Threat group Silence has been spotted infecting an increasing number of devices using Truebot malware.
The findings come from Cisco Talos researchers, who have also suggested a connection between Silence and the infamous hacking group Evil Corp (tracked by Cisco as TA505).
According to an advisory published on Thursday, the campaigns observed by the firm have resulted in the creation of two botnets: one with infections distributed worldwide (particularly in Mexico and Brazil) and a more recent one focused on the US.
“While we don’t have enough information to say that there is a specific focus on a sector, we noticed a number of compromised education sector organizations,” reads the advisory.
Cisco Talos threat researcher Tiago Pereira believes Truebot to be a precursor to other threats that are known to have been responsible for attacks leading to high losses.
“Readers should consider this as an initial stage of what can be a serious attack, and keep in mind that the attackers demonstrate agility in incorporating new delivery vectors,” Pereira said.
Further, Cisco Talos explained that Silence is not simply expanding its targets but also advancing from using malicious emails as its primary delivery method to new techniques.
“In October, a larger number of infections leveraged Raspberry Robin, a recent malware spread through USB drives, as a delivery vector. We believe with moderate confidence that during November, the attackers started using yet another way to distribute the malware,” the company wrote.
The technical write-up also suggests that post-compromise activity included data theft and the execution of Clop ransomware.
“While investigating one of these attacks, we found what seems to be a fully featured custom data exfiltration tool, which we are calling ‘Teleport,’ that was extensively used to steal information during the attack.”
Teleport was built in C++ and contained multiple features to improve the process of data exfiltration, including limiting the upload speed and file size, encrypting communications with a custom protocol and the ability to delete itself after use.
During its investigation, Cisco Talos also observed Silence exploiting a relatively new Netwrix vulnerability (tracked CVE-2022-31199).
“This vulnerability had been published only a few weeks before the attacks took place, and the number of systems exposed from the internet is expected to be quite small,” reads the advisory.
“This suggests that the attackers are not only on the lookout for new infection vectors but are also able to quickly test them and incorporate them into their workflow.”
The Silence threat group was not the first spotted using the malware tools above. An October advisory by Microsoft linked Raspberry Robin to the Clop and LockBit ransomware groups.