Thursday, January 23, 2025

Hackers Exploit Netwrix Auditor RCE Flaw in Truebot Malware Attack


A newly discovered Truebot malware variant targets organizations in the US and Canada to exfiltrate sensitive information, exploiting a vulnerability in the Netwrix Auditor application (CVE-2022-31199).

Truebot is botnet malware that is delivered through phishing campaigns to attack victims; the new variant also exploits this vulnerability to gain access to the machine.

CISA and the FBI have jointly issued a warning about the increased activity of this new malware variant.

Truebot Malware Attack:

Increased Truebot activity has been observed since May 31, 2023, and it is presumed to be used by the CL0P ransomware gang.

The payload is delivered either through phishing attempts or by exploiting the vulnerability.

The payload was concealed as a legitimate software update notification and delivered through email to trick users into executing it.

Once the user runs the fake update, they are redirected to a malicious domain, and script files are executed to collect information.

Exploit:

Netwrix Auditor is software used for auditing on-premises and cloud-based IT systems. Attackers use the remote code execution vulnerability (CVE-2022-31199) in this software for lateral movement.

The malware employs various tools and techniques to achieve persistence. Initially, it loads FlawedGrace, a remote access tool, to store payloads and inject additional payloads via scheduled tasks, establishing the connection to the C2 server.

Later, it loads Cobalt Strike beacons into memory in a dormant mode for further operations.

Through POST requests, it establishes two-way communication with the C2 server, downloads additional payloads, and self-replicates across the environment.

The best mitigation for this attack is to patch the vulnerability and keep the applications and software in use up to date, and to apply controls that prevent remote execution attempts.

Indicators of Compromise:

