Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



08:15 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

ServHelper & FlawedGrace Malware Highlight Shift in Cyber Attacks

The ServHelper and FlawedGrace malware developed by threat group TA505 exemplify the move away from smash-and-grab ransomware toward more stealthy, longer campaigns, according to a recent analysis by Proofpoint.

A prolific threat group that first appeared on the radar in 2014 and then authored the Locky ransomware attacks in 2017 is now behind backdoor malware and remote access Trojan (RAT) campaigns that are part of a larger shift among bad actors away from ransomware and toward longer and more destructive stealth attacks.

Proofpoint researchers have linked the TA505 group to distribution of a backdoor called ServHelper -- which has two variants -- and a full-featured RAT dubbed FlawedGrace, both of which were detected in late 2018 and appear to have multiple targets, including financial institutions, retailers and restaurants. Unlike noisier "smash and grab" ransomware, both ServHelper and FlawedGrace are in line with the trend that emerged last year "in which threat actors increasingly focused on distribution of downloaders, information stealers, RATS, and other malware that can remain resident on victim devices for far longer," the researchers wrote in a blog post outlining the new TA505 campaigns. (See Ryuk Ransomware Tied to Printing Press & Cloud Service Provider Attacks.)

Ransomware isn’t going away, but attackers are increasingly looking at other options. Cybercriminals also appear to be looking for more stable payments than cryptocurrencies such as Bitcoin and Monero, according to Chris Dawson, threat intelligence lead for Proofpoint. (See Ransomware, New Privacy Laws Are Top Security Concerns for 2019.)

"We can only speculate on drivers for this shift, but the fall of ransomware and rise of bankers, loaders, etc., corresponds to rapid drops in cryptocurrency values," Dawson told Security Now in an email. "Instead of looking to be paid in what used to be high-value cryptocurrencies, threat actors now appear to be turning back to stealing fiat currencies directly with credential theft, fraudulent transactions, and more."

Proofpoint analysts first detected ServHelper on November 9, 2018, in a small email campaign of thousands of messages that was targeting banks. The messages came with Microsoft Word or Publisher attachments that include macros that downloaded and executed the malware when enabled. This was the first variant of ServHelper found. Written in Delphi, the malware is a "tunnel" variant that used command-and-control URIs and is still being developed, with new commands and functionalities being added with each campaign.

The tunnel variant has more features than the second variant found -- a downloader -- and sets up reverse SSH tunnels that enable the attacker to get into the infected host through the Remote Desktop Protocol. Once in, the bad actor can take control of legitimate user accounts or web browser profiles, the researchers said.

The downloader variant, detected November 15, 2018, does include the tunneling and hijacking capabilities. It can download the FlawedGrace RAT, which the researchers said they first saw in November 2017 and targets a wider range of businesses, including banks, retail businesses and restaurants.

"ServHelper is interesting because of the two variants we have observed," Dawson said. "One is a very full-featured backdoor focused on establishing remote control of the infected device while the other is a fairly focused downloader, even though they share much of their underlying core code. FlawedGrace, on the other hand, is a very large executable and, again, is quite robust. However, TA505 has distributed the FlawedAmmyy RAT at scale over the last year, tRAT, various loaders, and more, so these appear to be two more tools in their already robust toolkit."

In addition, the wider range of targets also is relatively new for TA505. (See Healthcare Industry Still in Ransomware Crosshairs.)

"When TA505 was sending massive spam campaigns in 2016 and 2017, often comprised of millions or even hundreds of millions of messages, we did not observe any discernible targeting," he added. "So for TA505, even this relatively broad targeting represents a significant shift. Again, we can only speculate on the motivation or perceived opportunities that have driven this degree of targeting, but we continue to observe threat actors following the money. Other actors are far more focused on a single vertical while still others continue to take a 'spray and pray' approach, so there is certainly a spectrum of activity in the landscape."

FlawedGrace is written in C++ and uses object-oriented and multithreaded programmable techniques, which makes reverse engineering and debugging difficult and time-consuming, researchers note. It also suggests that its author was not the same developer who created ServHelper, though they hadn't seen FlawedGrace since the November 2017 email campaign until they detected ServHelper.

The researchers noted that over the past few years, TA505 has created some malware that quickly comes and goes -- the Bart ransomware was only distributed for a day in 2016 -- and others like Locky, which became one of the higher profile ransomware attacks in 2017, when ransomware was the attack of choice for many threat actors thanks to the success of such malware as WannaCry, SamSam and Petya. ServHelper and FlawedGrace appear to be more of the latter.

"We will continue to observe the distribution of these three malware variants but, at this time, they do not appear to be one-offs, but rather long-term investments by TA505," researchers wrote in their report.

Proofpoint's Dawson said there are a number of steps enterprises can take to protect against ServHelper and FlawedGrace, including having layered defenses at the network edge, email gateway and endpoing and a strong user education program.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-11
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged ...
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183
PUBLISHED: 2020-08-11
The Temi application 1.3.3 through 1.3.7931 for Android has hard-coded credentials.