Silence hackers' Truebot malware linked to Clop ransomware attacks

Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence.

The Silence group is known for its big heists against financial institutions, and has begun to shift from phishing as an initial compromise vector.

The threat actor is also using a new custom data exfiltration tool called Teleport. Analysis of Silence's attacks over the past months revealed that the gang delivered Clop ransomware typically deployed by TA505 hackers, which are associated with the FIN11 group.

Truebot infections

Silence hackers have planted their malware on more than 1,500 systems across the world to fetch shellcode, Cobalt Strike beacons, the Grace malware, the Teleport exfiltration tool, and Clop ransomware.

The new campaigns were analyzed by researchers at Cisco Talos, who observed multiple new attack vectors being used since August 2022.

In a small number of attacks between August and September, the hackers infected systems with Truebot (Silence.Downloader) after exploiting a critical vulnerability in  Netwrix Auditor servers tracked as CVE-2022-31199.

In October 2022, the gang switched to using USB drives to infect computers with the Raspberry Robin worm, which often delivered IcedID, Bumblebee, and Truebot payloads.

A report from Microsoft in October has linked the worm with the distribution of Clop ransomware by a threat actor they track as DEV-0950, whose malicious activity overlaps with that of FIN11 and TA505 (known for using Clop in extortion attacks).

Cisco Talos notes that the Truebot gang used Raspberry Robin to infect more than 1,000 hosts, many of them desktops not accessible over the public web, mainly in Mexico, Brazil, and Pakistan.

In November, the hackers targeted Windows servers exposing SMB, RDP, and WinRM services on the public internet. The researchers counted more than 500 infections, about 75% of them in the United States.

The two Truebot botnets discovered by Cisco Talos
The two Truebot botnets discovered by Cisco Talos

Truebot is a first-stage module that can collect basic information and take screenshots. It also exfiltrates Active Directory trust relations information that helps the threat actor plan post-infection activity.

The command and control (C2) server can then instruct Truebot to load shellcode or DLLs in memory, execute additional modules, uninstall itself, or download DLLs, EXEs, BATs, and PS1 files.

Truebot functional diagram
Truebot functional diagram (Cisco Talos)

New Teleport data exfiltration tool

In the post-compromise phase, the hackers use Truebot to drop Cobalt Strike beacons or the Grace malware (FlawedGrace, GraceWire), which has been attributed to the TA505 cybercriminal group.

After that, the intruders deploy Teleport, which Cisco describes as a novel custom tool built in C++ that helps hackers steal data stealthily.

The communication channel between Teleport and the C2 server is encrypted. The operators can limit the upload speed, filter files by size to steal more of them, or delete the payload. All this is designed to keep a low profile on the victim machine.

Teleport tool modes
Teleport tool modes (Cisco Talos)

Teleport also features options to steal files from OneDrive folders, collect the victim’s Outlook emails, or target specific file extensions.

In some cases, the attackers deploy the Clop ransomware after moving laterally to as many system as possible with the help of Cobalt Strike.

Post-infection activity leading to Clop deployment
Post-infection activity leading to Clop deployment (Cisco Talos)

“During the exploration and lateral movement phases, the attackers browsed key server and desktop file systems, connected to SQL databases, and collected data that was exfiltrated using the Teleport tool to an attacker-controlled server,” Cisco Talos researchers explain.

“Once sufficient data had been collected, the attackers created scheduled tasks on a large number of systems to simultaneously start executing the Clop ransomware and encrypt the highest possible volume of data.”

Silence gang activity

Researchers at cybersecurity company Group-IB have been tracking Silence/Truebot activity since 2016 when the hackers stealthily breached a bank but failed to steal money because of an issue with a payment order.

The attacker hit the same target again and started to monitor the bank operator's activity by taking screenshots and streaming video from the infected system to learn how the money transfer procedure works.

In 2017, they pulled their first successful robbery, as per Group-IB's knowledge, attacking ATM systems and stealing more than $100,000 in one night.

Silence continued their attacks and in three years between 2016 and 2019 they stole at least $4.2 million from banks in the former Soviet Union, Europe, Latin America, and Asia,

Silence/Truebot heists
Silence/Truebot activity June 2016 - July 2019
source: Group-IB

Group-IB researchers describe Silence hackers as highly skilled, being able to reverse engineer malware to modify it for their purpose or adapt at the assembler instructions level an exploit used by nation-state group Fancy Bear. They are also able to develop their own tools.

Initially, the attacker targeted only organizations in Russia but Silence expanded their reach at a global level over the past years.

Related Articles:

U.S. govt agency CMS says data breach impacted 3.1 million people

Attacks on Citrix NetScaler systems linked to ransomware actor

Volt Typhoon rebuilds malware botnet following FBI disruption

New Ymir ransomware partners with RustyStealer in attacks

Halliburton reports $35 million loss after ransomware attack