Security experts have observed an increase in the number of devices infected with the Truebot malware downloader developed by the Russian-speaking hacking group Silence. The Silence group, notorious for its large-scale thefts from financial institutions, has shifted away from phishing as an initial access vector. Analysis of Silence's attacks over the previous few months indicated that the group delivered Clop ransomware, which is normally used by TA505 hackers, who are affiliated with the FIN11 group. Early in 2021, the transport system for New South Wales was compromised by the Clop ransomware, whose operators exploited a zero-day vulnerability in Accellion FTA's secure file-sharing application to download and steal files.

Silence hackers have implanted their software on over 1,500 systems throughout the globe in order to retrieve shellcode, Cobalt Strike beacons, the Grace malware, the Teleport exfiltration tool, and the Clop ransomware. In a small number of attacks between August and September, the hackers exploited a major vulnerability in Netwrix Auditor servers, identified as CVE-2022-31199, to infect systems with Truebot. In October 2022, the group began infecting PCs via the Raspberry Robin worm, which spreads through USB devices; those infections frequently delivered IcedID, Bumblebee, and Truebot payloads.

Truebot is a first-stage module capable of gathering basic system information and capturing screenshots. Additionally, it exfiltrates Active Directory trust relationship data, which helps the threat actor plan post-infection activity. The C2 server can then instruct Truebot to run additional modules, uninstall itself, or download DLL, EXE, BAT, and PS1 files. In the post-compromise phase, the hackers use Truebot to drop Cobalt Strike beacons or the TA505-attributed Grace malware.