TrueBot downloader trojan botnet activity has increased significantly in the past month, researchers say.
What is TrueBot?
TrueBot is downloader malware: its main goal is to infect systems, collect information that helps the operators triage interesting targets, and deploy additional payloads. Once a system is infected, the malware collects information and sends it to the attacker's command and control (C2) server.
Silence Group is the threat actor to which this malware is attributed. Group-IB has linked the group with Russia's EvilCorp (Indrik Spider) because the downloaders the two groups use are similar.
The attack chain begins with a drive-by download, delivered through Chrome, of the executable 'update.exe'. The threat actors try to trick users into downloading and running this file by masquerading it as a software update.
Once executed, the file connected to 94[.]142.138.61, a Russian IP address known to be attributed to TrueBot. A second-stage executable, '3ujwy2rz7v.exe', was then downloaded and executed via cmd.exe, after which it connected to the C2 domain 'dremmfyttrred[.]com'.
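The attack chain above gives a defender four concrete indicators (the download name, the first-stage IP, the second-stage executable launched through cmd.exe, and the C2 domain). The following Python is an added example, not code from the article or from any vendor, showing how to match those indicators against logs and how to recognise when a single host shows the whole chain rather than one stray hit. The log line format, the host names and the sample lines are constructed for illustration; only the indicator values come from the article.

```python
"""Match the TrueBot indicators named in the article against sample logs.

Added example; not from the article or from any vendor tooling. The log
format and the sample lines are constructed, and the per-host chain check
(IP contact, C2 DNS lookup, second stage launched via cmd.exe) is an
assumption drawn from the attack chain the article describes.
"""
from typing import Dict, List

# Indicators exactly as the article gives them (defanged).
IOC_IPS = {"94[.]142.138.61"}
IOC_DOMAINS = {"dremmfyttrred[.]com"}
IOC_FILES = {"update.exe", "3ujwy2rz7v.exe"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('94[.]142...') into its literal form."""
    return indicator.replace("[.]", ".")


# Constructed sample log lines (assumed format): kind|host|key=value;key=value
SAMPLE_LOGS = [
    "proxy|ws-17|dst=94.142.138.61;port=443;url=/update.exe",
    "dns|ws-17|query=dremmfyttrred.com;rcode=NOERROR",
    "process|ws-17|parent=update.exe;image=cmd.exe;cmdline=cmd.exe /c 3ujwy2rz7v.exe",
    "process|ws-17|parent=cmd.exe;image=3ujwy2rz7v.exe;cmdline=3ujwy2rz7v.exe",
    "dns|ws-04|query=example.org;rcode=NOERROR",
    "process|ws-04|parent=explorer.exe;image=notepad.exe;cmdline=notepad.exe",
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into a flat record."""
    kind, host, fields = line.split("|", 2)
    rec = {"kind": kind, "host": host}
    for kv in fields.split(";"):
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def match_iocs(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that touches a listed indicator."""
    ips = {refang(i) for i in IOC_IPS}
    domains = {refang(d) for d in IOC_DOMAINS}
    hits = []
    for line in lines:
        rec = parse_line(line)
        reason = None
        if rec["kind"] == "proxy" and rec.get("dst") in ips:
            reason = f"connection to TrueBot IP {rec['dst']}"
        elif rec["kind"] == "dns" and rec.get("query", "").lower() in domains:
            reason = f"DNS lookup of C2 domain {rec['query']}"
        elif rec["kind"] == "process":
            image = rec.get("image", "").lower()
            parent = rec.get("parent", "").lower()
            flagged = image if image in IOC_FILES else parent
            if flagged in IOC_FILES:
                reason = f"process activity involving {flagged}"
        if reason:
            hits.append({"host": rec["host"], "kind": rec["kind"], "reason": reason})
    return hits


def hosts_with_chain(lines: List[str]) -> List[str]:
    """Hosts on which all three stages of the described chain are visible."""
    ips = {refang(i) for i in IOC_IPS}
    domains = {refang(d) for d in IOC_DOMAINS}
    seen: Dict[str, set] = {}
    for line in lines:
        rec = parse_line(line)
        stages = seen.setdefault(rec["host"], set())
        if rec["kind"] == "proxy" and rec.get("dst") in ips:
            stages.add("stage1_ip")
        elif rec["kind"] == "dns" and rec.get("query", "").lower() in domains:
            stages.add("c2_dns")
        elif (rec["kind"] == "process"
              and rec.get("parent", "").lower() == "cmd.exe"
              and rec.get("image", "").lower() == "3ujwy2rz7v.exe"):
            stages.add("stage2_via_cmd")
    wanted = {"stage1_ip", "c2_dns", "stage2_via_cmd"}
    return sorted(host for host, stages in seen.items() if stages == wanted)


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print(hit)
    print("full chain on:", hosts_with_chain(SAMPLE_LOGS))
```

Single indicator hits are worth triaging on their own, but `hosts_with_chain` is the signal that calls for isolating the host, because it shows the first-stage contact, the C2 resolution and the cmd.exe-launched second stage together, which is the escalation pattern the article warns about.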
“Once an organization is infected with this malware, it can quickly escalate and become a larger infection, similar to how ransomware spreads through a network,” Carlisle said.
Indicators of Compromise
- Locations: Russia, Panama