TrueBot Cyber Attack Demo

Juniper Threat Labs Security
Title slide from the demo presentation is shown. It reads, “TrueBot Attack Demo” in white type on black background.

How to avoid falling victim to surging TrueBot ransomware attacks.

Malicious threat actors can’t stop and won’t stop. In this episode, Juniper Threat Labs discusses TrueBot malware, a common threat vector used by cyber criminals to attack and compromise systems. (Tip #1: Never ever download a “PDF” from an untrusted source.)


You’ll learn

  • The origins of TrueBot malware, and how it infects systems

  • How Juniper anti-malware solutions can protect your network

Who is this for?

  • Security Professionals

  • Network Professionals


0:00 Welcome to the Juniper Threat Labs

0:02 Attack Demo series. Today's subject is

0:04 TrueBot malware.

0:06 Because the means vary by which TrueBot

0:08 is delivered, this video will demonstrate

0:11 a common threat vector used by malicious

0:13 threat actors to attack and compromise

0:15 victim systems.

0:17 But first, let's begin with an

0:19 introduction to TrueBot malware.

0:22 TrueBot was created by Russian hacking

0:24 group Silence, but its use is also linked

0:26 to other collaborative or overlapping

0:28 malicious cyber criminal groups: TA505,

0:31 also known as Evil Corp, FIN11 and the

0:34 Clop ransomware gang. TrueBot is today

0:37 primarily a malware downloader. As such,

0:39 it is a "first stage" module

0:42 mainly used for downloading additional

0:44 malware, including FlawedGrace, Cobalt

0:47 Strike, a data exfiltration tool called

0:49 Teleport, and the Raspberry Robin worm,

0:51 which is itself linked with distributing

0:54 TrueBot, Bumblebee, IcedID and even Clop

0:57 ransomware.

0:58 TrueBot adds the victim's system to

1:00 botnets, and it receives command and

1:02 control instructions from its master to

1:04 download and execute several file types,

1:08 including .exe, .dll, batch files, PowerShell

1:10 scripts and shellcode.

1:12 The master can also issue a bot command

1:15 to terminate or kill TrueBot.

1:17 TrueBot is very versatile, making it

1:19 little wonder that there's been a surge

1:21 of TrueBot malicious activity. The Clop

1:23 ransomware gang, who were involved in

1:25 recent hacks of a MOVEit file transfer

1:27 software program vulnerability, uses

1:30 TrueBot in its toolkit. Elsewhere, TrueBot

1:32 was used in the initial stage of an

1:34 attack that resulted in the wiping of

1:36 master boot records, or MBRs. In that

1:39 infection, TrueBot loaded FlawedGrace,

1:41 which made a series of registry and

1:43 print spooler mods, escalating privileges and

1:45 establishing persistence. TrueBot later

1:48 loaded Cobalt Strike. Then, following

1:50 lateral movement across the network and

1:52 deployment of FlawedGrace, the threat

1:54 actors deployed the MBR killer wiper on

1:56 all the other accessed hosts before

1:59 triggering a reboot, at which point all

2:01 the hosts were dead in the water,

2:02 unusable. All this began with TrueBot.

2:06 TrueBot was also used by threat actors

2:08 who exploited a Netwrix Auditor

2:10 vulnerability, CVE-

2:13 2022-31199. Still, the primary threat

2:16 vector used to trick would-be victims

2:18 into installing TrueBot is through

2:20 phishing emails with malicious URLs in

2:22 them. So that is the TrueBot example you

2:25 are about to see.

2:27 This is a typical TrueBot attack chain.

2:29 It begins with a phishing email. The

2:31 phishing email includes a malicious URL,

2:33 which when clicked typically leads to a

2:35 drive-by download of the TrueBot

2:37 executable. In some cases the first

2:40 malicious URL link in the email message

2:42 redirects would-be victims to a second

2:44 malicious URL before the drive-by

2:47 download. In our example, however, there is

2:49 but a single email having a single

2:51 malicious URL. Now, with the background on

2:54 TrueBot malware out of the way, next up

2:56 in this video Juniper Threat Labs

2:58 demonstrates this attack. Let's get

3:00 started. We're demonstrating this attack

3:02 in a contained environment to show how

3:04 it works. The victim here received a

3:07 phishing email which contains a

3:09 malicious URL. Phishing emails are a kind

3:11 of social engineering technique used by

3:13 attackers who are trying to trick would-be

3:15 victims into doing something, in this

3:17 case tricking them into clicking that

3:19 URL. Once the victim clicks the URL, the

3:22 browser is opened and the malware is

3:24 downloaded.

