Malware, Ransomware, Endpoint/Device Security

Truebot malware linked to Evil Corp shifts tactics to exploit RCEs, USBs

A hand holds a USB drive
Threat groups have shifted from using Truebot malware to exploiting RCEs via USB drives, according to Cisco Talos researchers. (Photo by Peter Forest/Getty Images)

Researchers reported an increase in infections of Truebot — aka Silence Downloader — malware responsible for multiple high-impact attacks on financial institutions around the world.

In a Dec. 8 blog post, Cisco Talos researchers said that there are claims that Truebot has links to TA505 (Evil Corp). In its research, Cisco Talos further supported those claims by finding that one of the follow-on payloads that Truebot drops is Grace, which has been attributed to TA505.

The researchers noted that the attackers have shifted from using malicious emails as their primary delivery method to exploiting remote code executions and spreading malware through USB drives. They have also started executing the Clop ransomware, a tactic that also included data theft.  

Threat actors are constantly evolving their tactics to use whatever is most effective at any given time, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said we’ve seen them move back and forth between user focused techniques, often relying on email and social engineering, and technical methods that leverage a vulnerability they can exploit.  

“When a new vulnerability is published, we often see a flurry of activity on the defense side responding to the CVE and it often gets us out ahead of a potential exploit,” Parkin said. “But the ones we recognize only after they’re exploited in the wild are the greater challenge. Though, once discovered, the response is often swift, forcing the attackers to move to a different technique.” 

John Bambenek, principal threat hunter at Netenrich, added that there are multiple paths into an organization and threat actors know it. Not only do they shift tactics, they rotate through them and come back from time to time.

“Human beings get accustomed to patterns so as they get used to one attack (or we develop solid defenses) and things get cooked in with security awareness training, the attackers then shift to something new, or something old like USB drives,” said Bambenek.

Jerrod Piker, competitive intelligence analyst at Deep Instinct, added that first and foremost, a shift in tactics means that, to some extent, cybersecurity controls are actually impacting the success of even the advanced threat actor groups.

Second, Piker said email attachments/phishing and web downloads/vulnerabilities have been the most widely used attack vectors for quite some time, so this may indicate a trending shift in tactics across the board.

“The cat-and-mouse game continues,” Piker said. “Attackers shifting their tactics will force security teams to modify their strategies to account for the new techniques. Generally, when focus shifts from one area to another, the original area of focus takes a hit from a resource and visibility standpoint. This could lead to more risk in other areas, such as email and web protection. It may be too soon to definitively state that this indicates a widespread shift in attacker tactics, but anytime a group like Silence does something new, we should most certainly take notice. These types of groups tend to be trend-setters when it comes to cybercriminal activity as a whole.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.