TrueBot downloader trojan botnet activity has increased significantly in the past month, researchers say.
What is TrueBot?
TrueBot is downloader malware: its main goal is to infect systems, collect information that helps the operators triage interesting targets, and deploy additional payloads. Once a system is infected, the malware gathers host information and sends it to the attacker's command and control (C2) server before further payloads are retrieved.
The Silence Group is the threat actor attributed to this malware. Group-IB has linked the group to Russia's Evil Corp (Indrik Spider) because the downloaders the two groups use are similar.
The attack chain begins with a drive-by download in Chrome of the executable 'update.exe'. The threat actors attempt to trick users into downloading and executing it by masquerading it as a software update.
Once executed, the file connected to 94.142.138[.]61, a Russian IP address known to be attributed to TrueBot. A second-stage executable, '3ujwy2rz7v.exe', was then downloaded and executed via cmd.exe, after which it connected to the C2 domain 'dremmfyttrred[.]com'.
Carlisle said: “Once an organization is infected with this malware, it can quickly escalate and become a larger infection, similar to how ransomware spreads through a network.”
Indicators of Compromise
- 45.182.189[.]103
- 94.142.138[.]61
- 172.64.155[.]188
- 104.18.32[.]68
- dremmfyttrred[.]com
- Locations: Russia, Panama
- update.exe
- Document_26_apr_2443807.exe
- 3ujwy2rz7v.exe
- fe746402c74ac329231ae1b5dffa8229b509f4c15a0f5085617f14f0c1579040 (SHA-256)
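The list above is only useful once it is run against telemetry. The script below is an added example (not code from the original article or from any vendor named in it) that refangs the indicators listed above and sweeps proxy, DNS and EDR-style log lines for them, reporting which hosts touched which indicator. The log lines are constructed for the demonstration and are not real telemetry; the field names (`src=`, `host=`, `image=`, `query=`) are assumptions about the log format.

```python
import re
from collections import defaultdict

# Indicators from the list above, kept in their defanged form so they are
# safe to paste around; they are refanged only at match time.
IOCS_DEFANGED = {
    "ipv4": ["45.182.189[.]103", "94.142.138[.]61", "172.64.155[.]188", "104.18.32[.]68"],
    "domain": ["dremmfyttrred[.]com"],
    "filename": ["update.exe", "Document_26_apr_2443807.exe", "3ujwy2rz7v.exe"],
    "sha256": ["fe746402c74ac329231ae1b5dffa8229b509f4c15a0f5085617f14f0c1579040"],
}


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the value matches raw telemetry."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()


# kind -> set of lowercase, refanged values
IOCS = {kind: {refang(v) for v in values} for kind, values in IOCS_DEFANGED.items()}

# Log fields are separated by whitespace, '=', or path separators; splitting on
# those turns a URL, a Windows image path or a key=value pair into comparable tokens,
# so the basename of "C:\Users\bob\Downloads\Update.exe" compares as "update.exe".
TOKEN_SPLIT = re.compile(r"[\s\\/=]+")

# Field holding the endpoint that produced the line (assumed log format).
HOST_FIELD = re.compile(r"\b(?:host|src)=([^\s]+)")

# Constructed sample lines (not real telemetry) covering each indicator type.
SAMPLE_LOG = """\
2023-06-01T10:02:11Z proxy src=10.0.0.15 dst=94.142.138.61 dport=443 url=https://94.142.138.61/update.exe
2023-06-01T10:02:15Z edr host=WS-042 parent=chrome.exe image=C:\\Users\\bob\\Downloads\\Update.exe sha256=FE746402C74AC329231AE1B5DFFA8229B509F4C15A0F5085617F14F0C1579040
2023-06-01T10:02:40Z edr host=WS-042 parent=cmd.exe image=C:\\Users\\bob\\AppData\\Local\\Temp\\3ujwy2rz7v.exe
2023-06-01T10:02:41Z dns host=WS-042 query=dremmfyttrred.com answer=45.182.189.103
2023-06-01T10:05:00Z dns host=WS-017 query=update.microsoft.com answer=20.0.0.1
"""


def scan(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for every hit, deduplicated per line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        seen = set()
        for token in TOKEN_SPLIT.split(line.lower()):
            for kind, values in IOCS.items():
                if token in values and (kind, token) not in seen:
                    seen.add((kind, token))
                    hits.append((lineno, kind, token))
    return hits


def affected_hosts(log_text: str) -> dict[str, list[str]]:
    """Map each host (or source IP) that produced a hit to the indicators seen on its lines."""
    lines = log_text.lower().splitlines()
    out = defaultdict(set)
    for lineno, kind, ioc in scan(log_text):
        m = HOST_FIELD.search(lines[lineno - 1])
        if m:
            out[m.group(1)].add(f"{kind}:{ioc}")
    return {host: sorted(v) for host, v in out.items()}


if __name__ == "__main__":
    for lineno, kind, ioc in scan(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {ioc}")
    for host, iocs in affected_hosts(SAMPLE_LOG).items():
        print(host, "->", ", ".join(iocs))
```

On the sample above, the proxy line matches the first-stage IP and `update.exe`, the EDR lines match the filename, the SHA-256 and the second-stage executable, and the DNS line matches the C2 domain; the benign Microsoft update query produces no hit. Filename-only hits deserve the least weight (any installer may be called update.exe), the hash and the C2 domain the most. IP indicators in particular should be confirmed before blocking, since an address can belong to shared hosting or CDN infrastructure and blocking it can affect unrelated traffic.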