TrueBot malware partners Clop with ransomware to allow access to network networks

Researchers have observed a rise in malware-infected devices with TrueBot, a Russian hacking group called Silence.

Silence is well-known for big heists on financial institutions. They have begun to move away from phishing, which was the initial vector of compromise.

Teleport is a brand new tool for data exfiltration that the threat actor uses. Analysing Silence’s actions over the last months showed that they delivered Clop ransomware who are also associated with the FIN11 group.

Falbot infections

To fetch shellcode and Cobalt Strike beacons from the globe, Silence hackers placed their malware on over 1,500 systems to retrieve the Grace malware, Cobalt Strike beacons, Cobalt Strike beacons, Cobalt Strike exfiltration tools, and Clop ransomware.

Cisco Talos researchers analysed the new campaigns and discovered multiple attack vectors that had been used since August 2022.

After exploiting the critical vulnerability of Netwrix Auditor servers, , hackers were able to infect systems with Truebot.

The gang began using USB drives in October 2022 to infect their computers with Raspberry Robin Worm. They often received IcedID and Bumblebee payloads.

Microsoft October report has found that the worm was linked to the distribution of Clop ransomware. They track the threat actor as DEV-0950. Their malicious activity overlaps closely with that of FIN11 (known for ).

Cisco Talos reports that Truebot’s gang infected more than 1000 hosts using Raspberry Robin, most of which are not available over the internet, mostly in Mexico, Brazil and Pakistan.

The hackers attacked Windows servers in November. They exposed RDP and SMB services to the public internet. Researchers found more than 500 infected computers, with 75% being from the United States.

Truebot, a module in its first stage, can gather basic information and capture screenshots. The threat actor can also use Active Directory trust relations information to infiltrate it.

Truebot can be instructed by the command and control server (C2) to load shellcode and DLLs into memory, run additional modules, uninstall itself or download EXEs and BATs.

Teleport Data Exfiltration Tool

The hackers then use Truebot to drop Cobalt Strike beacons and the Grace malware (FlawedGrace or GraceWire) in the post-compromise period. This has been .

The intruders then deploy Teleport which Cisco calls a unique custom tool in C++, that allows hackers to steal data.

Teleport’s communication with the C2 server via Teleport is protected by encryption. Operators can restrict upload speeds, limit file size, and delete payloads. This is done to minimize the impact on victim machines.

Teleport offers the ability to access OneDrive folders and collect victim’s Outlook email addresses. It also allows you to target file extensions.

Sometimes, attackers use Clop ransomware to move laterally through as many systems as they can with Cobalt Strike.

The .

Silence gang activity

Since 2016, Silence/Truebot GroupIB. The hackers robbed a bank, but they failed to take any money due to an issue with a payments order.

To learn more about the process of money transfers, the attacker targeted the exact same target and began to take screenshots and stream video from infected systems.

According to Group-IB, they committed their first successful robbery in 2017. They attacked ATMs and stole more than $100,000 that night.

They continued to attack Silence and stole $4.2 million in just three years from 2016 through 2019 from banks throughout the former Soviet Union and Europe.

Researchers at Group-IB describe Silence hackers to be highly skilled. They are able to alter malware for their purposes or to adapt the assembly instructions to exploits used by Fancy Bear, a nation-state group. These hackers are also capable of creating their own tools.

Initially, only Russian organizations were targeted by the attackers. However Silence has expanded their global reach over the years.