A growing number of devices are being infected by the threat group Silence with the Truebot malware. The information was discovered by Cisco Talos analysts, who also hypothesized a link between Silence and notorious hacker outfit Evil Corp (tracked by Cisco as TA505).
In an advisory released last week, the security firm claims that the campaign it tracked led to the development of two botnets, one with infections spread over the globe (especially in Mexico and Brazil), and the other more recently targeted at the US.
"We detected a number of compromised education sector organizations, albeit we do not have enough information to determine that there is a specific concentration on a sector,” the advisory reads.
Tiago Pereira, a security researcher with Cisco Talos, thinks that Truebot is a precursor to other dangers that are known to have been behind attacks that resulted in significant losses.
The attackers show agility in adopting new delivery methods, so readers should think of this as the first phase of what might be a severe attack, Pereira advised.
Additionally, Cisco Talos added that Silence is moving away from utilizing infected emails as its main mode of delivery and toward new approaches. This is in addition to increasing its targets.
"A greater percentage of attacks used Raspberry Robin, contemporary malware disseminated via USB devices, as a delivery mechanism in October. We have a mediocre degree of confidence that the attackers began using yet another method to spread the virus in November " the researchers added.
Additionally, according to the technical write-up, post-compromise activities involved data theft and the deployment of the Clop ransomware.
We discovered what appears to be a completely functional proprietary data exfiltration tool, which we are calling "Teleport," that was heavily used to steal information during one of these attacks while we were studying it.
The data exfiltration process was made better by Teleport's many capabilities, which included limiting upload speed and file size, encrypting connections with a unique protocol, and having the ability to erase itself after use. Teleport was created in C++.
A very recent Netwrix vulnerability was also exploited by Silence while Cisco Talos was conducting its study (tracked CVE-2022-31199).
“This vulnerability had just recently been published, only a few weeks before the attacks, and the number of systems exposed via the internet is believed to be fairly modest," the researchers concluded.
This implies that the attackers are quick to test new infection vectors and incorporate them into their workflow in addition to being on the watch for them.
The malware tools mentioned above were not first used by the Silence threat organization. Raspberry Robin was connected to the Clop and LockBit ransomware organizations, according to a Microsoft advisory from October.