TrueBot
TrueBot is a malware family used as a first-stage downloader and command-and-control malware. The reporting collected here states that it can collect system information and take screenshots, and that it has been used to download additional payloads including FlawedGrace and Cobalt Strike Beacon. It is associated with TA505/FIN11, also tracked as GOLD TAHOE and linked in the reporting to Clop operations; Microsoft also linked TrueBot deployment in PaperCut intrusions to the Clop-associated actor Lace Tempest. Since late 2018, TA505/GOLD TAHOE has distributed TrueBot alongside other malware such as Get2, SDBbot, GraceWire, and FlawedAmmyy to facilitate follow-on intrusion activity including lateral movement. The reporting also links TrueBot to exploitation chains involving public-facing enterprise software: FBI/CISA identified download and execution of TrueBot during exploitation of PaperCut MF/NG CVE-2023-27350, and Cisco Talos linked CVE-2022-31199 in Netwrix Auditor to TrueBot activity that eventually led to Clop ransomware. It further states that after attackers gained access to vulnerable servers, they deployed TrueBot, and that TrueBot activity has been observed infecting networks in the United States and Canada. Mentioned indicators include a file identified as TrueBot named ld.txt with SHA-256 c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125. The reporting also notes traces of TrueBot in infrastructure discussed alongside ShadowSyndicate and multiple ransomware families, but cautions that subnet overlap alone is not definitive attribution.
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials. | The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed.
In late January 2023, the CL0P ransomware group launched a campaign using a zero-day vulnerability, now catalogued as CVE-2023-0669, to target the GoAnywhere MFT platform.
CVE-2022-31199: Cisco Talos was able to link CVE-2022-31199, a vulnerability in Netwrix Auditor, to Truebot activity (and eventually Clop ransomware)... To our knowledge, there is no public exploit for this vulnerability. | “Cisco Talos was able to link CVE-2022-31199... to Truebot activity (and eventually Clop ransomware)”
Once they gained access to the server, they deployed the TrueBot malware, which has also been previously linked to the Clop ransomware operation.
Groups observed using it
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed.
Truebot is a first-stage downloader module that can collect system information and take screenshots... In the case of TA505, Truebot has been used to download FlawedGrace or Cobalt Strike beacons.
Once they gained access to the server, they deployed the TrueBot malware, which has also been previously linked to the Clop ransomware operation.
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique: CVE-2023-27350 allows a remote actor to bypass authentication and conduct remote code execution on the affected installations of PaperCut... malicious actors exploited CVE-2023-27350 beginning in mid-April 2023.
Execution
1 technique: After connecting to the C2 infrastructure, Truebot can be instructed to load shell code or DLLs, download additional modules [T1129], run them, or delete itself.
Privilege Escalation
1 technique
Stealth
2 techniques: After connecting to the C2 infrastructure, Truebot can be instructed to load shell code [T1055] or DLLs.
After connecting to the C2 infrastructure, Truebot can be instructed to load shell code or DLLs, download additional modules, run them, or delete itself [T1070].
Defense Impairment
1 technique: Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).
Collection
1 technique: Truebot is a first-stage downloader module that can collect system information and take screenshots [T1113].
Command and Control
3 techniques: The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons... Associated with TrueBot C2... Associated with Cobalt Strike Beacon.
"Ultimately, Microsoft says a Cobalt Strike beacon was deployed..."
Legitimate remote management and maintenance (RMM) software was downloaded and executed on victim systems via commands issued through PaperCut’s print scripting interface... The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons.
IOCs tracked for this family
45 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named malware mentioned as appearing in the same subnets discussed; the content provides no additional technical description beyond this co-occurrence.
Botnet malware associated with ShadowSyndicate and linked to ransomware operations.
Truebot is a botnet malware known for infecting systems to establish a network of compromised machines, often used to deliver additional payloads or facilitate further attacks.
Post-exploitation malware deployed after initial access via PaperCut vulnerabilities; linked in reporting to the Clop ransomware operation.