VMware’s Carbon Black Managed Detection and Response (MDR) team has detected a significant increase in TrueBot activity during May 2023, raising concerns among researchers. TrueBot, a downloader known for its association with the threat actor TA505 (aka Evil Corp), has been active since 2017 and has recently exhibited malicious behavior by deploying the Clop Ransomware. The attackers exploit vulnerabilities in Netwrix auditor and employ Raspberry Robin as delivery vectors.
The attack chain begins with a deceptive drive-by-download from Chrome, masquerading as a software update with the file name ‘update.exe’. Once executed, the file establishes a connection to a Russian IP address known to be attributed to TrueBot. It then proceeds to download and execute a second-stage executable called ‘3ujwy2rz7v.exe’ via cmd.exe, connecting to the command and control (C2) domain ‘dremmfyttrred[.]com’. The TrueBot malware proceeds to dump LSASS, exfiltrate data, and perform system and process enumerations.
According to the report, TrueBot poses a significant threat to networks, as it can quickly escalate into a larger infection, similar to the spread of ransomware throughout a network. However, Carbon Black’s MDR capabilities enable early detection and containment of TrueBot and its associated activities, mitigating the potential for widespread network compromise. The report emphasizes the importance of proactive detection and containment measures to minimize the impact of such malware attacks.
The report concludes by providing Indicators of Compromise (IoCs) to help organizations identify and respond to TrueBot attacks. By leveraging Carbon Black’s advanced detection capabilities and collaborating with MDR, organizations can effectively detect and contain TrueBot early in the attack chain, preventing further escalation of the threat and minimizing potential damage to their networks.
