Attack Graph Response to CISA Advisory AA23-187A: Increased Truebot Activity Infects U.S. and Canada Based Networks

On July 6, 2023, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA) in response to TA505 leveraging newly identified Truebot malware variants against organizations in the United States and Canada.

TA505, also known as the CL0P Ransomware Gang and Graceful Spider, is a financially motivated and highly sophisticated criminal adversary that has been active since at least 2014. Known for its involvement in multiple high-profile incidents, TA505 is considered a major player in the e-crime scene having left a significant impact on the global cybersecurity landscape. TA505 activities have been previously emulated by AttackIQ in response to Cybersecurity Advisory (CSA) AA23-158A, issued by CISA on June 7, 2023.

During the observed activities, TA505 was observed using the Truebot downloader, also known as Silence. Truebot is commonly associated with the adversary of the same name, Silence Group. According to public reporting, there is a close connection between Silence Group and TA505.

This malware, which was first detected in the wild in 2017, is found to be closely linked to the malware family known as FlawedGrace, since at least late 2022. Truebot’s primary goal is to infect systems, gather information to identify interesting targets, and deploy additional payloads. Once a system is compromised, Truebot performs reconnaissance activities and sends the collected information to the attacker’s infrastructure.

AttackIQ has released a new attack graph that seeks to emulate the activities carried out by TA505 and the capabilities of its toolkit, which in this case is comprised of Truebot, FlawedGrace and Cobalt Strike, to help customers validate their security controls and their ability to defend against a highly adaptable threat that has been able to stay ahead of the changing cybersecurity landscape.

Validating your security program performance against these behaviors is vital to reducing risk. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:

• Evaluate security control performance against an adversary that has played various roles through the years.
• Assess their security posture against multiple tools and techniques that TA505 has successfully utilized in numerous intrusions.
• Continuously validate detection and prevention pipelines against a highly prolific and sophisticated cybercriminal.

(Click for Larger)

[CISA AA23-187A] Increased Truebot Activity Infects U.S. and Canada Based Networks

(Click for Larger)

The first stage of the attack is focused on the delivery of the Truebot downloader by using the BITS Jobs technique, which allows the adversary to download malicious files through the use of the Windows BITSAdmin utility and is subsequently executed using the DLL Side-Loading technique.

• BITS Jobs (T1197): Background Intelligent Transfer Service (BITS) is a native mechanism used by legitimate applications to use a system’s idle bandwidth to retrieve files without disrupting other applications. Commands are executed using bitsadmin to create a BITS job and configure it to download a remote payload.
• Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples. These scenarios are used for each stage of the malware delivered in these attacks.
• Masquerading: Match Legitimate Name or Location (T1036.005): Execute an AttackIQ executable using the name of a legitimate Microsoft application.
• Hijack Execution Flow: DLL Side-Loading (T1547.002): Bundles a DLL with a Windows executable that is susceptible to DLL Side-Loading to execute actor code.

(Click for Larger)

This stage emulates the initial discovery activities carried out by Truebot. The malware will seek to obtain information from the local system and active processes through Native API calls. Next, Truebot will attempt to identify the security software installed on the system, the current time, the network configuration, and the hostname. This data is then sent to the actor’s C2 server using HTTP POST requests.

• System Information Discovery (T1082): This scenario will be called RtlGetVersion(Ntdll) Windows API to enumerate system information.
• Process Discovery (T1057): The Windows API is used to receive a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW.
• Security Software Discovery (T1518.001): A PowerShell script is executed to determine which software has been installed as an AntiVirusProduct class.
• System Time Discovery (T1124): The scenario identifies the time and time zone of the compromised system through the net time command.
• System Network Configuration Discovery (T1016): The network configuration of the asset is collected using standard Windows utilities like ipconfig, arp, route, and nltest.
• Application Layer Protocol: Web Protocols (T1071.001): This scenario emulates the HTTP requests made during Truebot’s initial command and control activity. The malware makes an HTTP POST request to an AttackIQ server that mimics the URL format and initial profiling data sent by a real infection.

(Click for Larger)

After exfiltration of the system profiling data, Truebot will continue with the download and execution of the second stage payload known as FlawedGrace. This payload can be executed by either reflective DLL injection or by injecting shellcode into the memory of another running process. Once FlawedGrace is running, it will achieve persistence by creating a scheduled task.

