{
	"id": "a42c3916-f483-410a-9b57-384439d6ce17",
	"created_at": "2026-04-06T00:13:08.153808Z",
	"updated_at": "2026-04-10T13:12:07.437959Z",
	"deleted_at": null,
	"sha1_hash": "4e9c77e4b8991049e79ba75ed041673e8503157b",
	"title": "Increased Truebot Activity Infects U.S. and Canada Based Networks | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 275376,
	"plain_text": "Increased Truebot Activity Infects U.S. and Canada Based Networks |\r\nCISA\r\nPublished: 2023-07-06 · Archived: 2026-04-05 18:30:46 UTC\r\nSUMMARY\r\nThe Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State\r\nInformation Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) are releasing this\r\njoint Cybersecurity Advisory (CSA) in response to cyber threat actors leveraging newly identified Truebot malware variants\r\nagainst organizations in the United States and Canada. As recently as May 31, 2023, the authoring organizations have\r\nobserved an increase in cyber threat actors using new malware variants of Truebot (also known as Silence.Downloader ).\r\nTruebot is a botnet that has been used by malicious cyber groups like CL0P Ransomware Gang to collect and exfiltrate\r\ninformation from its target victims.\r\nPrevious Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email\r\nattachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-\r\n31199—(a remote code execution vulnerability in the Netwrix Auditor application), enabling deployment of the malware at\r\nscale within the compromised environment. 
Based on confirmation from open-source reporting and analytical findings on Truebot variants, the authoring organizations assess that cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants.\r\nThe authoring organizations recommend hunting for the malicious activity using the guidance outlined in this CSA, as well as applying vendor patches to Netwrix Auditor (version 10.5—see Mitigations section below).[1] Any organization identifying indicators of compromise (IOCs) within its environment should urgently apply the incident response and mitigation measures detailed in this CSA and report the intrusion to CISA or the FBI.\r\nDownload the PDF version of this report:\r\nRead the associated Malware Analysis Report MAR-10445155-1.v1 Truebot Activity Infects U.S. and Canada Based Networks or download the PDF version below:\r\nFor a downloadable copy of IOCs in .xml and .json format, see:\r\nTECHNICAL DETAILS\r\nNote: This advisory uses the MITRE ATT\u0026CK® for Enterprise framework, version 13. See the MITRE ATT\u0026CK Tactics and Techniques section below for cyber threat actors’ activity mapped to MITRE ATT\u0026CK tactics and techniques.\r\nInitial Access and Execution\r\nIn recent months, open-source reporting has detailed an increase in Truebot malware infections, particularly cyber threat actors using new tactics, techniques, and procedures (TTPs) and delivery methods.[2] Based on the nature of observed Truebot operations, the primary objective of a Truebot infection is to exfiltrate sensitive data from the compromised host(s) for financial gain [TA0010].\r\nPhishing:\r\nCyber threat actors have historically used malicious phishing emails as the primary delivery method for Truebot malware, tricking recipients into clicking a hyperlink that executes the malware. 
Cyber threat actors have further been observed disguising email attachments (executables) as software update notifications [T1189] that appear to be legitimate [T1204.002], [T1566.002]. Following interaction with the executable, users are redirected to a malicious web domain where script files are then executed. Note: Truebot malware can be hidden within various legitimate file formats that are used for malicious purposes [T1036.008].[3]\r\nExploitation of CVE-2022-31199:\r\nThough phishing remains a prominent delivery method, cyber threat actors have shifted tactics, exploiting, in an observable manner, a remote code execution vulnerability (CVE-2022-31199) in Netwrix Auditor [T1190], software used for on-premises and cloud-based IT system auditing. Through exploitation of this CVE, cyber threat actors gain initial access, as well as the ability to move laterally within the compromised network [T1210].\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a\r\nPage 1 of 14\n\nFigure 1: CVE-2022-31199 Delivery Method for Truebot\r\nFollowing the successful download of the malicious file, Truebot renames itself and then loads FlawedGrace onto the host. Please see the FlawedGrace section below for more information on how this remote access tool (RAT) is used in Truebot operations.\r\nAfter deployment by Truebot, FlawedGrace is able to modify registry [T1112] and print spooler programs [T1547.012] that control the order in which documents are loaded to a print queue. FlawedGrace manipulates these features to both escalate privilege and establish persistence.\r\nDuring FlawedGrace’s execution phase, the RAT stores encrypted payloads [T1027.009] within the registry. 