3:25 Though the naming varies from one

3:27 TrueBot infection to another, in this

3:30 case the malware is named

3:32 document_5_June_

3:36 54687.exe. While TrueBot is an executable,

3:39 the malware authors are clever in that

3:41 they've used a PDF icon to make it

3:43 appear to the victim that he or she

3:45 downloaded a PDF. This is a common

3:47 technique used by threat actors, but as

3:49 soon as the victim opens it the malware

3:52 is executed and it's game over.

3:54 Though the malware displays a message

3:56 indicating to the victim that the

3:57 document is damaged and cannot be

3:59 repaired, you and I both know that this

4:02 was no document but was instead the

4:04 malicious TrueBot program.

4:06 So at this point the system is already

4:07 infected. The TrueBot executable is now

4:10 running in memory under process name

4:11 RuntimeBroker.exe. The bot is just

4:14 waiting for its master to send commands

4:16 for it to execute. Given that

4:19 TrueBot is a first stage malware

4:20 downloader, the instructions typically

4:22 involve downloading additional malware,

4:24 as we've seen in recent TrueBot news.

4:27 We can verify the communication of

4:29 TrueBot to the master using Wireshark.

4:35 For this variant of TrueBot, the command

4:37 and control server is

4:45 As shown, the system performs a DNS

4:47 request

4:49 before establishing a TCP connection to

4:51 the server at IP address

4:55 on port 443. Once the TCP

4:59 connection is established, the malware

5:00 sets up a TLS connection to secure its

5:02 command and control communication.

5:05 Let's now look and see whether or not

5:07 this attack works as successfully with a

5:09 Juniper SRX firewall enhanced with

5:11 protection from Juniper's cloud-based

5:13 advanced anti-malware solution, Juniper

5:16 ATP.

5:17 For the demo, Juniper Threat Labs is

5:19 using the following setup. We have a vSRX

5:21 pictured in the center. The vSRX is a

5:24 virtual SRX firewall providing network

5:26 security protection. Its purpose is to

5:28 inspect network traffic and, with the

5:30 assistance of Juniper ATP Cloud, to

5:32 detect malware like TrueBot. In addition

5:35 to the virtual firewall and cloud-based

5:37 protections, we are using Juniper

5:38 Security Director, which is a centralized

5:40 management system. Security Director

5:43 facilitates our configuring and

5:45 monitoring of the vSRX firewall, and we

5:47 are using Juniper's Policy Enforcer as

5:49 well.

5:50 Juniper's Policy Enforcer enforces

5:53 security policies on endpoints and

5:55 ensures they comply with corporate

5:57 security standards. Pictured as well are

5:59 several Windows workstations, each of

6:01 which is connected to the vSRX, and

6:04 finally there is an Ubuntu server which

6:06 is acting as the malware download server.

6:09 Before we proceed and run the TrueBot

6:11 attack simulation with protection

6:13 provided by Juniper's Connected Security

6:15 solutions, let's first take a look at the

6:17 threat prevention policy that we've set

6:20 up on our Security Director and applied

6:21 to the vSRX.

6:23 To access the policy, we'll navigate to

6:26 the Configure tab, then we select Threat

6:29 Prevention and Policies.

6:35 As you can see, we already have an

6:37 existing policy in place. Let's further

6:39 inspect the protections being enforced

6:41 by the applied policy.

6:43 For this demo our policy is configured

6:45 to block command and control traffic at

6:47 threat level 8 and above. We've also set

6:49 it up to block infected hosts at threat

6:51 level 8 and above. Additionally, we have

6:54 configured our policy to use ATP Cloud

6:56 for malware detection, and as you can see

6:58 we've elected to scan both HTTP

7:01 downloads and email attachments.

7:03 Finally, we've chosen to block any and

7:05 all threats rated at level 7 and above.

