TrueBot Cyber Attack Demo

0:00 welcome to the Juniper threat Labs

0:02 attack demo series today's subject is

0:04 truebot malware

0:06 because the means vary by which truebot

0:08 is delivered this video will demonstrate

0:11 a common Threat Vector used by malicious

0:13 threat actors to attack and compromise

0:15 victim systems

0:17 but first let's begin with an

0:19 introduction to truebot malware

0:22 truebot was created by Russian hacking

0:24 group silence but its use is also linked

0:26 to other collaborative or overlapping

0:28 malicious cyber criminal groups ta-505

0:31 also known as evil core Finn 11 and the

0:34 club ransomware gang truebot is today

0:37 primarily a malware downloader as such

0:39 it is a quote unquote first stage module

0:42 mainly used for downloading additional

0:44 malware including flawed Grace Cobalt

0:47 strike a data exfiltration tool called

0:49 teleport and the raspberry Robin worm

0:51 which is itself linked with Distributing

0:54 truebot bumblebee iced ID and even clop

0:57 ransomware

0:58 truvot adds the victim's system to

1:00 botnets and it receives command and

1:02 control instructions from its Master to

1:04 download and execute several file types

1:08 including.xc.dll batch files Powershell

1:10 scripts and Shell Code

1:12 the master can also issue a bot command

1:15 to terminate or kill truebot

1:17 truebot is very versatile making a

1:19 little wonder that there's been a surge

1:21 of truebot malicious Activity The klop

1:23 ransomware Gang who were involved in

1:25 recent hacks of a move I.T file transfer

1:27 software program vulnerability uses

1:30 truebot in its toolkit elsewhere truebot

1:32 was used in the initial stage of an

1:34 attack that resulted in the wiping of

1:36 Master boot records or mbrs in that

1:39 infection truebot loaded flawed Grace

1:41 that made a series of registry and

1:43 principler mods escalating privileges in

1:45 establishing persistence truebot later

1:48 loaded Cobalt strike then following

1:50 lateral movement across the network and

1:52 deployment of flawed Grace the threat

1:54 actors deployed the MBR killer wiper on

1:56 all the other accessed hosts before

1:59 triggering a reboot at which point all

2:01 the hosts were dead in the water

2:02 unusable all this began with truebot

2:06 truvot was also used by threat actors

2:08 who exploited on Netflix auditor

2:10 vulnerability cve

2:13 2022-31199 still the primary threat

2:16 factor used to trick would-be victims

2:18 into installing truebot is through

2:20 phishing emails with malicious URLs in

2:22 them so that is the truebot example you

2:25 are about to see

2:26 foreign

2:27 this is a typical truebot attack chain

2:29 it begins with a phishing email the

2:31 phishing email includes a malicious URL

2:33 which when clicked typically leads to a

2:35 drive-by download of the truebot

2:37 executable in some cases the first

2:40 malicious URL Link in the email message

2:42 redirects would-be victims to a second

2:44 malicious URL before the drive by

2:47 download in our example however there is

2:49 but a single email having a single

2:51 malicious URL now with the background on

2:54 truebot malware out of the way next up

2:56 in this video Juniper threat Labs

2:58 demonstrates this attack let's get

3:00 started we're demonstrating this attack

3:02 in a contained environment to show how

3:04 it works the victim here received a

3:07 phishing email which contains a

3:09 malicious URL phishing emails are a kind

3:11 of social engineering technique used by

3:13 attackers who are trying to trick would

3:15 be victims into doing something in this

3:17 case tricking them into clicking that

3:19 URL once the victim clicks the URL the

3:22 browser is opened and the malware is

3:24 downloaded

3:25 though the naming varies from one

3:27 truebot infection to another in this

3:30 case the malware is named document

3:32 underscore 5 underscore June underscore

3:36 54687.exe while truebot is an executable

3:39 the malware authors are clever and that

3:41 they've used a PDF icon to make it

3:43 appear to the victim that he or she

3:45 downloaded a PDF this is a common

3:47 technique used by thread actors but as

3:49 soon as the victim opens it the malware

3:52 is executed and it's game over

3:54 though the malware displays a message

3:56 indicating to the victim that the

3:57 document is damaged and cannot be

3:59 repaired you and I both know that this

4:02 was no document but was instead the

4:04 malicious truebot program

4:06 so at this point the system is already

4:07 infected the chewbot executable is now

4:10 running in memory under process name

4:11 runtime broker.xc the bot is just

4:14 waiting for its Master to send commands

4:16 for it to execute which given that

4:19 truebot is a first stage malware

4:20 downloader the instructions typically

4:22 involve downloading additional malware

4:24 as we've seen in recent truebot news

4:27 we can verify the communication of

4:29 truebot to the master using Wireshark

4:35 for this variant of truebot the command

4:37 and control server is midnightwall.com

4:45 as shown the system performs a DNS

4:47 request

4:49 before establishing a TCP connection to

4:51 the server at IP address

4:55 46.161.48.128 on Port 443 once the TCP

4:59 connection is established the malware

5:00 sets up a TLS connection to secure its

5:02 command and control communication

5:05 let's now look and see whether or not

5:07 this attack works as successfully with a

5:09 juniper SRX firewall enhanced with

5:11 protection from Juniper's cloud-based

5:13 Advanced anti-malware solution Juniper

5:16 ATP

5:17 for the demo Juniper threat Labs is

5:19 using the following setup we have a vsrx

5:21 pictured in the center the vsrx is a

5:24 virtual SRX firewall providing network

5:26 security protection its purpose is to

5:28 inspect Network traffic and with the

5:30 assistance of juniper ATP Cloud to

5:32 detect malware like truebot in addition

5:35 to the virtual firewall and cloud-based

5:37 protections we are using Juniper

5:38 security director which is a centralized

