• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Google confirms Salesforce CRM breach, faces extortion threat

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 57

 | 

Security Affairs newsletter Round 536 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Embargo Ransomware nets $34.2M in crypto since April 2024

 | 

Germany limits police spyware use to serious crimes

 | 

Phishing attacks exploit WinRAR flaw CVE-2025-8088 to install RomCom

 | 

French firm Bouygues Telecom suffered a data breach impacting 6.4M customers

 | 

Columbia University data breach impacted 868,969 people

 | 

SonicWall dismisses zero-day fears after Ransomware probe

 | 

Air France and KLM disclosed data breaches following the hack of a third-party platform

 | 

CISA, Microsoft warn of critical Exchange hybrid flaw CVE-2025-53786

 | 

Microsoft unveils Project Ire: AI that autonomously detects malware

 | 

CERT-UA warns of UAC-0099 phishing attacks targeting Ukraine’s defense sector

 | 

Over 100 Dell models exposed to critical ControlVault3 firmware bugs

 | 

How CTEM Boosts Visibility and Shrinks Attack Surfaces in Hybrid and Cloud Environments

 | 

WhatsApp cracks down on 6.8M scam accounts in global takedown

 | 

Trend Micro fixes two actively exploited Apex One RCE flaws

 | 

U.S. CISA adds D-Link cameras and Network Video Recorder flaws to its Known Exploited Vulnerabilities catalog

 | 

Google fixed two Qualcomm bugs that were actively exploited in the wild

 | 

Zero Day Quest returns: Microsoft ups the stakes with $5M bug bounty

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • TA505 Group adds new ServHelper Backdoor and FlawedGrace RAT to its arsenal

TA505 Group adds new ServHelper Backdoor and FlawedGrace RAT to its arsenal

Pierluigi Paganini January 13, 2019

Proofpoint analyzed two strains of malware tracked as ServHelper and FlawedGrace distributed through phishing campaigns by the TA505 crime gang.

Security researchers at Proofpoint researchers discovered two strains of malware tracked as ServHelper and FlawedGrace distributed through phishing campaigns by the TA505 crime gang.

The ServHelper is a backdoor, experts analyzed two variants of it, while FlawedGrace is a remote access trojan (RAT).

“In November 2018, TA505, a prolific actor that has been at the forefront of this trend, began distributing  a new backdoor we named “ServHelper”. ServHelper has two variants: one focused on remote desktop functions and a second that primarily functions as a downloader.” reads the analysis published by Proofpoint.

“Additionally we have observed the downloader variant download a malware we call “FlawedGrace.” FlawedGrace is a full-featured RAT that we first observed in November 2017.”

The TA505 group was first spotted by Proofpoint back 2017, it has been active at least since 2015 and targets organizations in financial and retail industries.

The group carried out a large number of campaigns using weaponized Office and PDF documents to deliver notorious malware, including
the Dridex banking trojan, tRAT RAT, FlawedAmmy RAT,
Philadelphia ransomware, GlobeImposter and Locky ransomware.

In November experts observed several campaigns carried out by the
TA505 group, in three of them the threat actors delivered the ServHelper malware.
The ServHelper backdoor is written in Delphi and according to the experts, the development team continues to update it by implementing with new features. Researchers pointed out that almost every new campaign used a new variant of the malware.

One of the largest campaigns distributed tens of thousands of emails and leveraged weaponized .DOC, .PUB, and .WIZ documents.

TA505 mail

On December 13, Proofpoint observed a third campaign spreading the ServHelper backdoor.

“On December 13, 2018, we observed another large ServHelper “downloader” campaign targeting retail and financial services customers.” reads the analysis published by Proofpoint.

“The messages used a mixture of Microsoft Word attachments with embedded malicious macros, PDF attachments with URLs linking to a fake “Adobe PDF Plugin” webpage linking to the malware, and direct URLs in the email body linking to a ServHelper executable.”

The attacks leveraging the two malware were not targeted in nature attackers aimed at financial services organizations worldwide.

Once downloaded the ServHelper backdoor set up reverse SSH tunnels that allow attackers to access to the infected system via Remote Desktop Protocol (RDP) on port 3389.

“As noted, there are two distinct variants of ServHelper: a “tunnel” variant and a “downloader” variant. The “tunnel” variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). ”
continues Proofpoint.

“Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit,”

Experts also discovered another ServHelper variant that does not include the tunneling and hijacking capabilities, in this case, the backdoor was used only as a downloader for the FlawedGrace RAT.

The threat actors use the .bit Top-Level Domain (TLD) for the Domain Name System (DNS) servers. The support for “.bit” C&C domains was added to protect the C2 infrastructure, this TLD is associated with the cryptocurrency Namecoin and requires special DNS servers that the malware uses (dedsolutions[.]bit, arepos[.]bit).null

The .bit TLD is not controlled by ICANN this means that it is impossible to ask the organization to shu down a fraudulent domain used as C2.

The TA505 group also use the FlawedGrace RAT, the malware is written in C++ and according to Proofpoint its coding style and techniques it implements suggest that RAT and ServHelper were developed by different groups.

“Threat actor TA505 is both consistent and prolific. When the group distributes new malware, it may be a blip (like Bart ransomware, which was only distributed for one day in 2016) or like Locky ransomware it may become the dominant strain of malware in the wild. In this case, the group has started distributing two variants on a new backdoor we named ServHelper and a RAT we call FlawedGrace.” concluded Proofpoint.

“This also extends the trend that emerged in 2018, in which threat actors increasingly focused on distribution of downloaders, information stealers, RATS, and other malware that can remain resident on victim devices for far longer than destructive, “smash and grab” malware like ransomware.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – TA505, cybercrime)

[adrotate banner=”5″] [adrotate banner=”13″]


facebook linkedin twitter

Cybercrime Hacking Pierluigi Paganini Security Affairs TA505

you might also like

Pierluigi Paganini August 10, 2025
Google confirms Salesforce CRM breach, faces extortion threat
Read more
Pierluigi Paganini August 10, 2025
BadCam: Linux-based Lenovo webcam bugs enable BadUSB attacks
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Google confirms Salesforce CRM breach, faces extortion threat

    Data Breach / August 10, 2025

    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 57

    Breaking News / August 10, 2025

    Security Affairs newsletter Round 536 by Pierluigi Paganini – INTERNATIONAL EDITION

    Breaking News / August 10, 2025

    Embargo Ransomware nets $34.2M in crypto since April 2024

    Cyber Crime / August 09, 2025

    Germany limits police spyware use to serious crimes

    Laws and regulations / August 09, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT