Cybersecurity organizations have raised concerns about the emergence of new TrueBot malware variants. Presently, this upgraded threat is targeting companies in the United States and Canada, with the primary objective of extracting sensitive data from compromised systems.

The attackers behind these sophisticated assaults exploit a significant vulnerability (CVE-2022-31199) in the widely utilized Netwrix Auditor server and its associated agents.
This vulnerability grants unauthorized attackers the ability to execute malicious code with the SYSTEM user’s privileges, resulting in unregulated access to compromised systems. By exploiting this flaw, hackers gain unrestricted control over the hacked systems.

The TrueBot malware poses a significant threat to network security as it is employed for data theft and the propagation of ransomware. This malicious software is closely linked to cybercriminal collectives known as Silence and FIN11.

Having exploited the aforementioned vulnerability, the hackers proceed to install TrueBot. Through this initial breach, they gain entry to the targeted networks. Subsequently, the hackers deploy the FlawedGrace Remote Access Trojan (RAT) to enhance their level of control, establish a persistent presence on the compromised systems, and execute additional operations.

“The RAT maintains encrypted payloads within the registry for use during FlawedGrace’s execution phase. msiexec[.]exe and svchost[.]exe are command processes that allow FlawedGrace to establish a command and control (C2) connection to 92.118.36[.]199, for example, as well as load dynamic link libraries (DLLs) to carry out privilege escalation, according to the advisory. The tool can create scheduled tasks and inject payloads into these processes.”

TrueBot Malware Attacks

Following the initial breach, the attackers proceed to activate Cobalt Strike beacons within a few hours. These beacons serve to facilitate post-exploitation activities such as data theft and the installation of malware payloads.

Unlike earlier versions that relied primarily on malicious email attachments, the updated variants of the TrueBot malware utilize the CVE-2022-31199 vulnerability to gain initial access. This shift in tactics allows the perpetrators to exploit this specific vulnerability instead of relying solely on email-based transmission methods.

This strategic shift empowers the cyber threat actors to execute broader-scale attacks within infiltrated environments. It is worth noting that Netwrix Auditor is utilized by over 13,000 companies worldwide, including prominent organizations such as Airbus, Allianz, the UK NHS, and Virgin.

While the alert does not provide specific details about the targeted victims or the number of organizations affected by the TrueBot attacks, it emphasizes the significance of the threat posed by this malware variant.

The research also highlights the involvement of various post-compromise malware, such as IcedID and Bumblebee, as well as the Raspberry Robin and TrueBot malware in these attacks. Attackers can increase the impact of their destructive actions and reach more potential victims by using Raspberry Robin as a distribution platform.
The Silence and TA505 groups are actively targeting networks for financial gain. Therefore, it is crucial that businesses implement the recommended security measures to protect themselves.

To enhance protection against TrueBot malware and similar threats, enterprises should consider the following suggestions:

  • Update Netwrix Auditor: Organizations utilizing Netwrix Auditor should ensure their software is updated to version 10.5 or higher and apply relevant patches to address the CVE-2022-31199 vulnerability.
  • Implement multi-factor authentication (MFA): Employ MFA for all staff members and services to bolster security protocols.
  • Monitor for infiltration indicators (IOCs): Continuously monitor networks for signs of TrueBot infection. The provided warning includes tips for identifying and mitigating the impact of the attack.
  • Report incidents: If IOCs are detected or a TrueBot breach is suspected, organizations should promptly follow their incident response procedures as outlined in the alert. It is also important to notify CISA or the FBI regarding the incident.


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center