‘Truebot’ Malware Exposed Security Software in Canada, U.S.


Networks based in the United States and Canada are being increasingly targeted by Truebot, a malicious botnet, according to an alert from the Canadian Centre for Cyber Security (CCCS) last week.

The advisory, dated July 6, 2023, was issued in collaboration with cybersecurity partners from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Truebot is a botnet deployed by cybercriminal groups to extract sensitive data from victims for financial gain. Initially, the malware was delivered through successful phishing campaigns targeting enterprise security software from Netwrix, software meant to protect client data. Talk about irony.

However, since May 31, 2023, a new attack vector, the remote code execution vulnerability CVE-2022-31199 found in the Netwrix Auditor application, has been exploited for initial access to deliver the Truebot malware. Netwrix is based in Frisco, Texas, and is urging all customers to upgrade their software. The company has over 13,000 organizations globally using its audit tool.

Analysts warn that cybercriminals are using a dual approach, combining traditional phishing campaigns with malicious redirect links and the exploitation of the CVE-2022-31199 vulnerability to spread new Truebot variants.

The joint advisory aims to raise awareness of the evolving Truebot threat. It contains an in-depth analysis of the malware, including indicators of compromise, the tactics, techniques, and procedures used by the threat actors, as well as detection methods and mitigation strategies.

Network administrators are encouraged to use the guidance provided in the advisory to hunt for malicious activity and reduce the likelihood and impact of future incidents. I guess it’s easy to break into the bank’s vault when you hack the security system, right?
