Cybersecurity researchers have reported an increase in TrueBot infections, primarily targeting Mexico, Brazil, Pakistan, and the U.S.
Cisco Talos said the attackers behind the operation have moved from using malicious emails to alternative delivery methods such as the exploitation of a now-patched remote code execution (RCE) flaw in Netwrix auditor as well as the Raspberry Robin worm.
"Post-compromise activity included data theft and the execution of Clop ransomware," security researcher Tiago Pereira said in a Thursday report.
TrueBot is a Windows malware downloader that's attributed to a threat actor tracked by Group-IB as Silence, a Russian-speaking crew believed to share associations with Evil Corp (aka DEV-0243) and TA505.
The first-stage module functions as an entry point for subsequent post-exploitation activities, including information theft using a hitherto unknown custom data exfiltration utility dubbed Teleport, the cybersecurity firm said.
The use of Raspberry Robin – a worm mainly spread through infected USB drives – as a delivery vector for TrueBot was highlighted recently by Microsoft, which it said is part of a "complex and interconnected malware ecosystem."
In what's a further sign of enmeshed collaboration with other malware families, Raspberry Robin has also been observed deploying FakeUpdates (aka SocGholish) on compromised systems, ultimately leading to ransomware-like behavior linked to Evil Corp.
Microsoft is tracking the operators of the USB-based malware as DEV-0856 and the Clop ransomware attacks that happen via Raspberry Robin and TrueBot under the emerging threat cluster DEV-0950.
"DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages," the Windows maker noted in October 2022.
The latest findings from Cisco Talos show that the Silence APT carried out a small set of attacks between mid-August and September 2022 by abusing a critical RCE vulnerability in Netwrix auditor (CVE-2022-31199, CVSS score: 9.8) to download and run TrueBot.
The fact that the bug was weaponized merely a month after its public disclosure by Bishop Fox in mid-July 2022 suggests that "attackers are not only on the lookout for new infection vectors, but are also able to quickly test them and incorporate them into their workflow," Pereira said.
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
TrueBot infections in October, however, entailed the use of a different attack vector – i.e., Raspberry Robin – underscoring Microsoft's assessment about the USB worm's central role as a malware distribution platform.
"These connections [between Silence, Raspberry Robin, and Evil Corp] are made based on the observation of attack flows," Pereira told The Hacker News. "However, our observation strengthens the connection that has been previously made by others between TrueBot and TA505 because of the delivery of Grace malware, which is linked to TA505."
The primary function of TrueBot is to collect information from the host and deploy next-stage payloads such as Cobalt Strike, FlawedGrace, and Teleport. This is followed by the execution of the ransomware binary after harvesting relevant information.
The Teleport data exfiltration tool is also notable for its ability to limit upload speeds and file sizes, thereby causing the transmissions to go undetected by monitoring software. On top of that, it can erase its own presence from the machine.
A closer look at the commands issued via Teleport reveals that the program is being exclusively used to collect files from OneDrive and Downloads folders as well as the victim's Outlook email messages.
"The Raspberry Robin delivery led to the creation of a botnet of over 1,000 systems that is distributed worldwide, but with particular focus on Mexico, Brazil, and Pakistan," Pereira said.
The attackers, however, appear to have switched to an unknown TrueBot distribution mechanism starting in November, with the vector succeeding in co-opting over 500 internet-facing Windows servers located in the U.S., Canada, and Brazil into a botnet.