A surge in TrueBot activity was observed in May 2023, cybersecurity researchers disclosed.
"TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks," VMware's Fae Carlisle said.
Active since at least 2017, TrueBot is linked to a group known as Silence that's believed to share overlaps with the notorious Russian cybercrime actor known as Evil Corp.
Recent TrueBot infections have leveraged a critical flaw in Netwrix Auditor (CVE-2022-31199, CVSS score: 9.8) as well as Raspberry Robin as delivery vectors.
The attack chain documented by VMware, on the other hand, starts off with a drive-by-download of an executable named "update.exe" from Google Chrome, suggesting that users are lured into downloading the malware under the pretext of a software update.
Once run, update.exe establishes connections with a known TrueBot IP address located in Russia to retrieve a second-stage executable ("3ujwy2rz7v.exe") that's subsequently launched using Windows Command Prompt.
The executable, for its part, connects to a command-and-control (C2) domain and exfiltrates sensitive information from the host. It's also capable of process and system enumeration.
"TrueBot can be a particularly nasty infection for any network," Carlisle said. "When an organization is infected with this malware, it can quickly escalate to become a bigger infection, similar to how ransomware spreads throughout a network."
The findings come as SonicWall detailed a new variant of another downloader malware known as GuLoader (aka CloudEyE) that's used to deliver a wide range of malware such as Agent Tesla, Azorult, and Remcos.
"In the latest variant of GuLoader, it introduces new ways to raise exceptions that hamper complete analysis process and its execution under controlled environment," SonicWall said.
