Clop ransomware uses TrueBot malware for access to networks
2022-12-11 16:22

Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence.

Analysis of Silence's attacks over the past months revealed that the gang delivered Clop ransomware, which is typically deployed by TA505 hackers, who are associated with the FIN11 group.

Silence hackers have planted their malware on more than 1,500 systems across the world to fetch shellcode, Cobalt Strike beacons, the Grace malware, the Teleport exfiltration tool, and Clop ransomware.

In a small number of attacks between August and September, the hackers infected systems with TrueBot after exploiting a critical vulnerability in Netwrix Auditor servers tracked as CVE-2022-31199.

In some cases, the attackers deploy the Clop ransomware after moving laterally to as many systems as possible with the help of Cobalt Strike.

"Once sufficient data had been collected, the attackers created scheduled tasks on a large number of systems to simultaneously start executing the Clop ransomware and encrypt the highest possible volume of data."


News URL

https://www.bleepingcomputer.com/news/security/clop-ransomware-uses-truebot-malware-for-access-to-networks/

Related Vulnerability

Date: 2022-11-08
CVE: CVE-2022-31199
Vulnerability title: Deserialization of Untrusted Data vulnerability in Netwrix Auditor 9.7/9.8
Description: Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems.
Tags: network, low complexity, netwrix, CWE-502
Risk: critical (9.8)