TA505 hackers take up ServHelper backdoor and FlawedGrace RAT

by Ugnius Kiguolis - - 2019-01-14

The new phishing campaign by the infamous TA505 group has been targeting various sectors across the globe

ServHelper and FlawedGrace Security researchers spotted new phishing campaigns that distribute ServHelper backdoor and FlawedGrace remote access trojan. The malware strain comes from the infamous TA505 hacking group.

Security researchers from Proofpoint have published a report^[1] that detailed the new malware string that is connected to the TA505 group. Experts observed two new malware strains that started being distributed last year with the help of phishing emails: two variants of ServHelper backdoor and FlawedGrace remote access trojan.^[2]

According to research, several phishing campaigns were launched at the end of 2018 and targeted banks, restaurants, and retail businesses. The malicious emails contained MS Word or PDF files that, once launched with macro function, would download and install malware on the victims' computers.

TA505 has been one of the most active threat actors in the past few years, responsible for GlobeImposter^[3] and Locky ransomware. Nevertheless, researchers observed the group shifting from crypto viruses to backdoor trojans, RATs and info-stealers. Just as the mentioned Locky, the newly-discovered campaigns were using the Necrus botnet for the distribution.

First targeted attacks by TA505 were noticed in November 2018

Proofpoint reported that the new malware family ServHelper (the name was based on the file name associated with malware – ServHelper.dll) was first encountered on 9th of November when bad actors sent thousands of emails to financial businesses. The emails contained MS Word or Publisher attachments that used macro features to download the payload of ServHelper that used “tunnel” variant.

Researchers then noticed a much bigger campaign on 15th of November, which now also targeted the retail industry with attachments that used .doc, .pub or .wiz. file extensions. Similarly to the previous operation, malicious documents used macros to enable ServHelper, but this time it did not have the tunneling feature, and replaced it with a “downloader.”

The final campaign was executed on December 13th. This time, cybercriminals relied on PDF attachments with malicious links in addition to standard MS Word files. The significant difference is that this variant of ServHelper malware also downloaded an additional payload FlawedGrace, which was first observed in November 2017, and kept a low profile for the next two years.

ServHelper is a new malware and is being actively developed by cibercriminals

According to Proofpoint researchers, ServHelper is a new malware family that is being improved by adding new features and commands with each new phishing campaign. It is written in Delphi programming language, it uses the tunnel or downloader variant, as explained by security experts:^[1]

As noted, there are two distinct variants of ServHelper: a “tunnel” variant and a “downloader” variant. The “tunnel” variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit. The “downloader” variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader.

The malware posses multiple different features, such as:

maintains the keep-alive^[4] type of functionality;
connects the C&C to the host's RDP^[5] port (3389) with the help of reverse SSH tunnel;
copies Firefox and Chrome web browser profiles;
runs an executable downloaded from a specific URL;
removes the malware payload;
many other commands.

Unlike ServHelper, the secondary payload FlawedGrace remote access trojan is written in C++ and is quite difficult to crack:

It is a very large program and makes extensive use of object-oriented and multithreaded programming techniques. This makes reverse engineering and debugging the malware both difficult and time consuming. The coding style and techniques suggest that FlawedGrace was not written by the same developer as ServHelper.

Upon the inspection of the campaigns and malware samples, researchers concluded that ransomware authors are shifting from ransomware to information stealers, RATs and similar malware that can remain on the system unnoticed for longer and bring more benefits for threat actors.

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References

^ Dennis Schwartz. ServHelper and FlawedGrace - New malware introduced by TA505. Proofpoint. Threat Insight.
^ Stepher Cooper. What is a Remote Access Trojan or RAT? (with examples). CompariTech. Tech researched, compared and rated.
^ Linas Kiguolis. Globe Imposter ransomware virus. How to remove? (Uninstall guide). 2-spyware. Cybersecurity news and articles.
^ Robert Gibb. What is keep-alive?. Stackpath. American content delivery network and cloud service.
^ Doug Olenick. RDP attacks on the rise warns FBI, DHS. SC Media. Cybersecurity News, analysis and Product Reviews.