TA505 Group adds new ServHelper Backdoor and FlawedGrace RAT to its arsenal

Proofpoint analyzed two strains of malware tracked as ServHelper and FlawedGrace distributed through phishing campaigns by the TA505 crime gang.

Security researchers at Proofpoint researchers discovered two strains of malware tracked as ServHelper and FlawedGrace distributed through phishing campaigns by the TA505 crime gang.

The ServHelper is a backdoor, experts analyzed two variants of it, while FlawedGrace is a remote access trojan (RAT).

“In November 2018, TA505, a prolific actor that has been at the forefront of this trend, began distributing  a new backdoor we named “ServHelper”. ServHelper has two variants: one focused on remote desktop functions and a second that primarily functions as a downloader.” reads the analysis published by Proofpoint.

“Additionally we have observed the downloader variant download a malware we call “FlawedGrace.” FlawedGrace is a full-featured RAT that we first observed in November 2017.”

The TA505 group was first spotted by Proofpoint back 2017, it has been active at least since 2015 and targets organizations in financial and retail industries.

The group carried out a large number of campaigns using weaponized Office and PDF documents to deliver notorious malware, including
the Dridex banking trojan, tRAT RAT, FlawedAmmy RAT,
Philadelphia ransomware, GlobeImposter and Locky ransomware.

In November experts observed several campaigns carried out by the
TA505 group, in three of them the threat actors delivered the ServHelper malware.
The ServHelper backdoor is written in Delphi and according to the experts, the development team continues to update it by implementing with new features. Researchers pointed out that almost every new campaign used a new variant of the malware.

One of the largest campaigns distributed tens of thousands of emails and leveraged weaponized .DOC, .PUB, and .WIZ documents.

On December 13, Proofpoint observed a third campaign spreading the ServHelper backdoor.

“On December 13, 2018, we observed another large ServHelper “downloader” campaign targeting retail and financial services customers.” reads the analysis published by Proofpoint.

“The messages used a mixture of Microsoft Word attachments with embedded malicious macros, PDF attachments with URLs linking to a fake “Adobe PDF Plugin” webpage linking to the malware, and direct URLs in the email body linking to a ServHelper executable.”

The attacks leveraging the two malware were not targeted in nature attackers aimed at financial services organizations worldwide.

Once downloaded the ServHelper backdoor set up reverse SSH tunnels that allow attackers to access to the infected system via Remote Desktop Protocol (RDP) on port 3389.

“As noted, there are two distinct variants of ServHelper: a “tunnel” variant and a “downloader” variant. The “tunnel” variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). ”
continues Proofpoint.

“Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit,”

Experts also discovered another ServHelper variant that does not include the tunneling and hijacking capabilities, in this case, the backdoor was used only as a downloader for the FlawedGrace RAT.

The threat actors use the .bit Top-Level Domain (TLD) for the Domain Name System (DNS) servers. The support for “.bit” C&C domains was added to protect the C2 infrastructure, this TLD is associated with the cryptocurrency Namecoin and requires special DNS servers that the malware uses (dedsolutions[.]bit, arepos[.]bit).null

The .bit TLD is not controlled by ICANN this means that it is impossible to ask the organization to shu down a fraudulent domain used as C2.

The TA505 group also use the FlawedGrace RAT, the malware is written in C++ and according to Proofpoint its coding style and techniques it implements suggest that RAT and ServHelper were developed by different groups.

“Threat actor TA505 is both consistent and prolific. When the group distributes new malware, it may be a blip (like Bart ransomware, which was only distributed for one day in 2016) or like Locky ransomware it may become the dominant strain of malware in the wild. In this case, the group has started distributing two variants on a new backdoor we named ServHelper and a RAT we call FlawedGrace.” concluded Proofpoint.

“This also extends the trend that emerged in 2018, in which threat actors increasingly focused on distribution of downloaders, information stealers, RATS, and other malware that can remain resident on victim devices for far longer than destructive, “smash and grab” malware like ransomware.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – TA505, cybercrime)

[adrotate banner=”5″] [adrotate banner=”13″]