Security News, December 2022: Clop ransomware uses TrueBot malware for access to networks
Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence.
Analysis of Silence's attacks over the past months revealed that the gang delivered Clop ransomware, which is typically deployed by TA505 hackers, a group associated with FIN11.
Silence hackers have planted their malware on more than 1,500 systems across the world to fetch shellcode, Cobalt Strike beacons, the Grace malware, the Teleport exfiltration tool, and Clop ransomware.
In a small number of attacks between August and September, the hackers infected systems with TrueBot after exploiting a critical vulnerability in Netwrix Auditor servers tracked as CVE-2022-31199.
In some cases, the attackers deployed the Clop ransomware after moving laterally to as many systems as possible with the help of Cobalt Strike.
"Once sufficient data had been collected, the attackers created scheduled tasks on a large number of systems to simultaneously start executing the Clop ransomware and encrypt the highest possible volume of data."
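The final step described above (the same scheduled task registered on many hosts within a short window so that encryption starts everywhere at once) leaves a detectable pattern in Windows Security logs. The following is an added example, not code from the article or the researchers, that flags such a burst across constructed records modelled on event 4698 (scheduled task created); the field names, hostnames, task name and command path are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security event 4698
# (task creation). Hostnames, task name and command are made up for this
# example, not indicators from the incident described above.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2022-09-14T02:00:01", "task": "\\Update", "command": "C:\\Temp\\c.exe"},
    {"host": "WS02", "time": "2022-09-14T02:00:03", "task": "\\Update", "command": "C:\\Temp\\c.exe"},
    {"host": "WS03", "time": "2022-09-14T02:00:05", "task": "\\Update", "command": "C:\\Temp\\c.exe"},
    {"host": "WS04", "time": "2022-09-14T02:00:09", "task": "\\Update", "command": "C:\\Temp\\c.exe"},
    {"host": "WS05", "time": "2022-09-14T02:00:12", "task": "\\Update", "command": "C:\\Temp\\c.exe"},
    # Benign noise: a single host registering an unrelated task hours earlier.
    {"host": "WS09", "time": "2022-09-13T18:30:00", "task": "\\Backup", "command": "C:\\Tools\\bk.exe"},
    # Same task as the burst, but far outside the window: should not widen the alert.
    {"host": "WS10", "time": "2022-09-14T09:00:00", "task": "\\Update", "command": "C:\\Temp\\c.exe"},
]


def find_task_bursts(events, min_hosts=5, window=timedelta(minutes=5)):
    """Return one alert per (task, command) pair that was created on at
    least min_hosts distinct hosts within a sliding time window.
    Each alert is (task, command, window start ISO time, sorted hosts)."""
    by_key = defaultdict(list)
    for e in events:
        key = (e["task"], e["command"])
        by_key[key].append((datetime.fromisoformat(e["time"]), e["host"]))

    alerts = []
    for (task, command), items in by_key.items():
        items.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            hosts = {h for _, h in items[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append((task, command, items[start][0].isoformat(), sorted(hosts)))
                break  # one alert per task/command pair is enough
    return alerts


if __name__ == "__main__":
    for task, command, first_seen, hosts in find_task_bursts(SAMPLE_EVENTS):
        print(f"ALERT {task} -> {command} on {len(hosts)} hosts from {first_seen}: {hosts}")
```

Feeding real 4698 events (exported with `wevtutil` or a SIEM query) into `find_task_bursts` instead of `SAMPLE_EVENTS` is the only change needed; tune `min_hosts` and `window` to the size of the environment.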
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
|---|---|---|---|
| 2022-11-08 | CVE-2022-31199 | Deserialization of Untrusted Data vulnerability in Netwrix Auditor 9.7/9.8. Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component, affecting both the Netwrix Auditor server and agents installed on monitored systems. | 9.8 |