December 12, 2022

Cisco Talos, a cybersecurity research firm, has reported an increase in TrueBot infections, primarily targeting Mexico, Brazil, Pakistan, and the United States.

Recent attacks made use of a now-patched vulnerability (CVE-2022-31199) in Netwrix Auditor, an IT asset management tool, as well as the Raspberry Robin worm.

The experts emphasized that the attacks occurred only a few weeks after the vulnerability was publicly disclosed, implying that threat actors rapidly test new attack vectors. The researchers believe, with moderate confidence, that threat actors began using yet another distribution technique in November.

According to Cisco Talos, the Truebot gang used Raspberry Robin to infect over 1,000 hosts, many of which were desktop computers not accessible via the public internet, primarily in Mexico, Brazil, and Pakistan.

The hackers targeted Windows servers in November, exposing SMB, RDP, and WinRM services to the public internet. The researchers counted over 500 infections, with roughly 75% of them occurring in the United States.

TrueBot’s primary function is to gather data from the host and deploy next-stage payloads such as Cobalt Strike, FlawedGrace, and Teleport. Following the harvesting of relevant information, the ransomware binary is executed. The Teleport data exfiltration tool is also notable for its ability to restrict upload speeds and file sizes, allowing transmissions to pass unnoticed by monitoring software. Furthermore, it has the ability to remove its own presence from the machine.

The sources for this piece include an article in BleepingComputer.