In this live demo, SCYTHE Lead Adversary Emulation Engineer Trey Bilbrey and Detection Engineer Tyler Casey will delve into the intricacies of TrueBot malware, a potent tool often wielded as an initial access vector by cyber threat actors.
Traditionally gaining entry through phishing, TrueBot has also exploited vulnerabilities such as CVE-2022-31199 (a Netwrix Auditor vulnerability) for initial access; notably, there has been a surge in observed TrueBot activity, particularly in its deployment by the CLOP ransomware gang.
Throughout the demonstration, we'll explore the malware's behaviors, including host and network discovery, simulated archival of sensitive documents, data exfiltration, and Command and Control (C2) communication for payload retrieval. To deepen that understanding, we'll execute a simulated campaign, analyze the resulting activity, and identify malicious behaviors using a range of detection techniques: spotting suspicious LOLBAS commands, compressed archive creation, PowerShell Base64 encoding, BITSADMIN file downloads, and DNS queries to known C2 servers. This comprehensive examination aims to raise awareness of TrueBot malware and strengthen defenses against its tactics.