Dec 09, 2022
Ravie Lakshmanan
Cybersecurity researchers have reported an increase in TrueBot infections, primarily targeting Mexico, Brazil, Pakistan, and the U.S.
Cisco Talos said the attackers behind the operation have moved from using malicious emails to alternative delivery methods, such as the exploitation of a now-patched remote code execution (RCE) flaw in Netwrix Auditor, as well as the Raspberry Robin worm.
“Post-compromise activity included data theft and the execution of Clop ransomware,” security researcher Tiago Pereira said[1] in a Thursday report.
TrueBot is a Windows malware downloader that’s attributed to a threat actor tracked by Group-IB as Silence[2], a Russian-speaking crew believed to share associations[3] with Evil Corp (aka DEV-0243) and TA505[4].
The first-stage module functions as an entry point for subsequent post-exploitation activities, including information theft using a hitherto unknown custom data exfiltration utility dubbed Teleport, the cybersecurity firm said.
The use of Raspberry Robin – a worm mainly spread through infected USB drives – as a delivery vector for TrueBot was highlighted[5] recently by Microsoft, which described it as part of a “complex and interconnected malware ecosystem.”
In what’s a further sign of enmeshed collaboration with other malware families, Raspberry Robin has also been observed deploying FakeUpdates[6] (aka SocGholish) on compromised systems, ultimately leading to ransomware-like behavior linked to Evil Corp.
Microsoft is tracking the operators of the USB-based malware as DEV-0856 and the Clop ransomware attacks that happen via Raspberry Robin and TrueBot under the emerging threat cluster DEV-0950.
“DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages,” the Windows maker noted in October 2022.
The latest findings from Cisco Talos show that the Silence APT carried out a small set of attacks between mid-August and September 2022 by abusing a critical RCE vulnerability[7] in Netwrix Auditor (CVE-2022-31199[8], CVSS score: 9.8) to download and run TrueBot.
The fact that the bug was weaponized merely a month after its public disclosure by Bishop Fox in mid-July 2022 suggests that “attackers are not only on the lookout for new infection vectors, but are also able to quickly test them and incorporate them into their workflow,” Pereira said.
TrueBot infections in October, however, entailed the use of a different attack vector – i.e., Raspberry Robin – underscoring Microsoft’s assessment about the USB worm’s central role as a malware distribution platform.
The primary function of TrueBot is to collect information from the host and deploy next-stage payloads such as Cobalt Strike, FlawedGrace, and Teleport. This is followed by the execution of the ransomware binary after harvesting relevant information.
The Teleport data exfiltration tool is also notable for its ability to limit upload speeds and file sizes, which helps the transfers slip past monitoring software. On top of that, it can erase its own presence from the machine.
A closer look at the commands issued via Teleport reveals that the program is being exclusively used to collect files from OneDrive and Downloads folders as well as the victim’s Outlook email messages.
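Teleport's throttling of upload speed and file size is aimed at staying under per-request size alerts, so one defensive counter is to aggregate outbound volume per host-and-destination pair over time rather than per request. The following Python is an added example, not code from Cisco Talos or from the article, that runs such a cumulative check over constructed proxy log lines; the host names, destinations and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample outbound-proxy records, not taken from the article:
# "timestamp,src_host,dst_host,bytes_out". WS-17 trickles 400 KB every
# five minutes; WS-04 sends one large upload; WS-09 is ordinary traffic.
SAMPLE_LOG = """\
2022-10-03T09:00:00,WS-17,files.example-cdn.invalid,409600
2022-10-03T09:05:00,WS-17,files.example-cdn.invalid,409600
2022-10-03T09:10:00,WS-17,files.example-cdn.invalid,409600
2022-10-03T09:15:00,WS-17,files.example-cdn.invalid,409600
2022-10-03T09:20:00,WS-17,files.example-cdn.invalid,409600
2022-10-03T09:25:00,WS-17,files.example-cdn.invalid,409600
2022-10-03T09:02:00,WS-04,sharepoint.example.invalid,5242880
2022-10-03T09:07:00,WS-09,updates.example.invalid,2048
2022-10-03T09:40:00,WS-09,updates.example.invalid,2048
"""

def parse_log(text):
    """Turn the CSV-style lines into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split(",")
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records

def find_throttled_uploads(records, window=timedelta(minutes=30),
                           per_request_cap=1_000_000,
                           cumulative_threshold=2_000_000, min_requests=5):
    """Flag (src, dst) pairs whose uploads each stay under per_request_cap
    (so a per-request size rule never fires) but whose combined volume
    inside a sliding time window still exceeds cumulative_threshold."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        if any(n > per_request_cap for _, n in events):
            continue  # one big upload is a job for a plain size rule
        start, total = 0, 0
        for end, (ts, n) in enumerate(events):
            total += n
            while ts - events[start][0] > window:  # slide the window forward
                total -= events[start][1]
                start += 1
            if end - start + 1 >= min_requests and total >= cumulative_threshold:
                alerts.append((src, dst, total, end - start + 1))
                break  # one alert per pair is enough
    return alerts
```

Only WS-17 is flagged: its six uploads never exceed the per-request cap, but five of them inside the 30-minute window add up to about 2 MB.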
“The Raspberry Robin delivery led to the creation of a botnet of over 1,000 systems that is distributed worldwide, but with particular focus on Mexico, Brazil, and Pakistan,” Pereira said.
The attackers, however, appear to have switched to an unknown TrueBot distribution mechanism starting in November, with the vector succeeding in co-opting over 500 internet-facing Windows servers located in the U.S., Canada, and Brazil into a botnet.
References
[1] said (blog.talosintelligence.com)
[2] Silence (thehackernews.com)
[3] share associations (www.telekom.com)
[4] TA505 (outpost24.com)
[5] highlighted (thehackernews.com)
[6] FakeUpdates (www.proofpoint.com)
[7] critical RCE vulnerability (thehackernews.com)
[8] CVE-2022-31199 (nvd.nist.gov)
[9] Twitter (twitter.com)
[10] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2022/12/new-truebot-malware-variant-leveraging.html