The tool can create scheduled tasks and inject payloads into msiexec[.]exe and svchost[.]exe, which are command processes that enable FlawedGrace to establish a command and control (C2) connection (to 92.118.36[.]199, for example), as well as load dynamic link libraries (DLLs) [T1055.001] to accomplish privilege escalation.\r\nSeveral hours after initial access, Truebot has been observed injecting Cobalt Strike beacons into memory [T1055] in a dormant mode for the first few hours prior to initiating additional operations. Please see the Cobalt Strike section below for more information on how this remote access tool (RAT) is used in Truebot operations.\r\nDiscovery and Defense Evasion\r\nDuring the first stage of Truebot’s execution process, it checks the current version of the operating system (OS) with RtlGetVersion and the processor architecture using GetNativeSystemInfo [T1082].[4] Note: This variant of Truebot malware is designed with over one gigabyte (GB) of junk code, which functions to hinder detection and analysis efforts [T1027.001].\r\nFollowing the initial checks for system information, Truebot has the capability to enumerate all running processes [T1057], collect sensitive local host data [T1005], and send this data to an encoded data string described below for second-stage execution. 
Based on IOCs in Table 1, Truebot also has the ability to discover software security protocols and system time metrics, which aids in defense evasion and enables synchronization with the compromised system’s internal clock to facilitate scheduling tasks [T1518.001][T1124].\r\nNext, it uses a .JSONIP extension (e.g., IgtyXEQuCEvAM.JSONIP) to create a thirteen character globally unique identifier (GUID)—a 128-bit text string that Truebot uses to label and organize the data it collects [T1036].\r\nAfter creating the GUID, Truebot compiles and enumerates running process data into either a base64 or unique hexadecimal encoded string [T1027.001]. Truebot’s main goal is identifying the presence of security debugger tools. However, the presence of identified debugger tools does not change Truebot’s execution process—the data is compiled into a base64 encoded string for tracking and defense evasion purposes [T1082][T1622].\r\nData Collection and Exfiltration\r\nFollowing Truebot’s enumeration of running processes and tools, the affected system’s computer and domain name [T1082][T1016], along with the newly generated GUID, are sent to a hard-coded URL in a POST request (as observed in the user-agent string). Note: A user-agent string is a customized HTTP request header field that includes specific device information required for interaction with web content. In this instance, cyber threat actors can redirect victims to malicious domains and further establish a C2 connection.\r\nThe POST request functions as a means of establishing a C2 connection for bi-lateral communication. With this established connection, Truebot uses a second obfuscated domain to receive additional payloads [T1105], self-replicate across the environment [T1570], and/or delete files used in its operations [T1070.004]. 
Truebot malware has the capability to download additional malicious modules [T1105], load shellcode [T1620], and deploy various tools to stealthily navigate an infected network.\r\nAssociated Delivery Vectors and Tools\r\nTruebot has been observed in association with the following delivery vectors and tools:\r\nRaspberry Robin (Malware)\r\nRaspberry Robin is a wormable malware with links to other malware families and various infection methods, including installation via USB drive [T1091].[5] Raspberry Robin has evolved into one of the largest malware distribution platforms and has been observed deploying Truebot, as well as other post-compromise payloads such as IcedID and Bumblebee malware.[6] With the recent shift in Truebot delivery methods from malicious emails to the exploitation of CVE-2022-31199, a large number of Raspberry Robin infections have leveraged this exploitable CVE.[2]\r\nFlawedGrace (Malware)\r\nFlawedGrace is a remote access tool (RAT) that can receive incoming commands [T1059] from a C2 server sent over a custom binary protocol [T1095] using port 443 to deploy additional tools [T1105].[7] Truebot malware has been observed leveraging (and dropping) FlawedGrace via phishing campaigns as an additional payload [T1566.002].[8] Note: FlawedGrace is typically deployed minutes after Truebot malware is executed.\r\nCobalt Strike (Tool)\r\nCobalt Strike is a popular remote access tool (RAT) that cyber threat actors have leveraged—in an observable manner—for a variety of post-exploitation purposes. 
