Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



08:15 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

ServHelper & FlawedGrace Malware Highlight Shift in Cyber Attacks

The ServHelper and FlawedGrace malware developed by threat group TA505 exemplify the move away from smash-and-grab ransomware toward more stealthy, longer campaigns, according to a recent analysis by Proofpoint.

A prolific threat group that first appeared on the radar in 2014 and then authored the Locky ransomware attacks in 2017 is now behind backdoor malware and remote access Trojan (RAT) campaigns that are part of a larger shift among bad actors away from ransomware and toward longer and more destructive stealth attacks.

Proofpoint researchers have linked the TA505 group to distribution of a backdoor called ServHelper -- which has two variants -- and a full-featured RAT dubbed FlawedGrace, both of which were detected in late 2018 and appear to have multiple targets, including financial institutions, retailers and restaurants. Unlike noisier "smash and grab" ransomware, both ServHelper and FlawedGrace are in line with the trend that emerged last year "in which threat actors increasingly focused on distribution of downloaders, information stealers, RATS, and other malware that can remain resident on victim devices for far longer," the researchers wrote in a blog post outlining the new TA505 campaigns. (See Ryuk Ransomware Tied to Printing Press & Cloud Service Provider Attacks.)

Ransomware isn’t going away, but attackers are increasingly looking at other options. Cybercriminals also appear to be looking for more stable payments than cryptocurrencies such as Bitcoin and Monero, according to Chris Dawson, threat intelligence lead for Proofpoint. (See Ransomware, New Privacy Laws Are Top Security Concerns for 2019.)

"We can only speculate on drivers for this shift, but the fall of ransomware and rise of bankers, loaders, etc., corresponds to rapid drops in cryptocurrency values," Dawson told Security Now in an email. "Instead of looking to be paid in what used to be high-value cryptocurrencies, threat actors now appear to be turning back to stealing fiat currencies directly with credential theft, fraudulent transactions, and more."

Proofpoint analysts first detected ServHelper on November 9, 2018, in a small email campaign of thousands of messages that was targeting banks. The messages came with Microsoft Word or Publisher attachments that include macros that downloaded and executed the malware when enabled. This was the first variant of ServHelper found. Written in Delphi, the malware is a "tunnel" variant that used command-and-control URIs and is still being developed, with new commands and functionalities being added with each campaign.

The tunnel variant has more features than the second variant found -- a downloader -- and sets up reverse SSH tunnels that enable the attacker to get into the infected host through the Remote Desktop Protocol. Once in, the bad actor can take control of legitimate user accounts or web browser profiles, the researchers said.

The downloader variant, detected November 15, 2018, does include the tunneling and hijacking capabilities. It can download the FlawedGrace RAT, which the researchers said they first saw in November 2017 and targets a wider range of businesses, including banks, retail businesses and restaurants.

"ServHelper is interesting because of the two variants we have observed," Dawson said. "One is a very full-featured backdoor focused on establishing remote control of the infected device while the other is a fairly focused downloader, even though they share much of their underlying core code. FlawedGrace, on the other hand, is a very large executable and, again, is quite robust. However, TA505 has distributed the FlawedAmmyy RAT at scale over the last year, tRAT, various loaders, and more, so these appear to be two more tools in their already robust toolkit."

In addition, the wider range of targets also is relatively new for TA505. (See Healthcare Industry Still in Ransomware Crosshairs.)

"When TA505 was sending massive spam campaigns in 2016 and 2017, often comprised of millions or even hundreds of millions of messages, we did not observe any discernible targeting," he added. "So for TA505, even this relatively broad targeting represents a significant shift. Again, we can only speculate on the motivation or perceived opportunities that have driven this degree of targeting, but we continue to observe threat actors following the money. Other actors are far more focused on a single vertical while still others continue to take a 'spray and pray' approach, so there is certainly a spectrum of activity in the landscape."

FlawedGrace is written in C++ and uses object-oriented and multithreaded programmable techniques, which makes reverse engineering and debugging difficult and time-consuming, researchers note. It also suggests that its author was not the same developer who created ServHelper, though they hadn't seen FlawedGrace since the November 2017 email campaign until they detected ServHelper.

The researchers noted that over the past few years, TA505 has created some malware that quickly comes and goes -- the Bart ransomware was only distributed for a day in 2016 -- and others like Locky, which became one of the higher profile ransomware attacks in 2017, when ransomware was the attack of choice for many threat actors thanks to the success of such malware as WannaCry, SamSam and Petya. ServHelper and FlawedGrace appear to be more of the latter.

"We will continue to observe the distribution of these three malware variants but, at this time, they do not appear to be one-offs, but rather long-term investments by TA505," researchers wrote in their report.

Proofpoint's Dawson said there are a number of steps enterprises can take to protect against ServHelper and FlawedGrace, including having layered defenses at the network edge, email gateway and endpoing and a strong user education program.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-09
Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remoto attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.
PUBLISHED: 2020-07-08
NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges.
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section.
PUBLISHED: 2020-07-08
An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect...