TrueBot Malware Campaign Uses Phishing and Netwrix Auditor Exploit for Malware Delivery

Organizations in the United States and Canada are being targeted in a TrueBot malware campaign that uses phishing emails with malicious hyperlinks and a remote code execution vulnerability in Netwrix Auditor for distributing the malware – CVE-2022-31199.

TrueBot malware is known to be used by the FIN11 threat group for gaining initial access to victims’ networks. Once a foothold has been established through the installation of TrueBot, the group downloads the FlawedGrace Remote Access Trojan for persistence and privilege escalation, often also deploying Cobalt Strike beacons for post-exploitation tasks. FIN11 conducts extortion attacks, stealing data and issuing ransom demands, usually after deploying Clop ransomware. The Silence threat group is also known to use TrueBot malware in its attacks.

A warning about the campaign was issued in a joint cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) which report attacks exploiting the vulnerability have been detected as recently as May 31, 2023.

A new version of TrueBot, dubbed Silence Downloader, has been detected in the latest attacks that exploited the Netwrix Auditor vulnerability. The security agencies warn that phishing is still a prominent method used for delivering the malware, although tactics appear to have shifted towards exploiting the Netwrix Auditor vulnerability. Both methods of malware delivery have been observed in the latest campaign. In addition to the use of the FlawedGrace RAT and Cobalt Strike, attacks have involved the Teleport tool for data exfiltration, and Raspberry Robin malware as an alternative method of delivering TrueBot.

The cybersecurity agencies have suggested several mitigations, including implementing phishing-resistant multifactor authentication, ensuring the patch is applied to fix the Netwrix Auditor vulnerability, implementing application controls to manage and control the execution of software, strictly limiting the use of RDP and other remote desktop services, and a host of other security measures. Indicators of Compromise (IoCs) are also detailed in the alert and organizations have been advised to search for the IoCs and implement the suggested incident response measures and mitigations if any are identified.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of