AdvisoriesCISAAA23-187AJuly 6, 2023
July 6, 2023
This joint advisory by CISA, FBI, MS-ISAC, and CCCS addresses the emergence of new Truebot malware variants targeting organizations in the US and Canada. Truebot, also known as Silence.Downloader, is a botnet used by malicious groups like CL0P Ransomware Gang to steal information from victims. Previously, Truebot was spread through phishing emails, but the newer versions exploit a vulnerability (CVE-2022-31199) in Netwrix Auditor to gain access and deploy the malware on a larger scale. Threat actors now use both phishing campaigns with malicious links and CVE-2022-31199 to distribute these new Truebot variants.
July 6, 2023
This advisory focuses on a specific vulnerability, CVE-2022-31199, which should be patched if the underlying software (Netwrix Auditor) is being used. However, the vulnerability is simply a means to deploy malware known as Truebot. What is unique about this particular malware is the approach it takes to evade endpoint defenses. Most defenses will scan new files as they appear on disk, looking for malicious signatures. Truebot attempts to exhaust the scanning process by hiding itself within a one gigabyte junk file. When it downloads to the computer, the large file size may be skipped or partially scanned by the EDR.
Be immediately notified of new advisories and associated security tests
AdvisoryCISAAA24-207AJuly 25, 2024
