Since August 2022, Talos has seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor that is responsible for several high-impact attacks on financial institutions in several countries around the world.
Recently, the attackers have shifted from using malicious emails as their primary delivery method to other techniques. In August, Talos saw a small number of attacks that exploited a recent remote code execution vulnerability in Netwrix Auditor. In October, a larger number of infections leveraged Raspberry Robin, a recent malware family spread through USB drives, as a delivery vector.
Post-compromise activity included data theft and the execution of Clop ransomware. While investigating one of these attacks, Talos found what seems to be a fully featured custom data exfiltration tool, which they are calling “Teleport,” that was extensively used to steal information during the attack.