Jul 7 – Cyber attackers are now using new Truebot malware variants to execute attacks against organizations in the U.S. and Canada, multiple cyber security agencies have warned. Attackers are stealing data from victims for financial gain.
According to the Cybersecurity and Infrastructure Security Agency (CISA), along with the Canadian Centre for Cyber Security and the Multi-State Information Sharing and Analysis Center, initial versions of Truebot variants could only deliver malicious attachments through phishing emails.
However, cyber attackers have shifted their tactics. Newer malware variants can also access victims’ networks by exploiting a remote code execution flaw.
“As recently as May 31, 2023, the authoring organizations have observed an increase in cyber threat actors using new malware variants of Truebot (also known as Silence.Downloader),” notes the agencies’ advisory.
Attackers may deploy several other malware families and tools alongside the botnet. These include the wormable malware Raspberry Robin, the remote access tool Flawed Grace, the penetration testing tool Cobalt Strike, and the data exfiltration tool Teleport.
A complete technical deep-dive, including indicators of compromise, is available via the advisory.
Truebot has recently been used in cyber attack campaigns launched by the Clop ransomware gang, a prolific group that has also claimed responsibility for attacks against customers of Progress Software’s managed file transfer (MFT) product, MOVEit Transfer.
Truebot is linked to the Russian-speaking Silence cyber crime group. It is also used by the TA505 group (associated with FIN11) to deploy ransomware, establish persistence on compromised systems, and steal data.
Cyber security agencies recommend that organizations scan for malicious activity and apply relevant vendor patches.
“Any organization identifying indicators of compromise (IOCs) within their environment should urgently apply the incident responses and mitigation measures detailed in this [cybersecurity advisory] and report the intrusion to CISA or the FBI.”
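To make the "scan for indicators of compromise" recommendation concrete, here is an added example (not code from the advisory or from this article) of a small IOC sweep that matches an indicator list against log lines. The indicator values (`IOC_SHA256`, `IOC_DOMAINS`, `IOC_NETWORKS`) and the sample log lines are constructed placeholders; in practice the list would be populated from the advisory's published indicators.

```python
"""
Added example: a minimal IOC sweep over log lines.
The indicators and log lines below are CONSTRUCTED placeholders,
not real Truebot indicators; replace them with the advisory's list.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed placeholder indicators (NOT real IOCs).
IOC_SHA256 = {"deadbeef" * 8}                          # placeholder file hash
IOC_DOMAINS = {"example-c2.invalid"}                   # placeholder C2 domain
IOC_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # placeholder (TEST-NET-1 range)

_HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
_DOMAIN_RE = re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Hit:
    """One indicator match: which line, what kind of indicator, and the value seen."""
    line_no: int
    kind: str
    value: str


def _domain_matches(candidate: str) -> bool:
    """True if candidate equals an IOC domain or is a subdomain of one."""
    c = candidate.lower().rstrip(".")
    return any(c == d or c.endswith("." + d) for d in IOC_DOMAINS)


def _ip_matches(candidate: str) -> bool:
    """True if candidate is a valid IPv4 address inside an IOC network."""
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return False
    return any(addr in net for net in IOC_NETWORKS)


def sweep(lines):
    """Return a Hit for every hash, domain or IP indicator found in the lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for h in _HASH_RE.findall(line):
            if h.lower() in IOC_SHA256:          # hashes compared case-insensitively
                hits.append(Hit(n, "sha256", h.lower()))
        for d in _DOMAIN_RE.findall(line):
            if _domain_matches(d):               # subdomains of an IOC domain count too
                hits.append(Hit(n, "domain", d.lower()))
        for ip in _IPV4_RE.findall(line):
            if _ip_matches(ip):                  # CIDR match, not just exact string
                hits.append(Hit(n, "ip", ip))
    return hits


# Constructed sample log lines (EDR, proxy and firewall style); not real telemetry.
SAMPLE_LOGS = [
    "2023-06-01T10:00:00Z edr host=ws01 event=file_create "
    "path=C:\\Users\\a\\AppData\\Local\\Temp\\update.exe sha256=" + "DEADBEEF" * 8,
    "2023-06-01T10:00:05Z proxy host=ws01 dst=cdn.example-c2.invalid:443 action=allow",
    "2023-06-01T10:00:07Z fw host=ws01 dst_ip=192.0.2.55 dport=443 action=allow",
    "2023-06-01T10:01:00Z proxy host=ws02 dst=www.example.com:443 action=allow",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} indicator {hit.value}")
```

The sweep normalizes hashes to lower case, treats subdomains of a listed domain as matches, and matches IPs by network rather than exact string, which is where naive grep-style IOC checks usually miss. Each hit carries its line number so the matching record can be pulled for incident response.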
Further, be sure that your organization uses multi-factor authentication (MFA) to help stop hackers.