The FBI and CISA have issued a warning regarding new variants of the Truebot malware, which is being deployed in attacks targeting organizations in the United States and Canada.
Furthermore, these attacks exploit a critical remote code execution vulnerability (CVE-2022-31199) in the Netwrix Auditor software, allowing unauthorized attackers to execute malicious code with system-level privileges.
Truebot, associated with the Silence cybercrime group and used by the TA505 hackers, is deployed to drop Clop ransomware on compromised networks.
Once Truebot is installed on breached networks, the attackers proceed to install the FlawedGrace Remote Access Trojan (RAT), enabling them to escalate privileges and establish persistence on the compromised systems.
They also deploy Cobalt Strike beacons for post-exploitation tasks, including data theft and the delivery of further malware payloads. The new Truebot variants can exploit the CVE-2022-31199 vulnerability, allowing cyber threat actors to gain initial access without relying solely on phishing email attachments.
The primary objective of the Truebot attacks is to steal sensitive information from compromised systems for financial gain. Security teams are advised to be vigilant for signs of Truebot infections and follow the provided guidelines to detect and mitigate them.
Organizations using Netwrix’s IT system auditing software should promptly apply patches that address the vulnerability by updating to version 10.5. Implementing phishing-resistant multifactor authentication (MFA) for all staff and services is also recommended to strengthen security and protect critical systems from unauthorized access.