CISA and the FBI today warned against new Truebot malware variants deployed to compromised networks using a critical Remote Code Execution (RCE) vulnerability in Netwrix Auditor software in attacks targeting organizations in the United States and Canada.
The bug (tracked as CVE-2022-31199) affects the Netwrix Auditor server and agents installed on monitored network systems and allows unauthorized attackers to execute malicious code with the privileges of the SYSTEM user.
Truebot is a malware downloader linked to the Russian-speaking cybercriminal group Silence and used by the TA505 hackers (associated with the FIN11 group) to deploy Clop ransomware on compromised networks since December 2022.
After installing Truebot on hacked networks, the attackers install the FlawedGrace Remote Access Trojan (RAT), also linked to TA505, which allows them to elevate privileges and establish persistence on the compromised systems.
A few hours after the initial breach, they also deploy Cobalt Strike beacons, which can then be used for various post-exploitation tasks, including data theft and dropping other malware payloads such as ransomware.
“Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions also allow cyber threat actors to gain initial access by exploiting CVE-2022-31199,” the two federal agencies said in a joint report with MS-ISAC and the Canadian Centre for Cyber Security.
“As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new variants of Truebot malware and to collect and exfiltrate information against organizations in the United States and Canada.”
Based on the nature of Truebot operations observed so far, the primary objective of the threat actors behind Truebot is to steal sensitive information from compromised systems for financial gain.
Security teams are advised to look for signs of malicious activity indicating a Truebot infection using the guidelines shared in today’s joint advisory.
If they detect any indicators of compromise (IOCs) within their organization’s network, they should immediately implement the mitigation and incident response measures described in the advisory and report the incident to CISA or the FBI.
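The hunt the advisory recommends boils down to matching a published indicator list against your own telemetry. The script below is an added example (not part of the article or the joint advisory) of that matching step: it takes an IOC table of file hashes, IPv4 addresses and domains, normalizes candidates extracted from log lines, and reports which lines and which assets hit. Every indicator and every log line in it is constructed for illustration; the real hashes, addresses and domains must come from the advisory itself.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicator list in the shape of an advisory IOC table. Every value below is a
# CONSTRUCTED placeholder (RFC 5737 test address, reserved .invalid domain,
# dummy hash); none of them comes from the CISA/FBI Truebot advisory.
IOCS = {
    "sha256": {"0123456789abcdef" * 4},
    "ipv4": {"203.0.113.10"},
    "domain": {"c2.example.invalid"},
}

# Constructed log lines (proxy, EDR, firewall) standing in for real telemetry.
SAMPLE_LOGS = [
    "2023-07-06T10:12:01Z proxy src=10.0.0.5 dst=c2.example.invalid action=allow",
    "2023-07-06T10:12:05Z edr host=WS01 event=process_create sha256="
    + "0123456789ABCDEF" * 4,
    "2023-07-06T10:13:00Z proxy src=10.0.0.7 dst=updates.example.com action=allow",
    "2023-07-06T10:14:20Z fw src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443",
]

# Extractors for the indicator types in the list. Word boundaries keep
# 203.0.113.10 from matching inside 203.0.113.100; hashes and domains are
# compared case-insensitively because log sources differ in their casing.
EXTRACTORS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}
# Field naming (src=, host=) is an assumption about the constructed log format.
ASSET_RE = re.compile(r"\b(?:src|host)=([^\s]+)")


@dataclass(frozen=True)
class Match:
    line_no: int            # 1-based index into the scanned log
    ioc_type: str
    value: str              # normalized indicator that matched
    asset: Optional[str]    # src= or host= field of the line, for triage


def normalize(ioc_type: str, raw: str) -> str:
    """Canonical form used on both the IOC list and the extracted candidates."""
    return raw.lower()


def scan(lines, iocs=IOCS):
    """Return every (line, indicator) pair where a listed IOC appears."""
    found = []
    for idx, line in enumerate(lines, start=1):
        asset_m = ASSET_RE.search(line)
        asset = asset_m.group(1) if asset_m else None
        for ioc_type, pattern in EXTRACTORS.items():
            wanted = {normalize(ioc_type, v) for v in iocs.get(ioc_type, ())}
            for candidate in pattern.findall(line):
                value = normalize(ioc_type, candidate)
                if value in wanted:
                    found.append(Match(idx, ioc_type, value, asset))
    return found


def affected_assets(matches):
    """Distinct hosts to isolate and triage, taken from the matching lines."""
    return {m.asset for m in matches if m.asset}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for m in hits:
        print(f"line {m.line_no}: {m.ioc_type} {m.value} (asset {m.asset})")
    print("affected assets:", sorted(affected_assets(hits)))
```

Feeding the script real telemetry means replacing `SAMPLE_LOGS` with an export from the proxy, EDR or firewall and `IOCS` with the advisory's table; the normalization step is what keeps an uppercase hash from an EDR product or a mixed-case domain from a proxy from slipping past an exact-string comparison.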
If your organization uses Netwrix’s IT system audit software, you should apply patches to fix the CVE-2022-31199 vulnerability and update Netwrix Auditor to version 10.5.
Using phishing-resistant multi-factor authentication (MFA) for all staff and departments to protect access to critical systems is also a good way to stop these attacks in their tracks.
Netwrix says its products are used by more than 13,000 organizations around the world, including leading companies like Airbus, Allianz, the UK NHS and Virgin.