Since August 2022, there has been an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world.

Truebot is a modular banking Trojan that first appeared in 2017. In addition to its primary functionality, which allows fraudsters to steal victims’ banking credentials, Truebot is capable of downloading arbitrary modules that allow it to act as a credential stealer, a remote access tool (RAT), and a downloader for additional malware. Its capabilities extend beyond standard banking Trojan functionality as well: it can be deployed as a cryptocurrency wallet stealer, steal cloud accounts credentials and/or Bitcoin wallets, and provide RAT-like capabilities.

The infection chain was designed in a modular way and the malware is able to infect multiple targets with different purposes, depending on the task it is given. The first step is to infect the target with a downloader, which downloads another file from an HTTP server. This in turn downloads the main module from an FTP server, and also passes data back to the user’s command-and-control server via HTTP.

Truebot uses several techniques to evade detection by traditional antivirus software. These include:

Using encrypted payloads that are decrypted at runtime only when needed.

Using random file names for files downloaded from the C&C and for those downloaded from the Web Delivery Module (WMD).

Attempting to bypass sandboxing systems by injecting a thread into a legitimate process and hiding inside it after being detected.

‍

Source: Breaking the silence - Recent Truebot activity - AlienVault - Open Threat Exchange