Clop ransomware uses TrueBot malware to gain access to networks

Security researchers have observed a rise in devices infected with the TrueBot malware downloader, which is attributed to a Russian-speaking hacking group known as Silence.

Silence is known for large heists against financial institutions. The group has started moving away from phishing, which had been its initial compromise vector.

The threat actor is also using a new custom data exfiltration tool called Teleport. Analysis of Silence's activity over the past months showed that the group delivered Clop ransomware, which is associated with the FIN11 group.

Truebot infections

Silence hackers have placed Truebot on more than 1,500 systems around the world and used it to fetch shellcode, Cobalt Strike beacons, the Grace malware, the Teleport exfiltration tool, and Clop ransomware.

Cisco Talos researchers analysed the new campaigns and discovered multiple attack vectors that had been used since August 2022.

In one attack vector, the hackers exploited a critical vulnerability in Netwrix Auditor servers to infect systems with Truebot.

In October 2022, the gang started using the Raspberry Robin worm, which spreads via USB drives and has often delivered IcedID and Bumblebee payloads.

A Microsoft report from October linked the worm to the distribution of Clop ransomware by a threat actor Microsoft tracks as DEV-0950, whose malicious activity overlaps closely with that of FIN11.

Cisco Talos reports that the Truebot gang infected more than 1,000 hosts via Raspberry Robin. Most of these hosts were not reachable from the internet, and most were located in Mexico, Brazil and Pakistan.

In November, the hackers shifted to attacking Windows servers that exposed RDP and SMB services to the public internet. Researchers counted more than 500 infected computers, about 75% of them in the United States.

The two Truebot botnets discovered by Cisco Talos

Truebot is a first-stage module that can collect basic system information and capture screenshots. It also gathers Active Directory trust relationship information, which the threat actor can use to plan further intrusion into the environment.

The command and control (C2) server can instruct Truebot to load shellcode and DLLs into memory, run additional modules, uninstall itself, or download and execute EXE and BAT files.

Truebot functional diagram

(Cisco Talos)

Teleport Data Exfiltration Tool

In the post-compromise phase, the hackers use Truebot to drop Cobalt Strike beacons and the Grace malware (also known as FlawedGrace or GraceWire).

The intruders then deploy Teleport, which Cisco describes as a unique custom tool written in C++ that helps the hackers steal data.

Teleport's communication channel with the C2 server is encrypted. Operators can limit upload speed, filter files by size, and delete the payload, all of which minimizes the impact on victim machines and helps the activity go unnoticed.

Teleport tool modes

(Cisco Talos)

Teleport can also steal files from OneDrive folders, collect the victim's Outlook emails, and target specific file extensions.

In some cases, the attackers use Cobalt Strike to move laterally to as many systems as possible before deploying Clop ransomware.

Post-infection activity leading to Clop deployment

(Cisco Talos)

“During the exploration phase, attackers searched key server and desktop files systems and connected to SQL databases. They also collected data that was then exfiltrated via the Teleport tool to an attacker controlled server,” the Cisco Talos researchers explain.

Once enough data had been collected, the attackers created scheduled tasks to launch the Clop ransomware on many systems simultaneously and encrypt as much data as possible.
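Mass creation of the same scheduled task across many hosts in a short window is the detection opportunity in the step above. The following is an added example, not code from the article or from Cisco Talos, that hunts for that pattern in Windows Security event 4698 (scheduled task created) records. The events, host names, task names and file paths are constructed for the demonstration; the helper names (`parse_exec`, `hunt_mass_task_creation`, etc.) are hypothetical. The Task Scheduler XML namespace is the real one used in the 4698 TaskContent field.

```python
"""Hunt for mass scheduled-task creation in Windows Security event 4698 data.

Added example (not from the original article). Events below are constructed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Namespace used by Task Scheduler XML, as embedded in the 4698 TaskContent field.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a centrally deployed, legitimate task should rarely execute from.
WRITABLE_DIRS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\", "\\appdata\\")
SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs", ".js")


def _task_xml(command, arguments=""):
    """Build a minimal TaskContent body (constructed, for the sample events only)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Actions><Exec><Command>{command}</Command>"
        f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>"
    )


# Constructed 4698 events: (computer, UTC timestamp, task name, TaskContent XML).
SAMPLE_EVENTS = [
    # Same task, same script, four hosts within eight seconds: mass deployment.
    ("FS01", "2022-11-21T02:14:03", "\\SysUpdate", _task_xml("C:\\ProgramData\\upd.bat")),
    ("FS02", "2022-11-21T02:14:05", "\\SysUpdate", _task_xml("C:\\ProgramData\\upd.bat")),
    ("WS-ACCT-07", "2022-11-21T02:14:09", "\\SysUpdate", _task_xml("C:\\ProgramData\\upd.bat")),
    ("DC01", "2022-11-21T02:14:11", "\\SysUpdate", _task_xml("C:\\ProgramData\\upd.bat")),
    # Benign noise: a vendor agent registering its own task on one host.
    ("WS-HR-02", "2022-11-21T09:30:00", "\\Vendor\\AgentUpdate",
     _task_xml("C:\\Program Files\\Vendor\\agent.exe", "/update")),
    # A single user-writable script task: worth a look, but not mass deployment.
    ("WS-DEV-01", "2022-11-20T17:02:00", "\\Backup", _task_xml("C:\\Users\\dev\\backup.bat")),
]


def parse_exec(task_xml):
    """Return (command, arguments) from the Exec action of a TaskContent XML body."""
    root = ET.fromstring(task_xml)
    cmd = root.findtext(".//t:Exec/t:Command", default="", namespaces=TASK_NS)
    args = root.findtext(".//t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    return cmd.strip(), args.strip()


def task_reasons(command):
    """Per-task heuristics that apply even when only one host is affected."""
    low = command.lower()
    reasons = []
    if any(d in low for d in WRITABLE_DIRS):
        reasons.append("executes from user-writable path")
    if low.endswith(SCRIPT_EXTS):
        reasons.append("script file as task action")
    return reasons


def hunt_mass_task_creation(events, min_hosts=3, window=timedelta(minutes=10)):
    """Group 4698 events by (task name, command) and flag suspicious groups.

    A group is 'high' severity when the same task lands on at least `min_hosts`
    distinct hosts within `window`; otherwise it is 'low' if the command itself
    looks odd. Returns findings sorted with high severity first, then by host count.
    """
    groups = defaultdict(list)
    for host, ts, name, xml in events:
        cmd, _ = parse_exec(xml)
        groups[(name, cmd)].append((datetime.fromisoformat(ts), host))

    findings = []
    for (name, cmd), hits in groups.items():
        hits.sort()
        # Sliding window: the most distinct hosts seen within any `window` span.
        best = 0
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            best = max(best, len(hosts))
        reasons = task_reasons(cmd)
        if best >= min_hosts:
            reasons.insert(0, f"same task created on {best} hosts within "
                              f"{int(window.total_seconds() // 60)} min")
            severity = "high"
        elif reasons:
            severity = "low"
        else:
            continue
        findings.append({"task": name, "command": cmd, "hosts": best,
                         "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: (f["severity"] != "high", -f["hosts"]))


if __name__ == "__main__":
    for f in hunt_mass_task_creation(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["task"], f["command"], "; ".join(f["reasons"]))
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so confirm that policy is in place before relying on this hunt; the same grouping logic applies to Sysmon process-creation events for `schtasks.exe /create` if 4698 is unavailable.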

Silence gang activity

Group-IB has tracked Silence since 2016, when the hackers breached a bank but failed to take any money because of a problem with a payment order.

To learn more about how money transfers are processed, the attackers returned to the same bank and began capturing screenshots and streaming video from infected systems.

According to Group-IB, the group carried out its first successful robbery in 2017, attacking ATMs and stealing more than $100,000 in a single night.

Silence continued its attacks, stealing $4.2 million from banks across the former Soviet Union and Europe in the three years from 2016 through 2019.

Silence/Truebot activity June 2016 – July 2019

source: Group-IB

Group-IB researchers describe the Silence hackers as highly skilled: they can modify malware for their own purposes, adapt exploits used by the nation-state group Fancy Bear by altering their assembly instructions, and develop their own tools.

Initially, the attackers targeted only Russian organizations, but Silence has expanded its reach globally over the years.