It’s a must for threat actors to cover their tracks, and Truebot does just that.
Distributed via a Traffic Distribution System (TDS), the Truebot intrusion began with a chain of page redirects that ended by dropping a Master Boot Record (MBR) killer wiper onto the victim's computer. The final payload exfiltrated the user's data to a remote server and then erased it from the source. Some victims were merely prompted to reboot; the less fortunate were left with inoperable systems.[1]
Starting from a published list of IoCs (three domains and five IP addresses, to be exact),[2] the TIP researchers found:
- Three IP addresses that hosted the domains identified as IoCs, two of which were detected as malicious
- A publicly viewable registrant email address in the historical WHOIS record of a domain tagged as an IoC
- More than 7,000 domains that shared one IoC’s registrant email address, four of which were detected as malware hosts
- 200+ domains hosted on the same dedicated IP addresses some of the IoCs resolved to
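The four findings above are the output of a standard infrastructure pivot: resolve the IoC domains to their hosting IPs, pull registrant e-mail addresses from historical WHOIS, reverse-search those addresses for co-registered domains, and list other domains on the same dedicated IPs. The script below is an added example, not the researchers' own tooling; every domain, IP, e-mail and detection verdict in it is constructed sample data (none are Truebot indicators), and the in-memory dictionaries stand in for the passive DNS, WHOIS and malware-detection feeds a real investigation would query.

```python
"""Added example: expanding a seed IoC list through infrastructure pivots.

All records below are constructed, hypothetical values standing in for
passive DNS, historical WHOIS and detection feeds.
"""
import json

# --- constructed sample datasets (hypothetical values) -------------------
SEED_DOMAINS = {"ioc-one.example", "ioc-two.example", "ioc-three.example"}

# passive DNS: domain -> set of IPs it has resolved to
PASSIVE_DNS = {
    "ioc-one.example": {"198.51.100.5"},
    "ioc-two.example": {"198.51.100.5"},
    "ioc-three.example": {"198.51.100.9"},
    "benign-neighbour.example": {"198.51.100.9"},
    "dropper-host.example": {"198.51.100.5"},
    "unrelated.example": {"192.0.2.77"},
}

# historical WHOIS: domain -> registrant e-mail (None when redacted)
WHOIS_EMAIL = {
    "ioc-one.example": "registrant@mailbox.invalid",
    "ioc-two.example": None,
    "ioc-three.example": None,
    "dropper-host.example": "registrant@mailbox.invalid",
    "cousin-domain.example": "registrant@mailbox.invalid",
    "unrelated.example": "someone-else@mailbox.invalid",
}

# detection verdicts: artefacts a scanner has flagged as malicious
MALICIOUS = {"198.51.100.5", "dropper-host.example"}


def hosting_ips(domains):
    """Pivot 1: IPs the seed domains resolved to, each with its malicious flag."""
    ips = set()
    for d in domains:
        ips |= PASSIVE_DNS.get(d, set())
    return {ip: ip in MALICIOUS for ip in sorted(ips)}


def registrant_emails(domains):
    """Pivot 2: registrant e-mails from historical WHOIS (non-redacted only)."""
    return {WHOIS_EMAIL[d] for d in domains if WHOIS_EMAIL.get(d)}


def reverse_whois(emails, exclude):
    """Pivot 3: other domains registered with the same e-mail address."""
    found = {d for d, e in WHOIS_EMAIL.items() if e in emails and d not in exclude}
    return {d: d in MALICIOUS for d in sorted(found)}


def reverse_ip(ips, exclude):
    """Pivot 4: other domains hosted on the same IPs."""
    wanted = set(ips)
    found = {d for d, addrs in PASSIVE_DNS.items() if addrs & wanted and d not in exclude}
    return sorted(found)


def expand_iocs(seed_domains):
    """Run the four pivots and return a report.

    Everything beyond the seed list is a lead to vet, not a confirmed
    indicator: shared hosting and a reused registrant e-mail both also
    sweep in benign neighbours, as the sample data shows.
    """
    ips = hosting_ips(seed_domains)
    emails = registrant_emails(seed_domains)
    return {
        "hosting_ips": ips,
        "registrant_emails": sorted(emails),
        "reverse_whois": reverse_whois(emails, seed_domains),
        "reverse_ip": reverse_ip(ips, seed_domains),
    }


if __name__ == "__main__":
    print(json.dumps(expand_iocs(SEED_DOMAINS), indent=2))
```

The detection flags are carried through every pivot on purpose: a reverse-WHOIS or reverse-IP hit is only an association, and the sample deliberately includes a benign neighbour on a shared IP and a co-registered domain with no detection so the report reads as leads to triage rather than as a finished blocklist.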
Download a sample of the threat research materials now or contact us to access the complete set of research materials.
[1] https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
[2] https://otx.alienvault.com/pulse/64877fcf823431cc11354174