TA505 threat actor group found distributing ServHelper and FlawedGrace malware to steal data

• The malware helps the group to establish remote desktop access and harvest personal data of victims.
• The TA505 has been in the cybercrime business for at least four years.

The prolific TA505 threat actor group has been found using two new malware families to launch its recent attack campaign against banks, retailers, and businesses. Tracked as two ‘ServHelper’ backdoor with two variants and ‘FlawedGrace’ remote access trojan (RAT, the malware helps the group to establish remote desktop access and harvest users’ personal data.

The TA505 has been in the cybercrime business for at least four years and is mainly known for its involvement in delivering Dridex banking trojan and Locky ransomware via Necurs botnet.

About ServHelper backdoor

ServHelper backdoor has two variants. One is used to gain access to remote desktop functions and the second one acts as a downloader.

The malware has been observed to be used by the TA505 actors in three campaigns previously. The first one was detected on November 9, 2018, and was a small campaign. Here the hackers delivered the backdoor variants in the form of malicious macros embedded within Microsoft Word and Publisher. These documents were distributed via phishing emails.

Proofpoint researchers discovered that a large version of the campaign using the similar attack technique was launched on November 15, 2018. The campaign was used to target both financial and retail industries and the malicious macros were sent using documents with specific extensions such as .doc, .pub and .wiz.

On December 13, 2018, the third attack campaign was observed using the ServHelper variants. This time also the retail and financial organizations were the main targets of TA505 actors.

“The messages used a mixture of Microsoft Word attachments with embedded malicious macros, PDF attachments with URLs linking to a fake “Adobe PDF Plugin” webpage linking to the malware, and direct URLs in the email body linking to a ServHelper executable,” said researchers from Proofpoint in an analysis report.

ServHelper is written in Delphi and its developers continue to update the malware with new features and commands. The downloader variant of ServHelper is used by hackers to download additional malware such as FlawedGrace RAT.

About FlawedGrace RAT

FlawedGrace first appeared for a brief period in November 2017. After a gap of almost two years, the RAT has re-emerged as a part of ServHelper campaign. Proofpoint researchers suggest that there has been a significant development in the malware.

“FlawedGrace uses a complicated binary protocol for its command and control. It can use a configurable port for communications, but all samples we have observed to date have used port 443,” the Proofpoint researchers explained.

The malware can enable the attackers to gain full control over infected systems.

Researchers claim that the discovery of new strains of malware - ServHelper and FlawedGrace - indicates that it is a long term investment by threat actor group TA505. The attackers are believed to leverage the malware for future attacks.