TrueBot Malware Infections Spike and Link to Evil Corp is Confirmed

Security researchers at Cisco Talos say there has been a marked increase in infections with TrueBot malware and the creation of two botnets, one focused on the United States and the other worldwide, with a particular focus on Mexico and Brazil. TrueBot malware, aka Silence downloader, is linked to the Silence Group, a group that has been active since at least 2016 and is known to conduct high-impact attacks on financial institutions. The group is known to have stolen at least $4.2 million from banks in former Soviet countries, Europe, Asia, and Latin America.

Some security researchers have found evidence that ties the Silence Group to the Evil Corp (TA505) cybercriminal group. The researchers at Cisco Talos have confirmed that link, having observed TrueBot malware delivering Grace malware, which has previously been attributed to Evil Corp, and Clop ransomware, which has also been deployed by Evil Corp hackers.

While the TrueBot infections do not appear to be focused on any particular sector, there have been several infections at educational organizations. The Silence Group has previously favored phishing as the initial attack vector; however, the group is known to change its attack vectors often. The Cisco Talos researchers note a change in tactics in October, when many infections leveraged Raspberry Robin, which spreads via infected USB devices. The researchers also report another change in attack vectors in November, when Windows servers with exposed SMB, RDP, and WinRM services were targeted.

The Silence Group was also quick to exploit a new Netwrix vulnerability, CVE-2022-31199, in August and September, only a few weeks after the vulnerability was first published. The researchers note that this demonstrates that the Silence Group is actively seeking new vulnerabilities to exploit and has the capability to add new exploits to its arsenal before many organizations have been able to apply patches. The group has also been observed using a new, fully featured data exfiltration tool called Teleport, which has been extensively used to steal information from victims. The tool incorporates several new features to improve data exfiltration, including the ability to delete itself, encrypt its communications, and limit the upload speed and file size.

The Silence Group is now known to have infected more than 1,500 systems with TrueBot malware, which has been subsequently used to deliver Cobalt Strike beacons, Teleport, Clop ransomware, and Grace malware.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news