Overview

Truebot (aka Silence) is primarily a downloader associated with the threat actor group TA505. CISA recently published the alert "Increased Truebot Activity Infects U.S. and Canada Based Networks", which describes ransomware/extortion activity associated with the use of Truebot.

References

Samples

Analysis

  • The binary uses an Adobe PDF icon, possibly to trick victims into clicking it, and displays a fake error message: "There was an error opening this document. The file is damaged and could not be repaired. Adobe Acrobat"
  • The binary is padded with a significant amount of junk code that is not relevant to its operation.
  • The main code checks for debugging tools and AV; if any are detected, the malware instead executes a decoy process (calc.exe)
  • Multiple anti-emulation techniques are used, including:
    • Reading from a fake named pipe
    • Calling EraseTape
    • Checking for a valid code page with GetACP
    • Loading user32
    • Trying to open a random invalid file
  • The C2 host and URL path are stored encrypted; recovering them takes a base64 decode, then a URL decode, then RC4 with a hard-coded key
    • essadonio.com
    • /538332[.]php
  • A hard-coded mutex OrionStartWorld#666 is used to ensure only one copy of the malware is running
  • A GUID is generated for the victim and stored in a randomly named file with the extension .JSONMSDN in the %APPDATA% directory. This GUID is also used in the C2 communications.
  • A list of processes running on the host is collected and combined with the GUID. It is base64 encoded then sent to the C2 server in a POST request.
  • The C2 can respond with the following commands:
    • LSEL - delete yourself and exit
    • TFOUN - array of commands
      • EFE - download payload, decrypt with RC4 (hard-coded key), and execute as a PE
      • S66 - download, decrypt with RC4 (hard-coded key), and inject shellcode into cmd.exe
      • Z66 - download, decrypt with RC4 (hard-coded key), and run shellcode
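The following is an added worked example, not code from the original analysis or from the sample itself. It covers four points from the list above: peeling the base64/URL-decode/RC4 layering off the C2 host and path, recovering the GUID and process list from a captured check-in body, decrypting and sanity-checking a TFOUN payload for the EFE/S66/Z66 tags, and hunting for the .JSONMSDN GUID marker file. Everything the analysis does not state is an assumption here and is marked as such in the code: the RC4 key is a stand-in (the real hard-coded key is not published above), the encrypted blobs and the check-in body are constructed with that stand-in key rather than taken from the sample, the check-in layout (GUID first, one process per line) and the tasking wire format (tag and payload already separated, payload RC4 only) are assumed, and the GUID in the sample body is made up.

```python
import base64
import os
from urllib.parse import quote_from_bytes, unquote_to_bytes

# ASSUMPTION: the analysis does not publish the hard-coded RC4 key, so this
# stand-in key is used only so the constructed samples below round-trip.
RC4_KEY = b"stand-in-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_c2_string(blob: str, key: bytes = RC4_KEY) -> str:
    """Peel the layers in the order the analysis lists them: base64 decode,
    URL-decode the result, then RC4 with the hard-coded key."""
    return rc4(key, unquote_to_bytes(base64.b64decode(blob))).decode("utf-8")


def encrypt_c2_string(plaintext: str, key: bytes = RC4_KEY) -> str:
    """Forward direction (RC4, percent-encode, base64). Used only to build the
    constructed sample blobs; the real sample's blobs are not reproduced here."""
    encoded = quote_from_bytes(rc4(key, plaintext.encode("utf-8")), safe="")
    return base64.b64encode(encoded.encode("ascii")).decode("ascii")


# Constructed config blobs carrying the IOCs named in the analysis.
SAMPLE_HOST_BLOB = encrypt_c2_string("essadonio.com")
SAMPLE_PATH_BLOB = encrypt_c2_string("/538332.php")


def decode_checkin(post_body: bytes) -> tuple[str, list[str]]:
    """Recover the victim GUID and process list from a captured check-in body.
    ASSUMPTION: the analysis says the two are combined and base64 encoded but
    not how; GUID first, then one process name per line, is assumed here."""
    lines = base64.b64decode(post_body).decode("utf-8").splitlines()
    return lines[0], lines[1:]


# Constructed check-in body (not a real capture, made-up GUID) in the assumed layout.
SAMPLE_CHECKIN = base64.b64encode(
    b"0f8fad5b-d9cb-469f-a165-70867728950e\nexplorer.exe\nx64dbg.exe"
)

# Tasking tags from the analysis and what the bot does with each payload.
TASKS = {
    "LSEL": "delete self and exit",
    "EFE": "decrypt payload with RC4 and execute it as a PE",
    "S66": "decrypt payload with RC4 and inject it into cmd.exe as shellcode",
    "Z66": "decrypt payload with RC4 and run it as shellcode",
}


def decode_task(tag: str, payload: bytes, key: bytes = RC4_KEY) -> dict:
    """Decrypt a downloaded payload the way the TFOUN sub-commands do and
    sanity-check it against the tag. ASSUMPTION: the tasking wire format is not
    described above, so tag and payload arrive separated and payload is RC4 only."""
    if tag not in TASKS:
        raise ValueError(f"unknown task tag {tag!r}")
    if tag == "LSEL":
        return {"tag": tag, "action": TASKS[tag], "payload": b"", "is_pe": False}
    plain = rc4(key, payload)
    is_pe = plain[:2] == b"MZ"
    if tag == "EFE" and not is_pe:
        # EFE is documented as executing a PE; anything else is mis-keyed or corrupt.
        raise ValueError("EFE payload does not start with an MZ header")
    return {"tag": tag, "action": TASKS[tag], "payload": plain, "is_pe": is_pe}


def is_guid_marker(filename: str) -> bool:
    """Host triage: the victim GUID lives in a randomly named %APPDATA% file
    with the .JSONMSDN extension, so the extension alone is a usable hunt."""
    return filename.upper().endswith(".JSONMSDN")


def find_guid_marker_files(appdata_dir: str) -> list[str]:
    return sorted(f for f in os.listdir(appdata_dir) if is_guid_marker(f))


if __name__ == "__main__":
    print(decrypt_c2_string(SAMPLE_HOST_BLOB) + decrypt_c2_string(SAMPLE_PATH_BLOB))
    print(decode_checkin(SAMPLE_CHECKIN))
    print(decode_task("EFE", rc4(RC4_KEY, b"MZ\x90\x00\x03"))["action"])
```

To use this against a real sample, replace RC4_KEY with the key pulled from the binary and feed decrypt_c2_string the blobs as they sit in the binary; the MZ check in decode_task is a cheap way to confirm the key is right before anything is written to disk, and find_guid_marker_files can be pointed at each user's %APPDATA% during host triage.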