TrueBot Malware Employed by Clop Ransomware For Accessing Networks

TrueBot Malware Employed by Clop Ransomware For Accessing Networks

Security experts have observed an increase in the number of computers with the TrueBot malware downloader, developed by the Silence hacking gang that speaks Russian. This group, renowned for its large-scale financial institution heists, has started to move away from using phishing as a first point of breach.

According to an analysis of the group’s activities over the previous few months, the threat actor also uses Teleport – a new proprietary data exfiltration tool. Silence transmitted Clop ransomware, which is often used by TA505 hackers connected to the FIN11 group. More than 1,500 computers have been compromised by the malware that Silence hackers used to download shellcode, Cobalt Strike beacons, the Teleport exfiltration tool, the Grace malware, and the Clop ransomware.

Researchers at Cisco Talos examined the fresh attacks after noticing many new attack methods deployed after August 2022. The hackers used Truebot (Silence.Downloader) to infect computers in a few attacks between August and September by taking advantage of a severe flaw in Netwrix Auditor servers identified as CVE-2022-31199. The group turned to exploit USB devices in October 2022 to spread the Raspberry Robin worm, which frequently distributed IcedID, Bumblebee, and Truebot payloads, on PCs. 

Microsoft’s DEV-0950 threat actor, whose harmful behavior coincides with that of FIN11 and TA505 (known for employing Clop in extortion attempts), distributed the Clop ransomware, according to a report they released in October. TA505 is renowned for engaging Clop in extortion activities. Cisco Talos reports that the Truebot gang infected over 1,000 hosts, most of which were desktop computers in Mexico, Brazil, and Pakistan using Raspberry Robin.

Hackers that targeted Windows servers in November exposed SMB, RDP, and WinRM services on the open internet. Over 500 infections were counted by the researchers, with almost 75% occurring in the US. A first-stage module called Truebot can gather fundamental data and capture screenshots. Additionally, it steals details about Active Directory trust relationships, which the threat actor uses to organize their post-infection operations. The command and control (C2) server can then instruct Truebot to download DLLs, EXEs, BATs, or PS1 files, run new modules, load shellcode or DLLs into memory, or uninstall itself. 

The hackers employ Truebot to deploy the Grace malware (FlawedGrace, GraceWire), linked to the TA505 cybercriminal gang or Cobalt Strike beacons during the post-compromise phase. The attackers then use Teleport, which Cisco defines as a cutting-edge bespoke program created in C++ that aids data thieves in stealthy data breaches. Teleport and the C2 server’s communication channels are encrypted. In order to steal additional files, the operators might restrict the upload speed, filter files by size, or erase the payload. Everything here is intended to blend seamlessly with the victim machine. Additional options provided by Teleport include the ability to take data from OneDrive folders, gather the victim’s Outlook emails, or focus on a specific file extension. In other instances, the attackers use Cobalt Strike to move laterally to as many systems as possible before deploying the Clop ransomware.

“During the exploration and lateral movement phases, the attackers browsed key server and desktop file systems, connected to SQL databases, and collected data that was exfiltrated using the Teleport tool to an attacker-controlled server,” Cisco Talos researchers explain.

Since 2016, when the hackers silently broke into a bank but could not take money due to a problem with a payment order, researchers at cybersecurity firm Group-IB have been monitoring Silence/Truebot activities. In order to learn how the money transfer process works, the attacker struck the same target again and began to observe the bank employee’s behavior by collecting screenshots and streaming video from the compromised machine. According to Group-IB’s information, they launched their first successful heist in 2017, hacking ATM networks and taking more than $100,000 in a single evening.

Between 2016 and 2019, Silence maintained their attacks for three years and stole at least $4.2 million from banks in the former Soviet Union, Europe, Latin America, and Asia. Researchers from Group-IB characterize Silence hackers as highly talented, able to tweak malware through reverse engineering or adapt an attack used by nation-state group Fancy Bear down to the level of assembly instructions. They can create their tools as well. Initially, the attacker mainly targeted organizations in Russia, but over the past several years, Silence has broadened its target audience to include all countries.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.