Activities from Truebot Infections
Category: Malware Campaign | Industry: Global | Level: Tactical | Source: Cisco Talos
Cisco Talos' latest threat advisory details Truebot malware activity following a rise in infections since August 2022. Threat actors linked to the malware include the Silence Group and TA505 (aka Evil Corp). Delivery methods used to distribute Truebot include phishing emails, botnets, and USB infections; the Raspberry Robin malware has also frequently dropped Truebot as part of its infection chain. Once on the infected system, the Truebot downloader surveys the environment and facilitates the download of the payloads the adversaries need for their campaign.
"As a downloader tool, there are also some features that were not present in previously documented versions of the malware. Besides downloading and executing files, the malware is now able to load and execute additional modules and shellcodes in memory, making the payloads less likely to be detected." Post-compromise activity following Truebot infections often leads to data exfiltration and the deployment of Clop ransomware. Cisco Talos observed custom data exfiltration tools in Truebot campaigns, including 'Teleport,' which was used extensively for data theft. The presence of Grace malware in Truebot infections ties the activity to the threat actor TA505.
- Malware Download/Recon & Process Injection
Anvilogic Use Cases:
- Suspicious File written to Disk
- Rundll32 Command Line
- WinRM Tools
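The three use cases above, expressed as detection logic run over constructed Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) events. This is an added example, not Anvilogic's or Cisco Talos's detection content: the field names follow Sysmon, while the staging-directory pattern, the list of processes that should not be writing binaries, and the ordinal-export heuristic for rundll32 are assumptions to tune per environment. The sample events are constructed, not captured telemetry.

```python
"""Detection logic for the three Anvilogic use cases listed above, run over
constructed Sysmon-style events. Added example, not Anvilogic's or Talos's
detection content; thresholds and lists below are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Directories a downloader typically stages payloads in (assumption: tune per environment).
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads)|programdata|windows\\temp|temp)\\",
    re.IGNORECASE,
)
EXEC_EXT = re.compile(r"\.(dll|exe|scr|cpl)$", re.IGNORECASE)
# Processes that should not normally be writing executables to disk (assumption).
UNUSUAL_WRITERS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
WINRM_HOSTS = {"wsmprovhost.exe", "winrs.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Alert:
    use_case: str
    reason: str
    event: dict


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_rundll32(ev: dict) -> Optional[Alert]:
    """Rundll32 Command Line: rundll32 loading a DLL from a user-writable
    directory, or called with an ordinal export (#n), which legitimate
    software rarely does."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "rundll32.exe":
        return None
    cmd = ev.get("CommandLine", "")
    # First argument after rundll32 is "<dll>,<export>"; capture both halves.
    m = re.search(r"rundll32(?:\.exe)?\"?\s+\"?([^\",]+)\"?\s*,?\s*(\S*)", cmd, re.IGNORECASE)
    if not m:
        return None
    dll, export = m.group(1), m.group(2)
    if USER_WRITABLE.search(dll):
        return Alert("Rundll32 Command Line", f"DLL loaded from user-writable path: {dll}", ev)
    if export.startswith("#"):
        return Alert("Rundll32 Command Line", f"ordinal export {export} for {dll}", ev)
    return None


def check_file_write(ev: dict) -> Optional[Alert]:
    """Suspicious File written to Disk: an executable or DLL written into a
    staging directory by a process that should not be dropping binaries."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "")
    writer = _basename(ev.get("Image", ""))
    if EXEC_EXT.search(target) and USER_WRITABLE.search(target) and writer in UNUSUAL_WRITERS:
        return Alert("Suspicious File written to Disk", f"{writer} wrote {target}", ev)
    return None


def check_winrm(ev: dict) -> Optional[Alert]:
    """WinRM Tools: a shell spawned under the WinRM host process, the trace
    left by remote command execution during lateral movement."""
    if ev.get("EventID") != 1:
        return None
    parent = _basename(ev.get("ParentImage", ""))
    child = _basename(ev.get("Image", ""))
    if parent in WINRM_HOSTS and child in SHELLS:
        return Alert("WinRM Tools", f"{parent} spawned {child}", ev)
    return None


CHECKS = (check_rundll32, check_file_write, check_winrm)


def run_detections(events):
    """Apply every check to every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry): one benign and one hit per use case.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Users\bob\AppData\Local\Temp\upd.dll,#1',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Word\~WRL0001.tmp"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\upd.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami", "ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.use_case}] {a.reason}")
```

Running the block prints one alert per use case for the constructed sample: the rundll32 call loading a DLL from the user's Temp directory, the script host dropping that DLL, and the shell spawned under wsmprovhost.exe. The benign rundll32 invocation of shell32.dll, the Word temp file, and the interactive cmd.exe under explorer.exe produce nothing. The checks deliberately key on the relationship between process, path and parent rather than on any Truebot-specific file name or hash, so they keep firing when the operators rename the payload.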