• Reflective DLL Injection (T1620): This scenario takes a default AttackIQ DLL and loads it into the memory space of its own process in order to execute the desired DLL function.
• Process Injection (T1055): This scenario injects a DLL file into another running process and validates if a canary file can be created. The scenario will run using the Load Library and CreateRemoteThread technique, with the default AttackIQ DLL to be injected into the default AttackIQ binary.
• Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the schtasks utility.

(Click for Larger)

FlawedGrace then performs its own set of discovery commands to gain further intelligence about the infected environment. Some of the same information is collected a second time but this time with additional details about the local administrator accounts, network configurations, devices connected to the infected host, and security software installed as the system’s anti-virus.

• System Information Discovery (T1082): The native systeminfo command is executed to retrieve all of the Windows system information.
• System Owner / User Discovery (T1033): Live off the land by running whoami and users to gain details about the currently available accounts and permission groups.
• Permission Groups Discovery: Local Groups (T1069.001): The actor is interested in finding out the memberships of privileged local groups like Remote Desktop Users and Local Administrators. They accomplish this by executing net localgroup lookups.
• Windows Management Instrumentation (WMI) (T1047): WMI is a native Windows administration feature that provides a method for accessing Windows system components. This scenario executes the computersystem get domain command to retrieve the host’s connected Active Directory domain.
• Peripheral Device Discovery (T1120): This scenario retrieves information about systems peripherals such as logical drives, physical memory, network cards through the execution of commands and binaries.
• Security Software Discovery (T1518.001): A native Microsoft Windows WMIC (Windows Management Instrumentation Command-line) is executed to retrieve information regarding the installed antivirus product on the local system.

(Click for Larger)

In the last stage, the attackers will deploy Cobalt Strike in order to collect credentials, move laterally, ensure persistence, and exfiltrate collected data.

The payload is then injected into memory by Truebot, and it will seek to obtain valid credentials by performing a memory dump of the LSASS process. Next, Cobalt Strike will attempt to move laterally through multiple techniques, such as the creation of local admin accounts to achieve Pass the Hash alternate authentication, or through remote service session hijacking, specifically using Remote Desktop Protocol (RDP) or Secure Shell Protocol (SSH).

• Create Account: Local Account (T1136.001): Actors create a new account using net user.
• OS Credential Dumping: LSASS Memory (T1003.001): LSASS memory is dumped to disk by creating a minidump of the lsass.exe process. This process is used for enforcing security policy on the system and contains many privileged tokens and accounts that are targeted by threat actors.
• Remote Services: Remote Desktop Protocol (T1021.001): Use common credentials to attempt to remote access another Windows system using the native Remote Desktop Protocol (RDP) connection.
• Remote Service Session Hijacking: SSH Hijacking (T1563.001): This scenario attempts to open a remote shell and execute commands in computers using Secure Shell Protocol (SSH)

Detection and Mitigation Opportunities

With so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ highly recommends reviewing their signatures and adapting to your environment first to see if you have any existing impact before reviewing the results from the attack graphs.

2. Process Injection (T1055), DLL Side-Loading (T1547.002), and Reflective Code Loading (T1620)

Many of the malware families used by TA505 are using techniques that obscure the true source of malicious activity. By either injecting into another process, using side-loading to load malicious code into a legitimate process, or reflectively load code into a process, actors try to conceal the execution of malicious payloads to hide in normal system operating noise or abuse overzealous whitelisting:

2a. Detection

Searching for common processes that are performing uncommon actions can help identify when a process has been compromised. It would be uncommon for these processes to be executing additional process or performing discovery techniques. You can look for similar activity using a signature like:

Parent Process Name CONTAINS (‘explorer.exe’ OR ‘svchost.exe’)
Command Line CONTAINS (‘set’ OR ‘whoami’ OR ‘ping’ OR ‘dir’)

2b. Mitigation

• M1040 – Behavior Prevention on Endpoint
• M1026 – Privileged Account Management

Wrap-up

In summary, this attack graph will help organizations evaluate security and incident response processes and support the improvement of your security control posture against a highly prolific and sophisticated cybercriminal. With data generated from continuous testing and use of these attack graphs, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.