Typically a few hours after Truebot’s execution phase, cyber threat actors have been observed deploying additional payloads containing Cobalt Strike beacons for persistence and data exfiltration purposes [T1059].[2] Cyber threat actors use Cobalt Strike to move laterally via remote service session hijacking [T1563.001][T1563.002], collect valid credentials through LSASS memory credential dumping, or create local admin accounts to achieve pass-the-hash alternate authentication [T1003.001][T1550.002].\r\nTeleport (Tool)\r\nCyber threat actors have been observed using a custom data exfiltration tool, which Talos has named “Teleport.”[2] Teleport is known to evade detection during data exfiltration by using an encryption key hardcoded in the binary and a custom communication protocol [T1095] that encrypts data using the Advanced Encryption Standard (AES) and a hardcoded key [T1048][T1573.002]. Furthermore, to maintain its stealth, Teleport limits the data it collects and syncs with outbound organizational data/network traffic [T1029][T1030].\r\nTruebot Malware Indicators of Compromise (IOCs)\r\nTruebot IOCs from May 31, 2023, contain IOCs from cyber threat actors conducting Truebot malspam campaigns. The information is derived from a trusted third party, which observed cyber threat actors from 193.3.19[.]173 (Russia) using a compromised local account to conduct phishing campaigns on May 23, 2023, and spread malware through https[:]//snowboardspecs[.]com/nae9v, which then promptly redirects the user to https://www.meditimespharma[.]com/gfghthq/, which a trusted third party has linked to other trending Truebot activity. After redirecting to https://www.meditimespharma[.]com/gfghthq/, trusted third parties have observed the cyber threat actors using Truebot to pivot to https://corporacionhardsoft[.]com/images/2/Document_16654.exe, which is a domain associated with snowboardspecs[.]com. 
This malicious domain has been linked to UNC4509, a threat cluster known to use traffic distribution systems (TDS) to redirect users to either a benign or a malicious website to facilitate its malicious phishing campaigns in May 2023.\r\nAccording to trusted third parties, the file with MD5 hash 6164e9d297d29aa8682971259da06848 is downloaded from https://corporacionhardsoft.com/images/2/Document_16654[.]exe, has been flagged by numerous security vendors, and is linked to UNC4509 Truebot campaigns. Note: These IOCs are associated with Truebot campaigns used by Graceful Spider to deliver FlawedGrace and LummaStealer payloads in May of 2023.\r\nAfter Truebot is downloaded, the malware copies itself to C:\\Intel\\RuntimeBroker.exe and—based on trusted third party analysis—links to https://essadonio.com/538332[.]php (which is linked to 45.182.189[.]71 (Panama) and is associated with other trending Truebot malware campaigns from May 2023).\r\nPlease reference Table 1 for the IOCs described in the paragraphs above.\r\nTable 1: Truebot IOCs from May of 2023\r\nIndicator Type | Indicator | Source\r\nRegistrant | GKG[.]NET Domain Proxy Service Administrator | Trusted Third Party\r\nCompromised Account | Created: 2022-04-10 | Trusted Third Party\r\nMalicious account | Created: 1999-11-09 | Trusted Third Party\r\nIP | 193.3.19[.]173 (Russia) | Trusted Third Party\r\nURL | https://snowboardspecs[.]com/nae9v | Trusted Third Party\r\nDomain | https://corporacionhardsoft[.]com/images/2/Document_16654.exe | Trusted Third Party\r\nFile | Document_16654[.]exe | Trusted Third Party\r\nMD5 Hash | 6164e9d297d29aa8682971259da06848 | Trusted Third Party\r\nFile | Document_may_24_16654[.]exe | Trusted Third Party\r\nFile | C:\\Intel\\RuntimeBroker[.]exe | Trusted Third Party\r\nURL | https://essadonio.com/538332[.]php | Trusted Third Party\r\nIP | 45.182.189[.]71 (Panama) | Trusted Third Party\r\nAccount Created | 2023-05-18 | Trusted Third Party\r\nTable 2: Truebot malware IOCs from May of 2023 (file names, domains, URLs, IPv4 addresses, and MD5/SHA256 hashes; source: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/)\r\nTable 3: Truebot IOCs from May 2023 (Malicious Domains, and Associated IP addresses and URLs)\r\nTable 4: Truebot IOCs from May 2023 Continued (Malicious Domains and Associated Hashes)\r\nTable 5: Truebot IOCs Connected to Russia, and Panama Locations\r\nMITRE ATT\u0026CK TACTICS AND TECHNIQUES\r\nSee Tables 6-16 for all referenced cyber threat actor tactics and techniques for enterprise environments in this advisory. 
For assistance with mapping malicious cyber activity to the MITRE ATT\u0026CK framework, see CISA and MITRE ATT\u0026CK’s Best Practices for MITRE ATT\u0026CK Mapping and CISA’s Decider Tool.\r\nTable 6: Initial Access\r\nTechnique Title | ID | Use\r\nReplication Through Removable Media | T1091 | Cyber threat actors use removable media drives to deploy Raspberry Robin malware.\r\nDrive-by Compromise | T1189 | Cyber threat actors embed malicious links or attachments within web domains to gain initial access.\r\nExploit Public-Facing Application | T1190 | Cyber threat actors are exploiting Netwrix vulnerability CVE-2022-31199 for initial access with follow-on capabilities of lateral movement through remote code execution.\r\nPhishing | T1566.002 | Truebot actors can send spear phishing links to gain initial access.\r\nTable 7: Execution\r\nTechnique Title | ID | Use\r\nCommand and Scripting Interpreter | T1059 | Cyber threat actors have been observed dropping Cobalt Strike beacons as a reverse shell proxy to create persistence within the compromised network. Cyber threat actors use FlawedGrace to receive PowerShell commands over a C2 channel to deploy additional tools.\r\nShared Modules | T1129 | Cyber threat actors can deploy malicious payloads through obfuscated shared modules.\r\nUser Execution: Malicious Link | T1204.001 | Cyber threat actors trick users into clicking a link by making them believe they need to perform a Google Chrome software update.\r\nTable 8: Persistence\r\nTechnique Title | ID | Use\r\nHijack Execution Flow: DLL Side-Loading | T1574.002 | Cyber threat actors use Raspberry Robin, among other toolsets, to side-load DLLs to maintain persistence.\r\nTable 9: Privilege Escalation\r\nTechnique Title | ID | Use\r\nBoot or Logon Autostart Execution: Print Processors | T1547.012 | FlawedGrace malware manipulates print spooler functions to achieve privilege escalation.\r\nTable 10: Defense Evasion\r\nTechnique Title | ID | Use\r\nObfuscated Files or Information | T1027 | Truebot uses a .JSONIP extension (e.g., IgtyXEQuCEvAM.JSONIP) to create a GUID.\r\nObfuscated Files or Information: Binary Padding | T1027.001 | Cyber threat actors embed around one gigabyte of junk code within the malware string to evade detection protocols.\r\nMasquerading: Masquerade File Type | T1036.008 | Cyber threat actors hide Truebot malware as legitimate-appearing file formats.\r\nProcess Injection | T1055 | Truebot malware has the ability to load shellcode after establishing a C2 connection.\r\nIndicator Removal: File Deletion | T1070.004 | Truebot malware implements self-deletion TTPs throughout its attack cycle to evade detection. The Teleport exfiltration tool deletes itself after it has completed exfiltrating data to the C2 station.\r\nModify Registry | T1112 | FlawedGrace is able to modify registry programs that control the order in which documents are loaded to a print queue.\r\nReflective Code Loading | T1620 | Truebot malware has the capability to load shellcode and deploy various tools to stealthily navigate an infected network.\r\nTable 11: Credential Access\r\nTechnique Title | ID | Use\r\nOS Credential Dumping: LSASS Memory | T1003.001 | Cyber threat actors use Cobalt Strike to gain valid credentials through LSASS memory dumping.\r\nTable 12: Discovery\r\nTechnique Title | ID | Use\r\nSystem Network Configuration Discovery | T1016 | Truebot malware scans and enumerates the affected system’s domain names.\r\nProcess Discovery | T1057 | Truebot malware enumerates all running processes on the local host.\r\nSystem Information Discovery | T1082 | Truebot malware scans and enumerates the OS version information and processor architecture. Truebot malware enumerates the affected system’s computer names.