New Case Study: Threat Hunter finds renamed system utilities by file hash to uncover multiple attacks   

Read Case Study


Clop Ransomware Uses TrueBot Malware for Access to Networks

December 12, 2022

Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence. The Silence group is known for its big heists against financial institutions and has begun to shift from phishing as an initial compromise vector. The threat actor is also using a new custom data exfiltration tool called Teleport. Analysis of Silence’s attacks over the past months revealed that the gang delivered Clop ransomware typically deployed by TA505 hackers, which are associated with the FIN11 group. TrueBot is a first-stage module that can collect basic information and take screenshots. It also exfiltrates Active Directory trust relations information that helps the threat actor plan post-infection activity. In the post-compromise phase, the hackers use TrueBot to drop Cobalt Strike beacons or the Grace malware (FlawedGrace, GraceWire), which has been attributed to the TA505 cybercriminal group. After that, the intruders deploy Teleport, which Cisco describes as a novel custom tool built in C++ that helps hackers steal data stealthily. Group-IB researchers describe Silence hackers as highly skilled, being able to reverse engineer malware to modify it for their purpose or adapt at the assembler instructions level an exploit used by nation-state group Fancy Bear. They are also able to develop their own tools.

Analyst Notes

Organizations should also initiate proactive measures to ensure they are protected from ransomware. To protect against ransomware attacks, organizations should:
• Regularly back up data, air gap, and password protect backup copies offline.
• Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
• Implement network segmentation.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location
• monitoring of security events on employee workstations and servers, with a 24/7 Security Operations Center to detect threats and respond quickly.
• Use multifactor authentication where possible.
• Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes.
• Avoid reusing passwords for multiple accounts.
• Focus on cyber security awareness and training.
• Regularly provide users with training on information security principles and techniques