Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors

Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors

TrueBot downloader trojan botnet activity has increased significantly in the past month, researchers say.

What is TrueBot?

Truebot is a downloader malware. As such, its main goal is to infect systems, collect information to help triage interesting targets, and deploy additional payloads. Once a system is infected, the malware collects information and sends it to the attacker’s command and control (C2)

Silence Group is a threat actor group which is attributed to this malware.Group-IB has linked the group with Russia’s EvilCorp (Indrik Spider) due to the downloaders they use being similar.

The attack chain commences with a drive-by-download from Chrome for the executable ‘update.exe’. The threat actors attempt to trick users into downloading and executing the above executable masquerading it as a software update.

Once executed the above file, it connected to 94[.]142.138.61, which is a Russian IP address that is known to be attributed to TrueBot. Then a second-stage executable ‘3ujwy2rz7v.exe’ was downloaded and executed via cmd.exe, then it connected to the C2 domain ‘dremmfyttrred[.]com’.

Carlisle said. “Once an organization is infected with this malware, it can quickly escalate and become a larger infection, similar to how ransomware spreads through a network.”

Indicators of Compromise

  • 45.182.189[.]103
  • 94.142.138[.]61
  • Locations: Russia, Panama
  • Update.exe
  • Document_26_apr_2443807.exe
  • fe746402c74ac329231ae1b5dffa8229b509f4c15a0f5085617f14f0c1579040
  • 172.64.155[.]188
  • 104.18.32[.]68
  • 3ujwy2rz7v.exe

‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!