5:40 management system security director

5:43 facilitates our configuring and

5:45 monitoring of the vsrx firewall and we

5:47 are using Juniper's policy enforcer as

5:49 well

5:50 Juniper's policy enforcer enforces

5:53 security policies and endpoints and

5:55 ensures they comply with corporate

5:57 security standards pictured as well are

5:59 several Windows workstations Each of

6:01 which is connected to the vsrx and

6:04 finally there is a Ubuntu Server which

6:06 is acting as the malware download server

6:09 before we proceed and run the truebot

6:11 attack simulation with protection

6:13 provided by Juniper's connected Security

6:15 Solutions let's first take a look at the

6:17 threat prevention policy that we've set

6:20 up on our security director and applied

6:21 to the vsrx

6:23 to access the policy we'll navigate to

6:26 the configure tab then we select threat

6:29 prevention and policies

6:35 as you can see we already have an

6:37 existing policy in place let's further

6:39 inspect the protections being enforced

6:41 by the applied policy

6:43 for this demo our policy is configured

6:45 to block command and control traffic at

6:47 Threat Level 8 and above we've also set

6:49 it up to block infected hosts at Threat

6:51 Level 8 and above additionally we have

6:54 configured our policy to use ATP Cloud

6:56 for malware detection and as you can see

6:58 we've elected to scan both HTTP

7:01 downloads and email attachments

7:03 finally we've chosen to block any and

7:05 all threats rated at level 7 and above

7:08 this threat prevention policy applied to

7:11 the Juniper vsrx firewall is a critical

7:13 component of our defenses protecting our

7:15 systems against malware related attacks

7:17 including truebot it allows us to detect

7:20 and block malicious traffic as well as

7:21 the activity of potentially infected

7:23 hosts which will then prevent the spread

7:25 of malware throughout our Network in the

7:27 event one of our systems gets

7:29 compromised acting as would-be malicious

7:31 threat actors for the demo we now

7:33 connect to the victim system via RDP

7:36 foreign

7:39 we will first confirm that we have

7:41 internet connectivity so we visit

7:43 Wikipedia after all without an internet

7:45 connection the victim's PC would be

7:47 unable to download the truebot malware

7:54 as shown earlier in this video the

7:56 attack begins with this phishing email

7:58 that includes a malicious URL once the

8:01 victim clicks on it it immediately opens

8:03 the browser which then tries to download

8:04 the executable as you had seen earlier

8:07 but this time because Juniper

8:09 protections are in place the browser

8:11 shows a message that is being prevented

8:13 from downloading the military's file we

8:15 can also verify this through Wireshark

8:17 here we can show the same message as the

8:19 one shown in the browser ultimately the

8:22 good news is that Juniper's connected

8:24 Security Solutions block truebot before

8:26 it was able to get a foothold on the

8:27 would-be victims PC and before it was

8:30 able to add this PC to one of its

8:31 botnets

8:37 going back to our Juniper security

8:39 director we can find more details about

8:41 this failed Attack under the hdb file

8:44 download tab we see information about

8:46 the detected malware including the

8:48 threat level in this case level 10 for

8:50 truebot the malicious file hash value

8:52 and the URL associated with the malware

8:56 we can also click on the hash to find

8:58 out more details these details include a

9:01 static analysis of the malware to show

9:03 you different types of information

9:04 collected by analyzing the static

9:06 properties of the file

9:09 [Music]

9:19 and behavior analysis which includes

9:22 information collected as a result of

9:24 running the malware in a sandbox

9:31 we can see network activity and

9:33 behavioral details including processes

9:36 that would have been spawned as well as

9:37 information about this malicious threat

9:39 related to the miter attack framework

9:42 it's important to note that Juniper ATP

9:45 identifies whether a file is a threat or

9:47 not using machine learning as well as

9:49 the information just discussed thus

9:51 without the need for any signatures

9:54 next and again using Juniper security

9:56 director this time we'll look at the ATP

9:59 Cloud host tab here we can show you that

10:02 the targeted victim system has been

10:03 added to the infected host feed in this

10:06 case not because it was infected but

10:08 because the threat level of the attack

10:09 was 10. the which well exceeded the

10:11 level 8 threshold via set in Juniper

10:13 policy Enforcer

10:15 for the time being the host is

10:17 disconnected from the network and our

10:19 security admin can click on that house

10:21 to learn why it was blocked in doing so

10:23 he or she finds that it was because of

10:25 an attempt by the host's user to

10:27 download a malicious file

10:35 to verify that the host no longer has

10:37 internet connectivity we'll try to RDP

10:40 to it as before and then try out

10:42 successfully as you'll see to Ping it

11:05 thank you

11:13 once the network Security administrator

11:15 is sure that the host is free from

11:17 infection we will want to restore the

11:19 infected system back to the network to

11:21 do so we go to the security director and

11:23 click on the infected host

11:25 to the right of the investigation status

11:27 we will select resolved fixed

11:31 afterwards the host status is now clean

11:35 and in just a few seconds the host is

11:37 connected once again to the network and

11:39 able to operate as before

11:42 [Music]

11:51 we can verify that the host is back

11:53 online by picking this PC once again

12:03 thank you

12:06 and we can RDP to it successfully this

12:08 time as well

12:18 finally for good measure we'll make sure

12:20 that the host can browse the internet

12:27 that completes our demo of truebot

12:29 malware check out more videos from the

12:31 Juniper threat Labs attack demo series

12:33 by visiting juniper.net thanks for

12:35 watching