\r\nSystem Time Discovery | T1124 | Truebot has the ability to discover system time metrics, which enables synchronization with the compromised system’s internal clock to facilitate scheduling tasks.\r\nSoftware Discovery: Security Software Discovery | T1518.001 | Truebot has the ability to discover software security protocols, which aids in defense evasion.\r\nDebugger Evasion | T1622 | Truebot malware scans the compromised environment for debugger tools and enumerates them in an effort to evade network defenses.\r\nTable 13: Lateral Movement\r\nTechnique Title | ID | Use\r\nExploitation of Remote Services | T1210 | Cyber threat actors exploit the CVE-2022-31199 Netwrix Auditor vulnerability and use its capabilities to move laterally within a compromised network.\r\nUse Alternate Authentication Material: Pass the Hash | T1550.002 | Cyber threat actors use Cobalt Strike to authenticate valid accounts.\r\nRemote Service Session Hijacking | T1563.001 | Cyber threat actors use Cobalt Strike to hijack remote sessions using SSH and RDP hijacking methods.\r\nRemote Service Session Hijacking: RDP Hijacking | T1563.002 | Cyber threat actors use Cobalt Strike to hijack remote sessions using SSH and RDP hijacking methods.\r\nLateral Tool Transfer | T1570 | Cyber threat actors deploy additional payloads to transfer toolsets and move laterally.\r\nTable 14: Collection\r\nTechnique Title | ID | Use\r\nData from Local System | T1005 | Truebot malware checks the current version of the OS and the processor architecture and compiles the information it receives. Truebot gathers and compiles the compromised system’s host and domain names.\r\nScreen Capture | T1113 | Truebot malware takes snapshots of local host data, specifically processor architecture data, and sends that to a phase 2 encoded data string.\r\nTable 15: Command and Control\r\nTechnique Title | ID | Use\r\nApplication Layer Protocol | T1071 | Cyber threat actors use the Teleport exfiltration tool to blend exfiltrated data with network traffic.\r\nNon-Application Protocol | T1095 | Cyber threat actors use Teleport and FlawedGrace to send data over a custom communication protocol.\r\nIngress Transfer Tool | T1105 | Cyber threat actors deploy various ingress transfer tool payloads to move laterally and establish C2 connections.\r\nEncrypted Channel: Asymmetric Cryptography | T1573.002 | Cyber threat actors use Teleport to create an encrypted channel using AES.\r\nTable 16: Exfiltration\r\nTechnique Title | ID | Use\r\nScheduled Transfer | T1029 | Teleport limits the data it collects and syncs with outbound organizational data/network traffic.\r\nData Transfer Size Limits | T1030 | Teleport limits the data it collects and syncs with outbound organizational data/network traffic.\r\nExfiltration Over C2 Channel | T1048 | Cyber threat actors blend exfiltrated data with network traffic to evade detection. Cyber threat actors use the Teleport tool to exfiltrate data over a C2 protocol.\r\nDETECTION METHODS\r\nCISA and the authoring organizations recommend that organizations review and implement the following detection signatures, along with Win/malicious_confidence100% (W), Trojan:Win32/Tnega!MSR, and Trojan.Agent.Truebot.Gen, as well as the YARA rules below, to help detect Truebot malware.\r\nDetection Signatures\r\nFigure 2: Snort Signature to Detect Truebot Malware\r\nalert tcp any any -\u003e any any (msg:\"TRUEBOT: Client HTTP Header\"; sid:x; rev:1; flow:established,to_server; content:\"Mozilla/112.0 (compatible|3b 20 4d 53 49 45 20 31 31 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 30 29|\"; http_header; nocase; classtype:http-header; metadata:service http;)\r\nThe hex bytes between the pipes decode to \"; MSIE 11.0; Windows NT 10.00)\", so the rule matches the full user-agent string \"Mozilla/112.0 (compatible; MSIE 11.0; Windows NT 10.00)\" in client request headers.\r\nYARA Rules\r\nCISA developed the following YARA rule to aid in detecting the presence of Truebot 
