A joint Cybersecurity Advisory (CSA) by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) was recently released detailing the Trubot attack against Canadian and U.S. facilities.
The technical details provided describe the methods, behaviors, and associated tools connected to Truebot malware and the way in which cyber threat actors are leveraging it for malicious activities.
Initial Access and Execution
- Phishing: Truebot has historically been delivered through phishing emails, where malicious links or executable attachments disguised as software updates are sent to targets. Interaction with these leads to a redirection to a malicious web domain where scripts are executed. Various legitimate file formats can be leveraged to hide Truebot.
- Exploitation of CVE-2022-31199: This vulnerability in Netwrix Auditor allows cyber threat actors to gain initial access and move within the network. The remote code execution vulnerability is exploited, allowing for scaled malware deployment.
- Integration with FlawedGrace: After being downloaded, Truebot loads FlawedGrace, a remote access tool (RAT), to modify registry and print spooler programs. It helps escalate privileges and establish persistence, storing encrypted payloads and creating a command and control (C2) connection.
- Use of Cobalt Strike: Truebot has been seen injecting Cobalt Strike beacons into memory, another RAT that is used for further operations.
Discovery and Defense Evasion
- System Checks: Truebot checks OS version and processor architecture, designs junk code to hinder detection, and enumerates all running processes.
- Data Compilation and Encoding: It compiles and enumerates running process data into a base64 or hexadecimal encoded string, primarily for tracking and defense evasion.
Data Collection and Exfiltration
- Data Enumeration and Collection: Truebot enumerates processes and tools, collects system and domain names, and sends data to a hard-coded URL.
- Command and Control Connection: A POST request establishes a C2 connection, facilitating further downloads, replication, deletion of files, and navigation within the infected network.
Associated Delivery Vectors and Tools
- Raspberry Robin (Malware): Linked to Truebot and can spread through various methods.
- Flawed Grace (Malware): Deployed as an additional payload via Truebot.
- Cobalt Strike (Tool): Used for persistence and data exfiltration.
- Teleport (Tool): A custom data exfiltration tool that evades detection by encrypting data.
Truebot Malware Indicators of Compromise (IOCs)
The information provided also includes details of observed campaigns, redirection methods, associated domains, IP addresses, and hashes. This enables the tracking and understanding of the threat landscape concerning Truebot and associated threat actors.
Detection Methods
- Snort Signature: A specific Snort signature is provided for detecting Truebot malware by looking at the client HTTP header content. Snort is an open-source network intrusion detection system that can be used to detect various types of attacks.
- YARA Rules: CISA has developed YARA rules to detect the presence of Truebot malware. YARA is a tool designed to help malware researchers identify and classify malware samples. The rule you provided includes specific strings and conditions to match the pattern of the Truebot downloader.
Incident Response
If Truebot malware is detected, organizations are advised to:
- Quarantine or take offline potentially affected hosts.
- Collect and review artifacts like running processes, recent network connections, etc.
- Provision new account credentials and reimage compromised hosts.
- Report the compromise to CISA or local FBI field offices.
Mitigations
- Mandating phishing-resistant multifactor authentication (MFA).
- Applying patches and updates, including specific updates for CVE-2022-31199 and Netwrix Auditor to version 10.5.
- Implementing application controls and allowlisting remote access programs.
- Limiting the use of RDP, PowerShell, and other remote desktop services.
- Updating and logging PowerShell activities.
- Enabling enhanced PowerShell logging.
- Configuring Windows Registry for UAC approval.
- Auditing and managing user accounts with administrative privileges.
- Implementing time-based access and managing password policies according to NIST standards.
- Implementing network segmentation, network monitoring tools, real-time detection for antivirus software, and disabling unused ports.
- Considering adding an email banner for external emails.
- Ensuring backup data is encrypted and immutable.
- Testing and validating security controls according to the MITRE ATT&CK for Enterprise framework.
Outsourcing IT Support
Outsourcing Managed IT Services can address several of the issues related to the detection and mitigation of malware, including Truebot malware.
- Expertise and Specialization: Managed Service Providers (MSPs) often possess the expertise and specialized tools required to handle complex cybersecurity threats. They stay abreast of the latest malware, including Truebot, and other cyber threats, implementing necessary security measures.
- Continuous Monitoring and Incident Response: MSPs can offer 24/7 monitoring of your network for suspicious activities, enabling quicker response to threats. As recommended in the discussion, collecting and reviewing artifacts like running processes/services and unusual authentications would be part of their service.
- Patch Management and Updates: As mentioned, timely patching is essential. MSPs can take responsibility for keeping operating systems, software, and firmware up to date, even prioritizing patches known to be exploited.
- Implementing Multi-Factor Authentication (MFA) and Other Security Protocols: They can help mandate phishing-resistant MFA and implement best practices like network segmentation, antivirus software maintenance, and allowlisting remote access programs.
- Disaster Recovery and Backup: MSPs typically offer solutions for data recovery and regular backup, aligned with the best practices mentioned like maintaining offline backups and encrypting backup data.
- Compliance with Standards: Many MSPs ensure that your organization complies with national and international standards and frameworks, such as the NIST Cybersecurity Framework (CSF) mentioned in the text.
- Security Controls Validation: Through regular testing and validation of security controls, MSPs can fine-tune the security program, including technologies, people, and processes, in alignment with the MITRE ATT&CK for Enterprise framework mentioned.
- Education and Training: MSPs often provide training to the internal staff regarding security best practices, which can assist in implementing some of the recommendations like password policies and phishing resistance.
Outsourcing to an MSP shifts the burden of these complex and often time-consuming tasks from an organization to specialists whose main focus is IT security. This can enhance the protection against malware like Truebot, allowing organizations to concentrate on their core business functions.
However, it’s essential to ensure that the chosen MSP has the necessary expertise, resources, and commitment to security. Careful evaluation, clear agreements, and ongoing communication are key to a successful partnership with an MSP, ensuring that they meet the specific needs and standards of the organization.
References
- Increased Truebot Activity Infects U.S. and Canada Based Networks | CISA. (2023, July 6). Www.cisa.gov. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a
Elevate Your Business Operations Through Unmatched IT Excellence: Choose Second Star Technologies
Are you ready to take your business to the next level with optimized IT infrastructure? Second Star Technologies can help.
We offer a wide range of IT services, including network management, security solutions, and 24/7 support. Our team of experts will work with you to understand your needs and develop a customized solution that will help you achieve your business goals.
With Second Star Technologies, you can be confident that your IT infrastructure is secure, reliable, and scalable. We'll help you free up your time and resources so you can focus on what you do best: growing your business.
Contact us today to learn more about how we can help you reach your full potential.