
CTI Roundup: Truebot infects US & Canada networks

Truebot infects networks throughout the US and Canada, Charming Kitten targets new operating systems, and SmugX targets European government entities

Emerging Issue

Up first in this week’s roundup, CTI looks at how threat actors are using new Truebot malware variants to target organizations in the United States and Canada. Next, CTI explores a recent campaign involving the Iranian state-sponsored threat group Charming Kitten. The campaign highlights the threat actor’s updated malware arsenal and new TTPs — most notably its targeting of new operating systems, including macOS. Finally, CTI wraps things up with an overview of a recent report highlighting an ongoing phishing campaign dubbed SmugX.

1. CISA: Increased Truebot activity infects US and Canada-based networks

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) have issued a joint cybersecurity advisory in response to cyber threat actors deploying new TrueBot malware variants against various organizations in the U.S. and Canada.

What is TrueBot?

TrueBot is a malware downloader that has been linked to a Russian-speaking cybercriminal gang known as Silence. It has been used by hackers belonging to the TA505 threat group (which is also linked to the FIN11 cybercriminal group) to deploy CL0P ransomware.

From the joint advisory:

Truebot is a botnet that has been used by malicious cyber groups like CL0P Ransomware Gang to collect and exfiltrate information from its target victims… Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199 — (a remote code execution vulnerability in the Netwrix Auditor application), enabling deployment of the malware at scale within the compromised environment.

CL0P was recently responsible for the massive MOVEit zero-day supply chain attack, as well as subsequent extortion attacks that continue to target the application’s downstream users and wreak financial havoc today.

Summary of activity

According to the joint advisory, the authoring organizations have observed an increase in the number of threat actors deploying new versions of Truebot as recently as 31 May 2023.

Based on confirmed open-source reporting and analysis of recent TrueBot variants, the advisory’s authors assess that threat actors are now delivering new variants of the malware via phishing campaigns featuring malicious redirect hyperlinks and through exploitation of CVE-2022-31199.

TrueBot phishing activity

The joint advisory notes that threat actors have primarily utilized phishing emails as the preferred delivery method of TrueBot malware. The emails typically attempt to trick recipients into clicking a hyperlink to execute malware, but researchers have also observed threat actors concealing executables in email attachments disguised as legitimate software update notifications.

When users interact with the executable, it redirects them to malicious domains and triggers malicious scripts. The joint advisory makes a point of noting that Truebot can hide within a wide range of legitimate file formats.

Exploitation of CVE-2022-31199

While phishing remains the more common of the two Truebot delivery methods discussed in the joint advisory, researchers have also observed threat actors shift tactics and begin to exploit CVE-2022-31199, a remote code execution vulnerability in Netwrix Auditor.

By exploiting this vulnerability, threat actors can achieve initial access and move laterally within compromised environments.

What is FlawedGrace?

Once downloaded, Truebot renames itself and downloads the FlawedGrace remote access trojan (RAT) to the infected host. FlawedGrace can modify the registry and the print spooler, the service that manages the flow of documents into a printer’s queue. By manipulating both, FlawedGrace can escalate privileges and achieve persistence.

Encrypted payloads are stored within the registry during FlawedGrace’s execution phase. It is also capable of creating scheduled tasks and injecting payloads into msiexec.exe and svchost.exe. Each of these techniques helps FlawedGrace establish a command-and-control (C2) communication channel and load the DLLs that allow it to escalate privileges.

According to the joint advisory, researchers have also observed Truebot injecting Cobalt Strike beacons into memory; the beacons remain dormant for the first few hours before beginning additional post-compromise operations.

Discovery, defense evasion

The first stage of Truebot’s execution process involves checking the current operating system version via RtlGetVersion and analyzing the processor’s attributes via GetNativeSystemInfo.

In what appears to be an increasingly common trend in commodity malware, some TrueBot variants are padded with large amounts of junk code. As the joint advisory explains, the analyzed Truebot sample carried over one gigabyte of junk code designed to make detection and analysis difficult, if not impossible in some cases.

After completing these checks, Truebot can enumerate all running processes, collect sensitive host data, and encode that data into a data stream that sets the stage for second-stage execution. Judging from the IOCs associated with this activity, Truebot also appears capable of discovering security software and protocols, as well as metrics relating to system time. These features are likely intended to aid defense evasion, but they may also let the malware synchronize with the internal clock of a compromised system, making it easier to schedule tasks accurately.

From the joint advisory:

Next, it uses a .JSONIP extension, (e.g., IgtyXEQuCEvAM.JSONIP), to create a thirteen character globally unique identifier (GUID)—a 128-bit text string that Truebot uses to label and organize the data it collects… After creating the GUID, Truebot compiles and enumerates running process data into either a base64 or unique hexadecimal encoded string… Truebot’s main goal is identifying the presence of security debugger tools. However, the presence of identified debugger tools does not change Truebot’s execution process—the data is compiled into a base64 encoded string for tracking and defense evasion purposes.

Data collection and exfiltration

After the stages described above run their course, Truebot sends the compromised host’s computer and domain name, along with the newly generated GUID, to a hard-coded URL in the form of a POST request (as observed in the user-agent string).

The POST request initiates and establishes a C2 connection capable of supporting two-way traffic. Once this connection has been established, the malware leverages a second obfuscated domain for various purposes, including, but not limited to, downloading additional payloads, self-replicating across the environment, and deleting the files that supported the operation up to this point.

Additional delivery methods and tools

The following list represents additional delivery vectors and tools with which Truebot has been associated:

  • Raspberry Robin (Malware): Raspberry Robin is a wormable malware with links to other malware families and various infection methods, including installation via USB drive.

Raspberry Robin has evolved into one of the largest malware distribution platforms and has been observed deploying Truebot, as well as other post-compromise payloads such as IcedID and Bumblebee malware.

  • Teleport (Tool): Cyber threat actors have been observed using a custom data exfiltration tool, which Talos refers to as Teleport.

Teleport is known to evade detection during data exfiltration by using a custom communication protocol that encrypts data with the Advanced Encryption Standard (AES) and a key hardcoded in the binary.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Given TrueBot’s association with cybercriminal organizations such as the CL0P extortion/ransomware group and some of its more dangerous affiliates, it would be unwise to characterize TrueBot and the activity described above as anything less than a serious threat — particularly when its operations seem to target organizations in such an indiscriminate manner.”

2. Exploring Charming Kitten’s foray into LNKs and Mac malware

Proofpoint’s latest report explores a recent campaign carried out by Charming Kitten, which is an Iranian state-sponsored threat group. The campaign highlights the threat actor’s updated malware arsenal and new TTPs — most notably its targeting of new operating systems, including macOS.

Threat overview

In May 2023, Proofpoint observed Charming Kitten sending a benign conversation lure masquerading as a senior fellow with the Royal United Services Institute (RUSI).

The benign email was sent to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs. The email was looking for feedback on a specific project and requested permission to send a draft over for review.

Charming Kitten uses a variety of cloud hosting providers to deliver a novel infection chain that deploys a newly identified PowerShell backdoor known as GorjolEcho. The threat actor also ported its malware and attempted to launch an infection chain against macOS devices. Proofpoint refers to this infection chain and backdoor as NokNok.

Targeting with benign messages

Charming Kitten frequently uses benign messages to target victims. As Joint Comprehensive Plan of Action (JCPOA) negotiations continue and Tehran finds itself increasingly isolated within its sphere of influence, Charming Kitten is focusing a large majority of its targeting efforts against the experts likely informing these foreign policies.

In one of the recently observed incidents, the threat actor contacted its target with a benign email before later using multi-persona impersonation, listing additional experts to try to establish rapport with the victim.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The TTPs and new backdoors observed in this campaign highlight Charming Kitten’s ability to adapt its infection chains to continue to be successful in its espionage operations.

The most noteworthy change in this campaign is the porting of their malware to target macOS devices, allowing the threat actor to have a broader range of targets.”

From Proofpoint:

The use of Google Scripts, Dropbox, and CleverApps demonstrates that Charming Kitten continues to subscribe to a multi-cloud approach in its efforts to likely minimize disruptions from threat hunters.

3. Suspected Chinese hackers target European government entities in SmugX campaign

A recent report published by Check Point Research highlights an ongoing phishing campaign called SmugX, which has ties to a Chinese state-sponsored threat actor.

The campaign’s goal appears to be espionage and features two different infection chains designed to deliver the PlugX remote access trojan (RAT).

Campaign details

The SmugX campaign reportedly began in December 2022. Its victimology comprises foreign affairs ministries and embassies located in European countries such as the U.K., France, Sweden, Ukraine, the Czech Republic, Hungary, and Slovakia.

Lure documents deployed as part of the phishing campaign are primarily themed around European domestic and foreign policies.

From a BleepingComputer article covering the campaign:

Among the samples that Check Point collected during the investigation are:

    • a letter from the Serbian embassy in Budapest
    • a document stating the priorities of the Swedish Presidency of the Council of the European Union
    • an invitation to a diplomatic conference issued by Hungary’s Ministry of Foreign Affairs
    • an article about two Chinese human rights lawyers

The lures used in the SmugX campaign betray the threat actor’s target profile and indicate espionage as the likely objective of the campaign.

Check Point’s research reveals that the SmugX campaign leverages two novel delivery methods (each resulting in low detection rates) to deploy a new variant of PlugX, a RAT predominantly associated with multiple Chinese state-sponsored advanced persistent threat (APT) groups.

The more notable of the two attack chains utilizes HTML smuggling (hence the campaign’s name), an increasingly popular technique among cybercriminals and nation-state actors alike.

HTML smuggling: a refresher

Before we dive into the two attack chains observed in this campaign, let’s take a moment to get reacquainted with HTML smuggling, which Check Point describes as “a well-documented technique… Malicious files are embedded within HTML documents, enabling them to evade network-based detection measures.”

In the SmugX campaign, HTML smuggling facilitates the download of either a JavaScript or ZIP file.

Opening either of the malicious HTML documents featured in the operation triggers the following sequence of events:

  1. First, the payload embedded within the document’s code is decoded and saved to a JavaScript Blob, which is given an appropriate MIME type (e.g., application/zip).
  2. Next, rather than using an HTML anchor element already present in the page, the JavaScript code creates one dynamically.
  3. A URL object for the Blob is created using the createObjectURL function.
  4. The element’s download attribute is set to the desired filename.
  5. Finally, the code invokes the element’s click action, simulating a user clicking the link and initiating the file download.

Check Point notes that, for older browser versions, the code employs msSaveOrOpenBlob to save the blob with the desired filename.
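As an added example (not Check Point’s or Tanium’s code), the following static triage checks an HTML file for each step of the sequence just described: a Blob with a MIME type, createObjectURL, a dynamically created anchor with a download attribute, a synthetic click, and the msSaveOrOpenBlob fallback. It also carves the largest embedded base64 literal and identifies it by magic bytes, so the smuggled file’s real type is known before anything is opened; the indicator labels and the sample HTML are constructed for this example.

```python
import base64
import binascii
import io
import re
import zipfile
# One regex per behaviour in the smuggling sequence described above (labels are our own).
INDICATORS = [
    ("blob_with_mime", re.compile(r"new\s+Blob\s*\(.*?type\s*:", re.S)),
    ("create_object_url", re.compile(r"URL\.createObjectURL\s*\(")),
    ("dynamic_anchor", re.compile(r"createElement\s*\(\s*['\"]a['\"]\s*\)")),
    ("download_attr", re.compile(r"\.download\s*=|setAttribute\s*\(\s*['\"]download['\"]")),
    ("synthetic_click", re.compile(r"\.click\s*\(\s*\)")),
    ("ms_save_fallback", re.compile(r"msSaveOrOpenBlob")),
]
# A quoted base64 literal long enough to hold a file rather than a short string.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole"}
CORE = {"blob_with_mime", "create_object_url", "download_attr", "synthetic_click"}

def carve_payload(html):
    """Decode the largest base64 literal in the page and identify it by magic bytes."""
    best = max(B64_LITERAL.findall(html), key=len, default=None)
    if best is None:
        return None, None
    try:
        data = base64.b64decode(best, validate=True)
    except (ValueError, binascii.Error):
        return None, None
    kind = next((label for magic, label in MAGIC.items() if data.startswith(magic)), "unknown")
    return data, kind

def triage(html):
    """Report which steps of the chain appear and whether a carved payload backs them up."""
    hits = [label for label, rx in INDICATORS if rx.search(html)]
    payload, kind = carve_payload(html)
    # The legacy fallback alone is weak evidence; require the blob->URL->download->click core.
    likely = CORE <= set(hits) and payload is not None
    return {"hits": hits, "payload_type": kind,
            "payload_size": len(payload) if payload else 0,
            "verdict": "smuggling_likely" if likely else "benign_or_inconclusive"}

def build_sample_html():
    """Constructed fixture: a tiny ZIP carried through the five steps above (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lure.txt", "sample")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><script>
var d = atob("{b64}"), a = new Uint8Array(d.length);
for (var i = 0; i < d.length; i++) a[i] = d.charCodeAt(i);
var blob = new Blob([a], {{type: "application/zip"}});
if (navigator.msSaveOrOpenBlob) {{ navigator.msSaveOrOpenBlob(blob, "doc.zip"); }} else {{
var el = document.createElement("a"); el.href = URL.createObjectURL(blob);
el.download = "doc.zip"; el.click(); }}</script></body></html>"""
```

Run triage() over attachments or proxy-captured HTML; a hit on the core set together with a carved ZIP or PE is worth a closer look even when the file is otherwise unremarkable.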

Two different attack chains

The SmugX campaign consists of two main infection chains, both of which begin with an HTML file that saves the second stage to the victim’s Downloads folder. The chains diverge at the second stage: one uses a ZIP file containing a malicious LNK file, while the other employs JavaScript to download an MSI file from a remote server.

  • The SmugX archive chain: In the first of the two scenarios described above, the HTML file smuggles a ZIP archive containing a malicious LNK file designed to run PowerShell. Using PowerShell, the attacker extracts a compressed archive embedded within the LNK file, saving it to the %temp% directory.
  • The SmugX JavaScript chain: The second of the two PlugX infection vectors makes use of HTML smuggling in order to download a JavaScript file.

Upon its execution, the file downloads and runs an MSI file provided by the attackers’ remote server. A new folder is created by the MSI and saved within the %appdata%\Local directory, in which three files extracted from the MSI package are also stored. These three dropped files consist of a hijacked legitimate executable, the loader DLL, and the encrypted payload.

With regards to this campaign’s chosen loading technique, there is little difference from many other previously observed instances of PlugX infection; the malware leverages DLL sideloading techniques.

PlugX, revised

This campaign’s final payload is PlugX, an implant that China-nexus cyber threat actors have been using since 2008. It is modular, operating as a remote access tool while accommodating a multitude of plugins, each with distinct functionality. This lets operators carry out a varied range of malicious activities on compromised systems, including file theft, screen captures, keylogging, and command execution.

With regards to persistence, PlugX copies the legitimate program and DLL, storing them within a hidden directory created by the implant. The encrypted payload is placed in a separate hidden folder, and PlugX achieves persistence by adding the legitimate program to the Run registry key.

Overlapping APT activity

Check Point’s assessment that the SmugX campaign is the work of a Chinese threat actor is not based solely on the attackers’ use of the PlugX implant. The firm’s researchers are also basing their theory on the fact that the campaign shares “significant similarities with activity attributed by other security vendors to either RedDelta or Mustang Panda.”

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Based on the facts presented above, Check Point appears to be accurate linking the SmugX campaign to a Chinese threat actor. The goal of the campaign is clearly intelligence gathering and espionage, and the campaign’s targets align with the state interests of the Chinese government. CTI will continue to monitor this campaign and any others tied to it for developments.”

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.

Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
