protocol communication and manipulation. It offers a wide range of functionalities that enable threat actors to carry out various malicious activities within the compromised network. Impacket is particularly instrumental in facilitating lateral movement and credential access, allowing threat actors to move laterally and expand their control over the compromised systems. By leveraging Impacket, Truebot operators can exploit weaknesses in network protocols, execute commands on remote hosts, and gain access to valuable credentials.

How Picus Helps Simulate Truebot Malware Attacks?

We also strongly suggest simulating Truebot malware attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against other botnet malware, such as Mirai, Emotet, Ramnit, and Necurs, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Truebot malware and Silence Threat Group:

Moreover, Picus Threat Library contains 300+ threats containing 3000+ web application and vulnerability exploitation attacks in addition to 1500+ endpoint, 8000+ malware, email and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Truebot malware and other malware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Truebot malware:

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trial  of Picus The Complete Security Validation Platform.

References

[1] "Increased Truebot Activity Infects U.S. and Canada Based Networks," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a. [Accessed: Jul. 08, 2023]