Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



08:15 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

ServHelper & FlawedGrace Malware Highlight Shift in Cyber Attacks

The ServHelper and FlawedGrace malware developed by threat group TA505 exemplify the move away from smash-and-grab ransomware toward more stealthy, longer campaigns, according to a recent analysis by Proofpoint.

A prolific threat group that first appeared on the radar in 2014 and then authored the Locky ransomware attacks in 2017 is now behind backdoor malware and remote access Trojan (RAT) campaigns that are part of a larger shift among bad actors away from ransomware and toward longer and more destructive stealth attacks.

Proofpoint researchers have linked the TA505 group to distribution of a backdoor called ServHelper -- which has two variants -- and a full-featured RAT dubbed FlawedGrace, both of which were detected in late 2018 and appear to have multiple targets, including financial institutions, retailers and restaurants. Unlike noisier "smash and grab" ransomware, both ServHelper and FlawedGrace are in line with the trend that emerged last year "in which threat actors increasingly focused on distribution of downloaders, information stealers, RATS, and other malware that can remain resident on victim devices for far longer," the researchers wrote in a blog post outlining the new TA505 campaigns. (See Ryuk Ransomware Tied to Printing Press & Cloud Service Provider Attacks.)

(Source: Pixabay)
(Source: Pixabay)

Ransomware isn’t going away, but attackers are increasingly looking at other options. Cybercriminals also appear to be looking for more stable payments than cryptocurrencies such as Bitcoin and Monero, according to Chris Dawson, threat intelligence lead for Proofpoint. (See Ransomware, New Privacy Laws Are Top Security Concerns for 2019.)

"We can only speculate on drivers for this shift, but the fall of ransomware and rise of bankers, loaders, etc., corresponds to rapid drops in cryptocurrency values," Dawson told Security Now in an email. "Instead of looking to be paid in what used to be high-value cryptocurrencies, threat actors now appear to be turning back to stealing fiat currencies directly with credential theft, fraudulent transactions, and more."

Proofpoint analysts first detected ServHelper on November 9, 2018, in a small email campaign of thousands of messages that was targeting banks. The messages came with Microsoft Word or Publisher attachments that include macros that downloaded and executed the malware when enabled. This was the first variant of ServHelper found. Written in Delphi, the malware is a "tunnel" variant that used command-and-control URIs and is still being developed, with new commands and functionalities being added with each campaign.

The tunnel variant has more features than the second variant found -- a downloader -- and sets up reverse SSH tunnels that enable the attacker to get into the infected host through the Remote Desktop Protocol. Once in, the bad actor can take control of legitimate user accounts or web browser profiles, the researchers said.

The downloader variant, detected November 15, 2018, does include the tunneling and hijacking capabilities. It can download the FlawedGrace RAT, which the researchers said they first saw in November 2017 and targets a wider range of businesses, including banks, retail businesses and restaurants.

A view of the TA505 downloader\r\n(Source: Proofpoint)\r\n
A view of the TA505 downloader
\r\n(Source: Proofpoint)\r\n

"ServHelper is interesting because of the two variants we have observed," Dawson said. "One is a very full-featured backdoor focused on establishing remote control of the infected device while the other is a fairly focused downloader, even though they share much of their underlying core code. FlawedGrace, on the other hand, is a very large executable and, again, is quite robust. However, TA505 has distributed the FlawedAmmyy RAT at scale over the last year, tRAT, various loaders, and more, so these appear to be two more tools in their already robust toolkit."

In addition, the wider range of targets also is relatively new for TA505. (See Healthcare Industry Still in Ransomware Crosshairs.)

"When TA505 was sending massive spam campaigns in 2016 and 2017, often comprised of millions or even hundreds of millions of messages, we did not observe any discernible targeting," he added. "So for TA505, even this relatively broad targeting represents a significant shift. Again, we can only speculate on the motivation or perceived opportunities that have driven this degree of targeting, but we continue to observe threat actors following the money. Other actors are far more focused on a single vertical while still others continue to take a 'spray and pray' approach, so there is certainly a spectrum of activity in the landscape."

FlawedGrace is written in C++ and uses object-oriented and multithreaded programmable techniques, which makes reverse engineering and debugging difficult and time-consuming, researchers note. It also suggests that its author was not the same developer who created ServHelper, though they hadn't seen FlawedGrace since the November 2017 email campaign until they detected ServHelper.

The researchers noted that over the past few years, TA505 has created some malware that quickly comes and goes -- the Bart ransomware was only distributed for a day in 2016 -- and others like Locky, which became one of the higher profile ransomware attacks in 2017, when ransomware was the attack of choice for many threat actors thanks to the success of such malware as WannaCry, SamSam and Petya. ServHelper and FlawedGrace appear to be more of the latter.

"We will continue to observe the distribution of these three malware variants but, at this time, they do not appear to be one-offs, but rather long-term investments by TA505," researchers wrote in their report.

Proofpoint's Dawson said there are a number of steps enterprises can take to protect against ServHelper and FlawedGrace, including having layered defenses at the network edge, email gateway and endpoing and a strong user education program.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...