top of page

Increasing TrueBot Malware Activity

Updated: Jul 25, 2023

CISA, FBI, MS-ISAC, and CCCS Warn of Increasing Truebot Malware Activity Targeting US and Canadian Organizations through Netwrix Auditor.


CISA, the FBI, the MS-ISAC, and the Canadian Centre for Cyber Security (CCCS) have issued a joint advisory to warn about the increase in Truebot malware activity. New variants of the malware are being used to target organizations in the US and Canada through exploiting a remote code execution (RCE) vulnerability in the Netwrix Auditor application to gain initial access by exploiting CVE-2022-31199.

More than 13,000 organizations across over 100 countries use the software, making them potential targets of such attacks. The agencies have published details on detecting the malware and mitigating its effects, including applying patches for the Netwrix Auditor vulnerability, mandating MFA, and using IOCs to hunt for signs of malicious activity.

Truebot is primarily designed to steal sensitive information from victims' systems for financial gain. The malware was previously used by CI0p and Silence cybercriminal groups to collect and exfiltrate information from victims. While there is no information on the number of impaired victims, researchers have warned about Truebot activity after discovering the Netwrix Auditor vulnerability in mid-2022. In December 2022, Cisco Talos researchers identified a small number of cases where Truebot was executed by exploiting the vulnerability. DEV-0950 also started using Raspberry Robin malware to deliver Truebot alongside CI0p ransomware onto compromised systems mainly in Mexico, Brazil, and Pakistan.


  • Malware Campaigns


  • Apply patches to CVE-2022-31199

  • Update to Netwrix Auditor to version 10.5

  • Netwrix officially recommends systems running Netwrix Auditor should not be expose to the internet

Incident Response

  • Quarantine or take offline potentially affected hosts.

  • Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.

  • Provision new account credentials

  • Reimage compromised host


1. Truebot’s Activity Spikes, U.S and Canada Authorities Issue Warning. (2023, July 7). Cyware Labs.

2. Netwrix Statement on CVE-2022-31199 (2023, July 6) Frisco, Texas,


We're Here to Assist You

CyberForce|Q has provided information security services for over 27 years. We architect and implement quantifiable cybersecurity programs for organizations of all sizes – with proven results. CyberForce|Q provides a wide range of services to a diverse group of organizations including educational organizations, government entities, healthcare entities, manufacturing enterprises, and both public and private organizations.

We can assist you in being prepared.

30 views0 comments


bottom of page