A newly found Truebot Malware targets both US and Canada-based organizations to exfiltrate sensitive information by exploiting vulnerabilities in the Netwrix Auditor application(CVE-2022-31199).
Truebot malware is a botnet that is delivered through phishing campaigns to attack victims, now exploiting the vulnerability to gain access to the machine.
CISA and FBI jointly issue warnings about the increased activity of this new malware variant.
Increased activity of truebot has been observed since May 31, 2023, and it is presumed to be used by CL0P Ransomware Gang.
The delivery of the payload is achieved either through phishing attempts or through exploiting the vulnerability.
The payload has been concealed as a legitimate software update notification and was delivered through emails to trick the users into executing.
Once the user executes the email, it redirects to a malicious domain, and script files will be executed to collect the information.
Netwrix Auditor is software used for on-premises and cloud-based IT system auditing. Attackers utilize the remote code execution vulnerability (CVE-2022-31199) in this software for lateral movement.
It employs various tools and techniques to achieve persistence; initially, it loads Flawed Grace, a remote access tool to store payloads and inject additional payloads on scheduled tasks to establish the connection to the C2 server.
Later it uploads Cobalt Strike beacons into memory in dormant mode for further operations.
Through POST requests, it establishes bilateral communication with the C2 server, which downloads additional payloads and self-replicates across the environment.
The best practice to mitigate this attack is to patch the vulnerability and update the applications and software used. And apply controls to prevent remote execution attempts.
| MD5 Hash | F33734DFBBFF29F68BCDE052E523C287 |
| MD5 Hash | F176BA63B4D68E576B5BA345BEC2C7B7 |
| MD5 Hash | F14F2862EE2DF5D0F63A88B60C8EEE56 |
| MD5 Hash | 6164e9d297d29aa8682971259da06848 |
| SHA256 | 121A1F64FFF22C4BFCEF3F11A23956ED403CDEB9BDB803F9C42763087BD6D94E |
| MD5 | 72A589DA586844D7F0818CE684948EEA |
| SHA256 | 717BEEDCD2431785A0F59D194E47970E9544FBF398D462A305F6AD9A1B1100CB |
| SHA256 | C92C158D7C37FEA795114FA6491FE5F145AD2F8C08776B18AE79DB811E8E36A3 |
“AI-based email security measures Protect your business From Email Threats!” – .
Threat actors are increasingly leveraging Google Forms, the tech giant’s widely-used form and quiz-building tool,…
Lattica, an FHE-based platform enabling secure and private use of AI in the cloud, has…
A critical vulnerability (CVE-2025-0618) in FireEye’s Endpoint Detection and Response (EDR) agent has been disclosed,…
A recently uncovered malware campaign targeting Docker, one of the most frequently attacked services according…
Researchers have disclosed a series of alarming vulnerabilities in popular browser-based cryptocurrency wallets that could…
Researchers have uncovered early indicators of malicious infrastructure linked to APT34, also known as OilRig,…
![](data:image/svg+xml;charset=utf-8,<svg height="400px" width="600px" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
.jpeg?w=1024&resize=1024,682&ssl=1)
