
Truebot Malware: Complete Guide 

Heloise Montini

Heloise Montini is a content writer whose background in journalism makes her an asset when researching and writing tech content. Also, her personal aspirations in creative writing and PC gaming make her articles on data storage and data recovery accessible to a wide audience.

Laura Pompeu

With 10 years of experience in journalism, SEO & digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.

Bogdan Glushko

CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years, he's been able to help restore data after logical errors, physical failures, or even ransomware attacks, for individuals, businesses, and government agencies alike.


The Canadian Centre for Cyber Security (CCCS) and the Multi-State Information Sharing and Analysis Center have warned about newly identified TrueBot malware variants used against organizations in the US and Canada.

The impact of a Truebot attack can be severe and varied, involving the theft of sensitive data such as personally identifiable information (PII), financial records, or intellectual property. Truebot may also deploy additional malware payloads, such as ransomware, to encrypt critical files and extort payment from the targeted organization.

CISA and its partners have released a joint cybersecurity advisory on Truebot malware variants that explains how Truebot has been observed in association with Raspberry Robin and how cybercriminals can gain initial access, as well as the ability to move laterally within the compromised network.

SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against malware attacks. And, in case of a malware attack, contact our malware recovery experts immediately.

What kind of malware is Truebot?

Truebot can be identified as both a botnet malware and a Trojan.Downloader. It has been used by malicious cyber groups like Cl0p Ransomware Gang to collect and exfiltrate information from its target victims.

It is capable of downloading and executing additional payloads, making it an ideal malware for initial access broker (IAB) groups that want to plant a backdoor on a system and do some basic reconnaissance of the network. The Truebot malware scans the compromised environment for debugger tools and enumerates them to evade network defenses. To maintain its stealth, the malware limits the data it collects and syncs its transfers with the organization's normal outbound data and network traffic.

What is a botnet malware?

A botnet is a network of internet-connected devices, such as computers, servers, mobile devices, and Internet of Things (IoT) devices, that are infected and controlled by malware. The malware infects the devices and creates a bot, which is controlled remotely by the attacker or bot-herder.

The botnet malware typically looks for devices with vulnerable endpoints across the internet, rather than targeting specific individuals, companies, or industries.

The objective of creating a botnet is to infect as many connected devices as possible and to use the large-scale computing power and functionality of those devices for automated tasks that generally remain hidden from the users of the devices.

What is a Trojan.Downloader?

Trojan.Downloader is a type of Trojan malware that downloads and installs other malicious software or files onto a victim’s device without their knowledge or consent.

Trojan downloaders can be disguised as legitimate or useful software, such as a software update or a game, and are often distributed as part of the payload of another harmful program, such as a trojan-dropper. They can also be distributed as disguised files attached to spam emails, using legitimate-sounding program or document names, such as ‘invoice’ or ‘accounts.exe’, as a simple form of social engineering.


Everything we know about Truebot malware

Confirmed Name

  • Truebot virus

Threat Type

  • Malware
  • Trojan
  • Password-stealing virus
  • Banking malware
  • Spyware

Payload

  • Raspberry Robin
  • FlawedGrace
  • Cobalt Strike
  • Cl0p ransomware

Distribution methods

  • Social engineering
  • Phishing
  • Exploitation of CVE-2022-31199
  • Malvertising
  • Exploit Kits
  • Pirated Software

Consequences

  • Stolen passwords and banking information
  • Identity theft
  • Victim’s computer is added to a botnet.

How does Truebot malware infect a machine or network?

Malware, like ransomware, uses several tactics to infect machines and systems, most of them by exploiting weaknesses such as unpatched software and weak passwords.

Social Engineering

The attackers use social engineering tactics to manipulate people into sharing information they shouldn’t share, downloading software they shouldn’t download, visiting websites they shouldn’t visit, sending money to criminals, or making other mistakes that compromise their personal or organizational security.

Phishing

Truebot malware historically relied on phishing emails as the primary delivery method, tricking recipients into clicking malicious hyperlinks or concealing malware as software update notifications.

Exploitation of CVE-2022-31199 vulnerabilities

Truebot malware is actively exploiting CVE-2022-31199, a remote code execution vulnerability in the Netwrix Auditor User Activity Video Recording component that allows an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors. The attackers use this vulnerability to deliver new Truebot malware variants and to collect and exfiltrate information from organizations in the U.S. and Canada.

Malvertising and Exploit Kits

Malvertising is the use of legitimate-looking online advertising to spread malware. Exploit kits are pre-packaged software that can be used to exploit vulnerabilities in a system.

Pirated Software

Attackers can infect pirated software with malware and distribute it through torrent sites or other file-sharing platforms.

Truebot malware methods of execution

Truebot is a sophisticated malware that uses various methods to infect systems and networks. The primary objective of a Truebot infection is to exfiltrate sensitive data from the compromised host(s) for financial gain.

Data Collection

During the first stage of Truebot’s execution process, it checks the current version of the operating system (OS) with RtlGetVersion and processor architecture using GetNativeSystemInfo.

During FlawedGrace’s execution phase, the RAT stores encrypted payloads within the registry. The tool can create scheduled tasks and inject payloads into msiexec.exe and svchost.exe, which are command processes that enable FlawedGrace to establish a command and control (C2) connection to a remote server, as well as load dynamic link libraries (DLLs) to accomplish privilege escalation. Several hours post initial access, Truebot has been observed injecting Cobalt Strike beacons into memory in a dormant mode for the first few hours before initiating additional operations.

Discovery and Defense Evasion

Following the initial checks for system information, Truebot can enumerate all running processes, collect sensitive local host data, and send this data to an encoded data string for second-stage execution.

Based on IOCs, Truebot also can discover software security protocols and system time metrics, which aids in defense evasion, as well as enables synchronization with the compromised system’s internal clock to facilitate scheduling tasks.

Truebot developers employ sophisticated techniques to evade detection by traditional security solutions. They utilize various methods to disguise the malware within legitimate file formats, making it harder for security systems to identify and block.

Additionally, Truebot employs encoding and encryption methods to obfuscate its activities, making it more difficult for security analysts to analyze and detect its malicious activities.

Data Exfiltration

Truebot establishes a connection using a newly generated globally unique identifier (GUID) and a second obfuscated domain to receive additional payloads, self-replicate across the environment, and/or delete files used in its operations.

Truebot malware can download additional malicious modules, load shell code, and deploy various tools to stealthily navigate an infected network.


Truebot Malware Indicators of Compromise (IOCs)

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning that multiple threat actor groups are using new Truebot malware variants in attacks against organizations in the US and Canada. The advisory contains indicators of compromise (IOCs) that organizations can use to identify Truebot activity within their environment. Organizations that identify IOCs within their environment should urgently apply the incident responses and mitigation measures detailed in the advisory and report the intrusion to CISA or the FBI.

Some of the IOCs companies should watch for are:

  • Registrant – GKG[.]NET Domain Proxy Service Administrator
  • IP – 193.3.19[.]173 (Russia)
  • Domain – https://corporacionhardsoft[.]com/images/2/Document_16654.exe
  • MD5 Hash – 6164e9d297d29aa8682971259da06848
  • File – Document_may_24_16654[.]exe
  • File – C:\Intel\RuntimeBroker[.]exe
  • File – Document_16654[.]exe
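As an added example (not code from CISA, the advisory or SalvageData), the following Python script refangs the indicators listed above and checks constructed sample log lines against them; the log lines and their field names are made up for illustration. The C:\Intel path is matched whole because a RuntimeBroker.exe in System32 is a legitimate Windows binary.

```python
import re

# Indicators as printed on the page (defanged with "[.]").
PAGE_IOCS = {
    "ip": ["193.3.19[.]173"],
    "domain": ["corporacionhardsoft[.]com"],
    "md5": ["6164e9d297d29aa8682971259da06848"],
    "path": [r"C:\Intel\RuntimeBroker[.]exe"],
    "filename": ["Document_may_24_16654[.]exe", "Document_16654[.]exe"],
}

# Constructed sample telemetry, not real logs.
SAMPLE_LOGS = [
    "2023-07-06T14:02:11Z proxy allow src=10.0.4.22 dst=corporacionhardsoft.com url=/images/2/Document_16654.exe",
    r"2023-07-06T14:02:15Z edr process_create image=C:\Users\jdoe\Downloads\Document_16654.exe md5=6164E9D297D29AA8682971259DA06848",
    "2023-07-06T14:03:40Z firewall allow src=10.0.4.22 dst=193.3.19.173 dport=443",
    r"2023-07-06T14:05:00Z edr process_create image=C:\Windows\System32\RuntimeBroker.exe",
    r"2023-07-06T14:05:30Z edr process_create image=C:\Intel\RuntimeBroker.exe",
    "2023-07-06T14:06:02Z proxy allow src=10.0.4.23 dst=example.com url=/index.html",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]") back into the form seen in live logs."""
    return indicator.replace("[.]", ".")


def build_patterns(iocs=PAGE_IOCS):
    """Compile one regex per indicator. The boundaries stop partial matches
    (e.g. 193.3.19.1730) and re.I handles Windows' case-insensitive names/hashes."""
    compiled = []
    for kind, values in iocs.items():
        for value in values:
            live = re.escape(refang(value))
            compiled.append((kind, value, re.compile(r"(?<![\w.])" + live + r"(?![\w.])", re.I)))
    return compiled


def scan_lines(lines, patterns=None):
    """Return (line_no, kind, indicator) for every IOC hit across the log lines."""
    patterns = patterns or build_patterns()
    hits = []
    for number, line in enumerate(lines, 1):
        for kind, ioc, regex in patterns:
            if regex.search(line):
                hits.append((number, kind, ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print("line %d: %s indicator %s" % hit)
```

A hit on the hash or the C:\Intel path is strong evidence on its own; a bare hit on a filename such as Document_16654.exe should be confirmed against the file's hash before escalating.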

How to handle a Truebot malware attack

The first step to recovering from a Truebot attack is to isolate the infected computer by disconnecting it from the internet and from any connected devices. Then, you must contact local authorities. In the case of US residents and businesses, that is the FBI and the Internet Crime Complaint Center (IC3).

To report a malware attack, you must gather all the information you can about it, including:

  • Screenshots of the ransom note
  • Communications with threat actors (if you have them)
  • A sample of an encrypted file

However, if you prefer to contact professionals, then do nothing. Leave every infected machine the way it is and ask for an emergency ransomware removal service. Restarting or shutting down the system may compromise the recovery. Capturing the RAM of a live system may help recover the encryption key, and a captured dropper file (the file that executes the malicious payload) can be reverse-engineered, which may lead to decryption of the data or an understanding of how the malware operates.

You must not delete the malware, and you must preserve all evidence of the attack. That is important for digital forensics so experts can trace the attack back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.

1. Contact your Incident Response provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the malware yourself and recover the files with your IT team, then you can follow the next steps.

2. Identify the malware infection

You can identify which malware infected your machine by using a ransomware ID tool.

You can also check the malware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.

3. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

4. Contact a malware recovery service

If you don’t have a backup or need help removing the malware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent Truebot malware from attacking your network again. Contact our experts 24/7 for ransomware recovery services.

Prevent the Truebot malware attack

Preventing malware attacks is the best solution for data security: it is easier and cheaper than recovering from them. Truebot malware can cost your business its future and even close its doors.

These are a few tips to ensure you can avoid malware attacks:

  • Keep your operating system and software up-to-date with the latest security patches and updates. This can help prevent vulnerabilities that can be exploited by attackers.
  • Use strong and unique passwords for all accounts and enable two-factor authentication whenever possible. This can help prevent attackers from gaining access to your accounts.
  • Be cautious of suspicious emails, links, and attachments. Do not open emails or click on links or attachments from unknown or suspicious sources.
  • Use reputable antivirus and anti-malware software and keep it up-to-date. This can help detect and remove malware before it can cause damage.
  • Use a firewall to block unauthorized access to your network and systems.
  • Use network segmentation to divide a larger network into smaller sub-networks with limited interconnectivity between them. It restricts attacker lateral movement and prevents unauthorized users from accessing the organization’s intellectual property and data.
  • Limit user privileges to prevent attackers from gaining access to sensitive data and systems.
  • Educate employees and staff on how to recognize and avoid phishing emails and other social engineering attacks.