malware.\r\nFigure 3: YARA Rule for Detecting Truebot Malware\r\nrule CISA_10445155_01 : TRUEBOT downloader\r\n{\r\n    meta:\r\n        Author = \"CISA Code \u0026 Media Analysis\"\r\n        Incident = \"10445155\"\r\n        Date = \"2023-05-17\"\r\n        Last_Modified = \"20230523_1500\"\r\n        Actor = \"n/a\"\r\n        Family = \"TRUEBOT\"\r\n        Capabilities = \"n/a\"\r\n        Malware_Type = \"downloader\"\r\n        Tool_Type = \"n/a\"\r\n        Description = \"Detects TRUEBOT downloader samples\"\r\n        SHA256 = \"7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7\"\r\n    strings:\r\n        // ASCII: dremmfyttrred.com\r\n        $s1 = { 64 72 65 6d 6d 66 79 74 74 72 72 65 64 2e 63 6f 6d }\r\n        // ASCII: Nsu2OdiwodOs2\r\n        $s2 = { 4e 73 75 32 4f 64 69 77 6f 64 4f 73 32 }\r\n        // ASCII: YiPumybosaWiWexy\r\n        $s3 = { 59 69 50 75 6d 79 62 6f 73 61 57 69 57 65 78 79 }\r\n        // ASCII: repots_error.txt\r\n        $s4 = { 72 65 70 6f 74 73 5f 65 72 72 6f 72 2e 74 78 74 }\r\n        // ASCII: Lkjdslfj32oijrfewgw.mp4\r\n        $s5 = { 4c 6b 6a 64 73 6c 66 6a 33 32 6f 69 6a 72 66 65 77 67 77 2e 6d 70 34 }\r\n        // UTF-16LE: Trigger12 (pattern ends on the first byte of the final character)\r\n        $s6 = { 54 00 72 00 69 00 67 00 67 00 65 00 72 00 31 00 32 }\r\n        // UTF-16LE: TUrfWesTifsf (pattern ends on the first byte of the final character)\r\n        $s7 = { 54 00 55 00 72 00 66 00 57 00 65 00 73 00 54 00 69 00 66 00 73 00 66 }\r\n    condition:\r\n        5 of them\r\n}\r\nAdditional YARA rules for detecting Truebot malware can be referenced from GitHub.[9 ]\r\nINCIDENT RESPONSE\r\nThe following steps are recommended if organizations detect a Truebot malware infection and compromise:\r\n1. Quarantine or take offline potentially affected hosts.\r\n2. Collect and review artifacts such as running processes/services, unusual authentications, and recent network\r\nconnections.\r\n3. Provision new account credentials.\r\n4. Reimage compromised hosts.\r\n5. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 1-844-Say-CISA) or\r\ncontact your local FBI field office. 
State, local, tribal, or territorial government entities can also report to MS-ISAC\r\n(SOC@cisecurity.org or 866-787-4722).\r\nMITIGATIONS\r\nCISA and the authoring organizations recommend organizations implement the below mitigations, including mandating\r\nphishing-resistant multifactor authentication (MFA) for all staff and services.\r\nFor additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by\r\nCISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices\r\nthat can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a\r\nsubset of best practices, CISA and co-sealers recommend software manufacturers implement a comprehensive information\r\nsecurity program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).\r\nApply patches to CVE-2022-31199\r\nUpdate Netwrix Auditor to version 10.5\r\nNetwrix recommends using their Auditor application only on internally facing networks. System owners that don't follow\r\nthis recommendation, and use the application in externally facing instances, are at increased risk of having CVE-2022-31199\r\nexploited on their systems.\r\nReduce the threat of malicious actors using remote access tools by:\r\nImplementing application controls to manage and control execution of software, including allowlisting remote\r\naccess programs.\r\nApplication controls should prevent installation and execution of portable versions of unauthorized remote\r\naccess and other software. A properly configured application allowlisting solution will block any unlisted\r\napplication execution. 
Allowlisting is important because antivirus solutions may fail to detect the execution of\r\nmalicious portable executables when the files use any combination of compression, encryption, or\r\nobfuscation.\r\nSee the National Security Agency’s Cybersecurity Information sheet, Enforce Signed Software Execution Policies, and\r\nadditional guidance below:\r\nStrictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best\r\npractices, for example [CPG 2.W]:\r\nAudit the network for systems using RDP.\r\nClose unused RDP ports.\r\nEnforce account lockouts after a specified number of attempts.\r\nApply phishing-resistant multifactor authentication (MFA).\r\nLog RDP login attempts.\r\nDisable command-line and scripting activities and permissions [CPG 2.N].\r\nRestrict the use of PowerShell by using Group Policy, and only grant to specific users on a case-by-case basis.\r\nTypically, only those users or administrators who manage the network or Windows operating systems (OSs) should\r\nbe permitted to use PowerShell [CPG 2.E].\r\nUpdate Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell\r\nversions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail\r\nto aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T].\r\nEnable enhanced PowerShell logging [CPG 2.T, 2.U].\r\nPowerShell logs contain valuable data, including historical OS and registry interaction and possible IOCs of a\r\ncyber threat actor’s PowerShell use.\r\nEnsure PowerShell instances, using the latest version, have module, script block, and transcription logging\r\nenabled (enhanced logging).\r\nThe two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell\r\nOperational Log. The authoring organizations recommend turning on these two Windows Event Logs with a\r\nretention period of at least 180 days. 
These logs should be checked on a regular basis to confirm whether the\r\nlog data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as\r\nlarge as possible.\r\nConfigure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations\r\nrequiring administrator privileges to reduce the risk of lateral movement by PsExec.\r\nReview domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts\r\n[CPG 4.C].\r\nAudit user accounts with administrative privileges and configure access controls according to the principle of least\r\nprivilege (PoLP) [CPG 2.E].\r\nReduce the threat of credential compromise via the following:\r\nPlace domain admin accounts in the Protected Users group to prevent caching of password hashes locally.\r\nImplement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows\r\nDefender Credential Guard for more information). For Windows Server 2012 R2, enable Protected Process\r\nLight for Local Security Authority (LSA).\r\nRefrain from storing plaintext credentials in scripts.\r\nImplement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E]. For example, the\r\nJust-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the\r\nprinciple of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in\r\nplace to automatically disable admin accounts at the Active Directory (AD) level when the account is not in direct\r\nneed. 
Individual users may submit their requests through an automated process that grants them access to a specified\r\nsystem for a set timeframe when they need to support the completion of a certain task.\r\nIn addition, CISA, FBI, MS-ISAC, and CCCS recommend network defenders apply the following mitigations to limit\r\npotential adversarial use of common system and network discovery techniques and to reduce the impact and risk of\r\ncompromise by ransomware or data extortion actors:\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nImplement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a\r\nphysically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).\r\nMaintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By\r\ninstituting this practice, an organization minimizes the impact of disruption to business practices as they can retrieve\r\ntheir data [CPG 2.R].\r\nRequire all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to\r\ncomply with National Institute of Standards and Technology (NIST) standards for developing and managing\r\npassword policies.\r\nUse longer passwords consisting of at least 15 characters [CPG 2.B].\r\nStore passwords in hashed format using industry-recognized password managers.\r\nAdd password user “salts” to shared login credentials.\r\nAvoid reusing passwords [CPG 2.C].\r\nImplement multiple failed login attempt account lockouts [CPG 2.G].\r\nDisable password “hints.”\r\nRefrain from requiring password changes more frequently than once per year.\r\nNote: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password\r\nresets. 
Frequent password resets are more likely to result in users developing password “patterns” cyber\r\ncriminals can easily decipher.\r\nRequire administrator credentials to install software.\r\nRequire phishing-resistant multifactor authentication for all services to the extent possible, particularly for\r\nwebmail, virtual private networks, and accounts that access critical systems [CPG 2.H].\r\nKeep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and\r\ncost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should\r\npatch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching\r\nknown exploited vulnerabilities in internet-facing systems [CPG 1.E].\r\nSegment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of\r\nransomware by controlling traffic flows between, and access to, various subnetworks, restricting further lateral\r\nmovement [CPG 2.F].\r\nIdentify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a\r\nnetwork monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network\r\ntraffic, including lateral movement activity on a network. 