7:08 This threat prevention policy, applied to

7:11 the Juniper vSRX firewall, is a critical

7:13 component of our defenses, protecting our

7:15 systems against malware related attacks

7:17 including TrueBot. It allows us to detect

7:20 and block malicious traffic as well as

7:21 the activity of potentially infected

7:23 hosts, which will then prevent the spread

7:25 of malware throughout our network in the

7:27 event one of our systems gets

7:29 compromised. Acting as would-be malicious

7:31 threat actors for the demo, we now

7:33 connect to the victim system via RDP.

7:39 We will first confirm that we have

7:41 internet connectivity, so we visit

7:43 Wikipedia. After all, without an internet

7:45 connection the victim's PC would be

7:47 unable to download the TrueBot malware.

7:54 As shown earlier in this video, the

7:56 attack begins with this phishing email

7:58 that includes a malicious URL. Once the

8:01 victim clicks on it, it immediately opens

8:03 the browser, which then tries to download

8:04 the executable as you had seen earlier,

8:07 but this time, because Juniper

8:09 protections are in place, the browser

8:11 shows a message that it is being prevented

8:13 from downloading the malicious file. We

8:15 can also verify this through Wireshark.

8:17 Here we can show the same message as the

8:19 one shown in the browser. Ultimately, the

8:22 good news is that Juniper's Connected

8:24 Security solutions blocked TrueBot before

8:26 it was able to get a foothold on the

8:27 would-be victim's PC and before it was

8:30 able to add this PC to one of its

8:31 botnets.

8:37 Going back to our Juniper Security

8:39 Director, we can find more details about

8:41 this failed attack. Under the HTTP File

8:44 Download tab we see information about

8:46 the detected malware, including the

8:48 threat level, in this case level 10 for

8:50 TrueBot, the malicious file hash value

8:52 and the URL associated with the malware.

8:56 We can also click on the hash to find

8:58 out more details. These details include a

9:01 static analysis of the malware to show

9:03 you different types of information

9:04 collected by analyzing the static

9:06 properties of the file

9:19 and behavior analysis, which includes

9:22 information collected as a result of

9:24 running the malware in a sandbox.

9:31 We can see network activity and

9:33 behavioral details, including processes

9:36 that would have been spawned, as well as

9:37 information about this malicious threat

9:39 related to the MITRE ATT&CK framework.

9:42 It's important to note that Juniper ATP

9:45 identifies whether a file is a threat or

9:47 not using machine learning as well as

9:49 the information just discussed, thus

9:51 without the need for any signatures.

9:54 Next, and again using Juniper Security

9:56 Director, this time we'll look at the ATP

9:59 Cloud Host tab. Here we can show you that

10:02 the targeted victim system has been

10:03 added to the infected host feed, in this

10:06 case not because it was infected but

10:08 because the threat level of the attack

10:09 was 10, which well exceeded the

10:11 level 8 threshold we've set in Juniper

10:13 Policy Enforcer.

10:15 For the time being the host is

10:17 disconnected from the network, and our

10:19 security admin can click on that host

10:21 to learn why it was blocked. In doing so,

10:23 he or she finds that it was because of

10:25 an attempt by the host's user to

10:27 download a malicious file.

10:35 To verify that the host no longer has

10:37 internet connectivity, we'll try to RDP

10:40 to it as before and then try, unsuccessfully

10:42 as you'll see, to ping it.

11:13 Once the network security administrator

11:15 is sure that the host is free from

11:17 infection, we will want to restore the

11:19 infected system back to the network. To

11:21 do so, we go to the Security Director and

11:23 click on the infected host.

11:25 To the right of the investigation status

11:27 we will select "Resolved - Fixed".

11:31 Afterwards the host status is now clean,

11:35 and in just a few seconds the host is

11:37 connected once again to the network and

11:39 able to operate as before.

11:51 We can verify that the host is back

11:53 online by pinging this PC once again,

12:06 and we can RDP to it successfully this

12:08 time as well.

12:18 Finally, for good measure, we'll make sure

12:20 that the host can browse the internet.

12:27 That completes our demo of TrueBot

12:29 malware. Check out more videos from the

12:31 Juniper Threat Labs Attack Demo series

12:33 by visiting thanks for

12:35 watching
