
CVE-2022-31199 Used in Truebot Attacks

Written by The Hivemind | Jul 14, 2023 6:36:23 PM

Related Families: Cl0p

Executive Summary

New Truebot variants have been observed on victim machines that were compromised using CVE-2022-31199. The activity is targeting entities in the US and Canada.

Key Takeaways

  • New Truebot variants have been observed on victim machines that were compromised using CVE-2022-31199.
  • The activity is targeting entities in the US and Canada.
  • The threat actors have been using CVE-2022-31199 since at least May 2023.
  • The CISA advisory recommends using known IOCs to hunt for malicious activity on potentially affected networks and applying vendor patches to prevent exploitation.

What is Truebot?

CISA director Jen Easterly recently tweeted about an onslaught of Truebot attacks leveraging CVE-2022-31199 to target entities in the US and Canada. Easterly’s tweet pointed to a joint advisory published by CISA, warning of the recent Truebot activity.

In this campaign, new Truebot variants are being deployed on victim machines that were compromised using CVE-2022-31199. CVE-2022-31199 is a critical remote code execution vulnerability in Netwrix Auditor software. The vulnerability allows threat actors to execute malicious code with SYSTEM user privileges. The threat actors have been using CVE-2022-31199 since at least May 2023.

Truebot, also known as Silence.Downloader, is a downloader associated with the Silence cybercrime group and TA505. It is often used by threat actors to steal sensitive information that can be used for extortion purposes. TA505 has been observed using Truebot in conjunction with deploying Cl0p ransomware since at least late 2022. Following the installation of Truebot, the threat actors used the FlawedGrace RAT to escalate privileges and maintain persistence. They also deployed a Cobalt Strike beacon to use for follow-on activity.

The CISA advisory recommends using known IOCs to hunt for malicious activity on potentially affected networks and applying vendor patches to prevent exploitation. They also urge those discovering evidence of this activity on their networks to report the activity to CISA or the FBI.

IOCs

PolySwarm has multiple samples of Truebot.


C042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c

Ff8c8c8bfba5f2ba2f8003255949678df209dbff95e16f2f3c338cfa0fd1b885

A8569c78af187d603eecdc5faec860458919349eef51091893b705f466340ecd

717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb


You can use the following CLI command to search for all Truebot samples in our portal:

$ polyswarm link list -f Truebot
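To act on the advisory's recommendation to hunt with known IOCs, the following added example (not PolySwarm's or CISA's code) hashes every regular file under a directory and reports any whose SHA-256 matches one of the four Truebot hashes listed in this post. Hash comparison is case-insensitive, since the page shows the first hex digit of each hash capitalized; the directory argument and the `hunt` function name are this example's own.

```python
import hashlib
import os
import sys

# The four Truebot SHA-256 IOCs from this post, normalized to lowercase.
TRUEBOT_SHA256 = {h.lower() for h in (
    "C042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c",
    "Ff8c8c8bfba5f2ba2f8003255949678df209dbff95e16f2f3c338cfa0fd1b885",
    "A8569c78af187d603eecdc5faec860458919349eef51091893b705f466340ecd",
    "717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb",
)}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt(root, iocs=TRUEBOT_SHA256):
    """Walk `root` and return {path: sha256} for every file whose hash is in `iocs`.

    Symlinks are skipped so the walk cannot loop or wander outside `root`, and
    files that cannot be read (permissions, removed mid-walk) are skipped rather
    than aborting the whole hunt. IOC case is normalized before comparison.
    """
    wanted = {h.lower() for h in iocs}
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits[path] = digest
    return hits


if __name__ == "__main__":
    # Usage: python hunt_truebot.py /path/to/scan  (defaults to the current directory)
    for path, digest in hunt(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"MATCH {digest} {path}")
```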