Endpoint detection and response (EDR) tools are\r\nparticularly useful for detecting lateral connections, as they have insight into common and uncommon network\r\nconnections for each host [CPG 3.A].\r\nInstall, regularly update, and enable real-time detection for antivirus software on all hosts.\r\nDisable unused ports [CPG 2.V].\r\nConsider adding an email banner to emails received from outside your organization [CPG 2.M].\r\nEnsure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire\r\norganization’s data infrastructure [CPG 2.K, 2.L, 2.R].\r\nVALIDATE SECURITY CONTROLS\r\nIn addition to applying mitigations, CISA recommends exercising, testing, and validating your organization's security\r\nprogram against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise framework in this advisory. CISA\r\nrecommends testing your existing security controls inventory to assess how they perform against the ATT\u0026CK techniques\r\ndescribed in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Tables 5-13).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. Tune your security program, including people, processes, and technologies, based on the data generated by this\r\nprocess.\r\nCISA recommends continually testing your security program, at scale, in a production environment to ensure optimal\r\nperformance against the MITRE ATT\u0026CK techniques identified in this advisory.\r\nRESOURCES\r\nNIST: NVD - CVE-2022-31199\r\nStopransomware.gov (A whole-of-government approach with one central location for U.S. 
ransomware resources and\r\nalerts.)\r\n#StopRansomware Guide\r\nCISA: Implement Phishing-Resistant MFA\r\nCISA: Guide to Securing Remote Access Software\r\nCISA and MS-ISAC: Joint Ransomware Guide\r\nCISA: Cross-Sector Cybersecurity Performance Goals\r\nCL0P Ransomware Uses Truebot Malware for Access to Networks\r\nField Offices – FBI\r\nNSA – Zero Trust Security Model\r\nREFERENCES\r\n[1] Bishop Fox: Netwrix Auditor Advisory\r\n[2] Talos Intelligence: Breaking the Silence - Recent Truebot Activity\r\n[3] The DFIR Report: Truebot Deploys Cobalt Strike and FlawedGrace\r\n[4] MAR-10445155-1.v1 .CLEAR Truebot Activity Infects U.S. and Canada Based Networks\r\n[5] Red Canary: Raspberry Robin Delivery Vector\r\n[6] Microsoft: Raspberry Robin Worm Part of a Larger Ecosystem Pre-Ransomware Activity\r\n[7] Telsy: FlawedGrace RAT\r\n[8] VMware Security Blog: Carbon Black’s Truebot Detection\r\n[9] GitHub: DFIR Report - Truebot Malware YARA Rule\r\nAdditional Sources\r\nAlarming Surge in TrueBot Activity Revealed with New Delivery Vectors (thehackernews.com)\r\nTruebot Analysis Part 1\r\nTruebot Analysis Part 2\r\nTruebot Analysis Part 3\r\nTruebot Exploits Netwrix Vulnerability\r\nTrueBot malware delivery evolves, now infects businesses in the US and elsewhere \r\nMalpedia-Silence Downloader\r\nPrinter spooling: what is it and how to fix it? | PaperCut\r\nACKNOWLEDGEMENTS\r\nVMware Carbon Black and Mandiant contributed to this CSA.\r\nDISCLAIMER\r\nThe information in this report is being provided “as is” for informational purposes only. CISA and authoring agencies do not\r\nendorse any commercial product or service, including any subjects of analysis. 
Any reference to specific commercial\r\nproducts, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply\r\nendorsement, recommendation, or favoring by CISA and co-sealers.\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a"
	],
	"report_names": [
		"aa23-187a"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434388,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e9c77e4b8991049e79ba75ed041673e8503157b.pdf",
		"text": "https://archive.orkl.eu/4e9c77e4b8991049e79ba75ed041673e8503157b.txt",
		"img": "https://archive.orkl.eu/4e9c77e4b8991049e79ba75ed041673e8503157b.jpg"
	}
}