Truebot and Mirai: new activities and threats

An announcement by CISA (Cybersecurity and Infrastructure Security Agency) and its partners warns of a new Truebot campaign. Current activities are mainly directed against organisations in the USA and Canada, as well as occasionally in Great Britain. According to the analyses, the botnet malware is deployed via phishing campaigns with malicious links and by exploiting a known vulnerability in the Netwrix Auditor application for remote code execution (CVE-2022-31199). [1]

How do Truebot and Mirai work?

What makes the warning special is that Truebot was first discovered in 2017 – and is still successful six years later. Similarly, the Mirai botnet, first discovered in 2016, continues to break records by causing the largest and most devastating distributed denial of service (DDoS) attacks. [2]

Mirai and Truebot are both widespread software variants that aim to infect insecure IT and IoT devices and link them into huge botnets. Both malware types can carry out DDoS attacks by creating massive network congestion with many infected devices. The attackers exploit misconfigurations and current vulnerabilities to gain access to the targeted devices. Repeatedly, they highlight the growing security concerns associated with networked devices. Despite these similarities, Mirai and Truebot have individual characteristics and functionalities that need to be understood to detect them and take effective countermeasures.

Mirai exploits default passwords and vulnerabilities in common IoT systems

The well-known IoT malware Mirai first appeared in 2016. It infects insecure networked devices to form huge botnets that are used for DDoS attacks.

Mirai has highlighted vulnerabilities in IoT device security and underscores the need to immediately change default device configurations and not neglect this class of devices from a security perspective. Without the attack scenarios having changed or evolved particularly, this threat still seems to be relevant.

Measures to secure IoT devices are known to be effective. Even simple changes can significantly minimise the risk to detect attacks early or prevent them altogether.

Truebot is constantly evolving with flexible submodules

Not so with Truebot, the result of lengthy development work by cybercriminals. The malware was first identified when security researchers noticed unusual patterns based on suspicious activities in various networks.

Analysis revealed a complex structure in which infected computers were connected to form a botnet and controlled from a central control server. The developers of Truebot had deliberately exploited vulnerabilities in software and operating systems to spread the infection. Truebot uses sophisticated obfuscation techniques to make detection by security solutions more difficult. Overall, TrueBot was a particularly prominent and threatening malware variant due to its versatility, complex structure and ability to exploit various vulnerabilities while disguising itself. Alternatively, the malware is also known as “Silence.Downloader”.

CISA’s advisory includes a list of malware and tools used in conjunction with Truebot, including the worm-enabled malware Raspberry Robin, the remote access tool Flawed Grace, the penetration testing tool Cobalt Strike and the data exfiltration tool Teleport. A full technical breakdown, including indicators of compromise, is also included.

The current warning shows how known threats can dynamically adapt to new requirements and thus still pose a great danger. Those who have once secured themselves against Truebot should not trust that they will remain safe from new attacks.

How are the current developments to be interpreted?

Mirai and Truebot, when they first appeared, highlighted the risks posed by the massive proliferation of insecure IoT devices and the ability of cybercriminals to find, infect and turn these devices into dangerous botnets. The successful DDoS attacks orchestrated by Mirai and Truebot illustrate how easily vulnerable devices can become a significant threat to the stability of networks and online services.

The renewed waves of attacks underscore the importance and urgency of monitoring measures to either prevent infections or at least identify infected devices in time, both at the device level and at the network level. To maintain the integrity and stability of one’s own digital systems, a permanent view of the security of networked devices and IoT infrastructures is essential.

This might also interest you:

Use OSINT tools for cyber security

Ransom DDoS attacks: Tips and strategies against the threat of blackmail

Honeypots: Researchers analyse attacks on IoT systems

Sources:
[1] https://www.cisa.gov/news-events/alerts/2023/07/06/cisa-and-partners-release-joint-cybersecurity-advisory-newly-identified-truebot-malware-variants
[2] https://www.darkreading.com/attacks-breaches/mirai-common-attack-methods-remain-consistent-effective