Detecteam
Blog · Scenario

TrueBot

By Detecteam, 2023-08-17

TLP

TLP CLEAR

Author

Jordi M. Lobo

Summary

In May 2023, a campaign using the “404 TDS” Traffic Distribution System delivered Truebot via email. Recipients who clicked the email link were redirected through multiple URLs, ending in a fake Adobe Acrobat document download that was in fact a Truebot executable. After execution, Truebot copied and renamed itself, then introduced the FlawedGrace malware, which manipulated the registry and the Print Spooler service for privilege escalation and persistence. FlawedGrace stored and extracted encoded payloads, created scheduled tasks, and injected its payload into system processes. Attempts to establish RDP connections and explore the domain followed. Later, Cobalt Strike was introduced, enabling lateral movement and reconnaissance. Data exfiltration and a destructive MBR Killer action ensued, cutting off network access.

DATA

cs_GenericFileWritten.json

TIMELINE

CATEGORY

Malware

References

  • https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/

MITRE ATT&CK

Post Tags:

  • T1003.001 - LSASS Memory
  • T1003.002 - Security Account Manager
  • T1012 - Query Registry
  • T1018 - Remote System Discovery
  • T1021.002 - SMB/Windows Admin Shares
  • T1027.010 - Command Obfuscation
  • T1027.011 - Fileless Storage
  • T1033 - System Owner/User Discovery
  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1048 - Exfiltration Over Alternative Protocol
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1055 - Process Injection
  • T1057 - Process Discovery
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1069.001 - Local Groups
  • T1069.002 - Domain Groups
  • T1071.001 - Web Protocols
  • T1074.001 - Local Data Staging
  • T1087.002 - Domain Account
  • T1094 - Custom Command and Control Protocol
  • T1140 - Deobfuscate/Decode Files or Information
  • T1204.002 - User Execution: Malicious File
  • T1492 - Domain Trust Discovery
  • T1518.001 - Security Software Discovery
  • T1543.003 - Windows Service
  • T1550.002 - Use Alternate Authentication Material: Pass the Hash
  • T1561.002 - Disk Structure Wipe
  • T1562.001 - Disable or Modify Tools
  • T1566 - Phishing
Detecteam

Detecteam is transforming cybersecurity detection from static rule-writing to autonomous, continuous validation. Our REFLEX platform automates the detection lifecycle—building, testing, validating and deploying detections in minutes, not months. We help enterprises maximize ROI on existing tools, close high-risk detection gaps faster, and scale security outcomes without scaling headcount. This is the future of detection-as-code, and we’re leading it.

CONTACT US

Detecteam Inc.
300 Lenora Street PMB 659
Seattle, WA 98121 USA
+1 (650) 542-0831
sales@detecteam.com

© 2025 Detecteam Inc. All Rights Reserved.