{
	"id": "fd5a6ada-30ba-4903-9830-ecd4f4d29955",
	"created_at": "2026-04-06T00:10:46.754445Z",
	"updated_at": "2026-04-10T03:35:29.116233Z",
	"deleted_at": null,
	"sha1_hash": "4d1e43384eb54a1c4c4e973ad2a494ea01b0c00a",
	"title": "Carbon Black’s TrueBot Detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 777127,
	"plain_text": "Carbon Black’s TrueBot Detection\r\nBy Fae Carlisle\r\nPublished: 2023-06-01 · Archived: 2026-04-05 23:44:17 UTC\r\nVMware’s Carbon Black Managed Detection and Response (MDR) team began seeing a surge of TrueBot activity in May 2023. TrueBot, otherwise known as Silence.Downloader, has been seen since at least 2017. TrueBot is under active development by Silence, with recent versions using a Netwrix vulnerability for delivery. In this article, we break down what we have seen in customers’ environments and how Carbon Black MDR detects and responds to the threat.\r\nHistory\r\nJust as its name suggests, TrueBot is a downloader trojan botnet: it uses command and control servers to collect information on compromised systems and uses each compromised system as a launching point for further attacks, as seen recently with Clop Ransomware.\r\nTrueBot was known for using malicious emails to drop its malware but was recently seen using a Netwrix vulnerability as its delivery method. VMware’s MDR team has seen this vulnerability used firsthand in customer environments, as explored below. TrueBot is also using Raspberry Robin (a worm) as a delivery vector.\r\nWhile Silence Group is known for targeting banks and financial institutions, TrueBot has also been seen targeting the education sector. In the Carbon Black Detection \u0026 Notable Attacks section, we break down the sectors that we have seen targeted from our platform.\r\nAttribution\r\nThough a threat actor group called Silence Group is attributed to this malware, Group-IB has linked the group with Russia’s EvilCorp (Indrik Spider) because the downloaders the two groups use are similar. The MDR team has explored this link and has not found substantial evidence to back this claim.\r\nResearchers thought EvilCorp to be linked to TrueBot because TrueBot drops FlawedGrace, a piece of malware that is attributed to EvilCorp. 
Though TrueBot drops this payload, the malware operators could purchase access to this tool directly from EvilCorp. Another link explored was TrueBot dropping Clop Ransomware, which was previously used by EvilCorp. However, Clop is ransomware-as-a-service, so anyone can purchase access to this tool. Lastly, Silence is a Russian-speaking cybercriminal group that uses Russian web hosting services. Though EvilCorp is also Russian, this is not strong evidence to link the two, as there are dozens of Russian-speaking threat groups. Due to these findings, we cannot say for sure whether EvilCorp and TrueBot are connected.\r\nCarbon Black Detection \u0026 Notable Attacks\r\nCarbon Black is very effective at detecting TrueBot and its associated activity. This section focuses on what Carbon Black detected and the visibility it gave into the attack process.\r\nhttps://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html\r\nPage 1 of 3\r\nFigure 1.1 Process Chain\r\nThe infection appeared to have started with a drive-by download from Chrome of the executable ‘update.exe’.\r\nFigure 1.2 Update.exe being downloaded\r\nA user had to click on this file in order to execute the malware. Upon execution, the malware immediately begins to look for EDR and antivirus software.\r\nFigure 1.3 Looking for EDR/AV\r\nOnce executed, it connected to 94.142.138[.]61, a Russian IP address that is known to be attributed to TrueBot.\r\n
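The chain described so far (a browser-dropped ‘update.exe’, a check for EDR/AV, a connection to a known TrueBot IP) and the stages that follow it are what an analyst would want to express as detection logic. The Python below is an added example for this article, not Carbon Black code or a Carbon Black query: it normalizes the indicators the article publishes (which mix defanged and plain forms), then runs an indicator match and a behavioural rule over a handful of constructed process and network events. The event schema, the field names and the sample telemetry are assumptions for illustration; the LSASS allowlist is a starting point to tune per estate.

```python
# Added example, not Carbon Black code. Event schema and sample events are constructed.
from dataclasses import dataclass

# Indicators as published in the article, copied verbatim (defanging is inconsistent).
PUBLISHED_IOCS = [
    '45.182.189[.]103',
    'Dremmfyttrred.com',
    '94.142.138[.]61',
    'Update.exe',
    'Document_26_apr_2443807.exe',
    'fe746402c74ac329231ae1b5dffa8229b509f4c15a0f5085617f14f0c1579040',
    '172.64.155[.]188',
    '104.18.32[.]68',
    '3ujwy2rz7v.exe',
]

BROWSERS = {'chrome.exe', 'msedge.exe', 'firefox.exe'}
# Processes expected to open lsass.exe on a healthy host (assumption; tune per estate).
LSASS_ALLOWLIST = {'csrss.exe', 'wininit.exe', 'services.exe', 'msmpeng.exe'}


def refang(value: str) -> str:
    '''Undo common defanging and case so published IOCs compare with raw telemetry.'''
    return value.strip().lower().replace('[.]', '.').replace('hxxp', 'http')


IOC_SET = {refang(v) for v in PUBLISHED_IOCS}


@dataclass
class Event:
    '''One EDR-style event. Field names are an assumption, not a Carbon Black schema.'''
    kind: str                 # 'process', 'netconn' or 'crossproc'
    pid: int
    image: str                # file name of the acting process
    parent_pid: int = 0
    parent_image: str = ''
    sha256: str = ''
    remote: str = ''          # IP or domain for netconn events
    target_image: str = ''    # for crossproc events (e.g. a handle opened on lsass.exe)


def ioc_hits(events):
    '''Return sorted (pid, indicator) pairs for every event touching a published IOC.'''
    hits = set()
    for e in events:
        for candidate in (e.image, e.sha256, e.remote):
            if candidate and refang(candidate) in IOC_SET:
                hits.add((e.pid, refang(candidate)))
    return sorted(hits)


def ancestors(pid, by_pid):
    '''Walk parent links from pid upward, returning the process events we know of.'''
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].parent_pid
    return chain


def behavioural_hits(events):
    '''Flag the chain the article describes without relying on the specific IOCs:
    an executable spawned by a browser, cmd.exe under that tree launching a
    further executable, and a non-allowlisted process reaching into lsass.exe.'''
    by_pid = {e.pid: e for e in events if e.kind == 'process'}
    findings = []
    for e in events:
        image, parent = e.image.lower(), e.parent_image.lower()
        if e.kind == 'process' and parent in BROWSERS and image.endswith('.exe'):
            findings.append((e.pid, 'executable spawned by browser ' + parent))
        if e.kind == 'process' and parent == 'cmd.exe' and image.endswith('.exe'):
            # Only flag when that cmd.exe itself descends from a browser-dropped executable.
            if any(a.parent_image.lower() in BROWSERS for a in ancestors(e.parent_pid, by_pid)):
                findings.append((e.pid, 'cmd.exe under browser-dropped tree launched ' + image))
        if e.kind == 'crossproc' and e.target_image.lower() == 'lsass.exe' and image not in LSASS_ALLOWLIST:
            findings.append((e.pid, 'lsass.exe access by ' + image))
    return findings


# Constructed telemetry modelled on the article's figures; not real log data.
SAMPLE_EVENTS = [
    Event('process', 4012, 'update.exe', parent_pid=3001, parent_image='chrome.exe',
          sha256='fe746402c74ac329231ae1b5dffa8229b509f4c15a0f5085617f14f0c1579040'),
    Event('netconn', 4012, 'update.exe', remote='94.142.138.61'),
    Event('process', 4100, 'cmd.exe', parent_pid=4012, parent_image='update.exe'),
    Event('process', 4155, '3ujwy2rz7v.exe', parent_pid=4100, parent_image='cmd.exe'),
    Event('netconn', 4155, '3ujwy2rz7v.exe', remote='dremmfyttrred.com'),
    Event('crossproc', 4155, '3ujwy2rz7v.exe', target_image='lsass.exe'),
    Event('netconn', 2200, 'outlook.exe', remote='outlook.office365.com'),  # benign noise
]

if __name__ == '__main__':
    for pid, indicator in ioc_hits(SAMPLE_EVENTS):
        print(f'IOC hit      pid={pid} indicator={indicator}')
    for pid, finding in behavioural_hits(SAMPLE_EVENTS):
        print(f'Behaviour    pid={pid} {finding}')
```

The indicator match catches the published artefacts only for as long as the operators keep them; the behavioural rule is what survives a change of file name, IP or domain, which is why both run side by side. The benign ‘outlook.exe’ event is included to show that neither rule fires on ordinary traffic.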
At that address, the executable ‘3ujwy2rz7v.exe’ was downloaded and then launched by cmd.exe.\r\nFigure 1.4 3ujwy2rz7v.exe activity\r\nThe executable then connected to the C2 domain ‘dremmfyttrred[.]com’.\r\nThe activity thereafter included dumps of LSASS, exfiltration of data, and system and process enumeration.\r\nManaged Detection and Response stops this activity by first detecting it and then implementing system quarantines, hash banning, policy reviews, and policy modifications. Customers are informed of the observed activity and of the actions taken by the team every step of the way.\r\nIndicators of Compromise\r\n45.182.189[.]103\r\ndremmfyttrred[.]com\r\n94.142.138[.]61\r\nLocations: Russia, Panama\r\nUpdate.exe\r\nDocument_26_apr_2443807.exe\r\nfe746402c74ac329231ae1b5dffa8229b509f4c15a0f5085617f14f0c1579040 (SHA-256)\r\n172.64.155[.]188\r\n104.18.32[.]68\r\n3ujwy2rz7v.exe\r\nSummary\r\nTrueBot can be a particularly nasty infection for any network. When an organization is infected with this malware, it can quickly escalate into a much larger infection, similar to how ransomware spreads throughout a network. Carbon Black is able to quickly detect TrueBot and its associated activity and, with the help of MDR, contain it early in the attack chain before the threat escalates.\r\nSource: https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html"
	],
	"report_names": [
		"carbon-blacks-truebot-detection.html"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e8ebcbda-e8df-4a38-a2a6-63b2608ee6f3",
			"created_at": "2023-01-06T13:46:38.88051Z",
			"updated_at": "2026-04-10T02:00:03.131218Z",
			"deleted_at": null,
			"main_name": "Silence group",
			"aliases": [
				"WHISPER SPIDER"
			],
			"source_name": "MISPGALAXY:Silence group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434246,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d1e43384eb54a1c4c4e973ad2a494ea01b0c00a.pdf",
		"text": "https://archive.orkl.eu/4d1e43384eb54a1c4c4e973ad2a494ea01b0c00a.txt",
		"img": "https://archive.orkl.eu/4d1e43384eb54a1c4c4e973ad2a494ea01b0c00a.jpg"
	}
}