Truebot RCE Attacks Exploit Critical Netwrix Auditor Bug

July 7, 2023 TH Author headline,hacker,malware,trojan,flaw,backdoor

Organizations in the U.S. and Canada are being targeted by new versions of the Truebot downloader trojan botnet, adapted to exploit a critical remote code execution (RCE) vulnerability in Netwrix Auditor software.

TrueBot, also known as Silence.Downloader, has been tied to a suspected Russian threat operation Silence, which is linked to Evil Corp and the TA505 threat cluster. The Clop ramsonware gang, recently in the headlines for its attacks on MOVEit Transfer users, is among those who have previously used Truebot to exfiltrate data from victims.

The latest wave of Truebot attacks prompted an advisory on Thursday released jointly by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigations (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Canadian Centre for Cyber Security (CCCS).

In the advisory, the agencies said they had observed an increase in threat actors’ use of the botnet as recently as May 31.

Truebot variants have previously been delivered primarily via malicious phishing email attachments, the advisory said. With the newly observed versions, however, access to compromised systems can also be gained by exploiting a now-patched RCE vulnerability in Netwrix Auditor, a tool for tracking and analyzing changes in IT environments.

The Netwrix Auditor vulnerability, CVE-2022-31199, has a CVSS v3 rating of 9.8 and was patched in June 2022.

One trojan, two delivery methods

In their advisory, the four agencies said threat actors were currently leveraging both the Netwrix Auditor vulnerability and phishing campaigns with malicious redirect hyperlinks to drop the new Truebot variants.

As well as duping recipients into clicking a hyperlink to execute malware, “attackers have also been observed concealing email attachments (executables) as software update notifications that appear to be legitimate,” the advisory said.

“Following interaction with the executable, users will be redirected to a malicious web domain where script files are then executed.”

While that remained a prominent delivery method, the hackers had “shifted tactics” and begun taking advantage of the Netwrix Auditor RCE vulnerability.

“Through exploitation of this CVE, cyber threat actors gain initial access, as well as the ability to move laterally within the compromised network,” the advisory said.

Multiple tools used in attacks

“Following the successful download of the malicious file, Truebot renames itself and then loads FlawedGrace onto the host,” the advisory said.

FlawedGrace is a remote access tool (RAT) that can receive incoming commands from a command-and-control server sent over a custom binary protocol using port 443 to deploy additional tools.

“Typically a few hours after Truebot’s execution phase, cyber threat actors have been observed deploying additional payloads containing Cobalt Strike beacons for persistence and data exfiltration purposes,” the advisory said.

Cobalt Strike is a red team penetration testing tool used in attack simulations. Cracked versions of the tool have become increasingly popular with threat actors.

“Cyber threat actors use Cobalt Strike to move laterally via remote service session hijacking, collecting valid credentials through LSASS memory credential dumping, or creating local admin accounts to achieve pass the hash alternate authentication,” the advisory said.

Raspberry Robin, a wormable malware with links to other malware families and various infection methods, has also been observed as part of the Truebot attacks.

“Raspberry Robin has evolved into one of the largest malware distribution platforms and has been observed deploying Truebot, as well as other post-compromise payloads such as IcedID and Bumblebee malware.”

How to mitigate the risk

The agencies who authored the advisory set out a range of recommendations for mitigating the risk of Truebot attacks, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services.

The advisory includes indicators of compromise (IOCs) and detection rules to help organizations protect themselves against the new activity.

Additionally, to minimize the risk to Netwrix Auditor users from the new variants of Truebot targeting the application, Netwrix recommends using its solution only on internally facing networks.