ServHelper & FlawedGrace Malware Highlight Shift in Cyber Attacks

A prolific threat group that first appeared on the radar in 2014 and then authored the Locky ransomware attacks in 2017 is now behind backdoor malware and remote access Trojan (RAT) campaigns that are part of a larger shift among bad actors away from ransomware and toward longer and more destructive stealth attacks.

Proofpoint researchers have linked the TA505 group to distribution of a backdoor called ServHelper -- which has two variants -- and a full-featured RAT dubbed FlawedGrace, both of which were detected in late 2018 and appear to have multiple targets, including financial institutions, retailers and restaurants. Unlike noisier "smash and grab" ransomware, both ServHelper and FlawedGrace are in line with the trend that emerged last year "in which threat actors increasingly focused on distribution of downloaders, information stealers, RATS, and other malware that can remain resident on victim devices for far longer," the researchers wrote in a blog post outlining the new TA505 campaigns. (See Ryuk Ransomware Tied to Printing Press & Cloud Service Provider Attacks.)

(Source: Pixabay)

Ransomware isn’t going away, but attackers are increasingly looking at other options. Cybercriminals also appear to be looking for more stable payments than cryptocurrencies such as Bitcoin and Monero, according to Chris Dawson, threat intelligence lead for Proofpoint. (See Ransomware, New Privacy Laws Are Top Security Concerns for 2019.)

"We can only speculate on drivers for this shift, but the fall of ransomware and rise of bankers, loaders, etc., corresponds to rapid drops in cryptocurrency values," Dawson told Security Now in an email. "Instead of looking to be paid in what used to be high-value cryptocurrencies, threat actors now appear to be turning back to stealing fiat currencies directly with credential theft, fraudulent transactions, and more."

Proofpoint analysts first detected ServHelper on November 9, 2018, in a small email campaign of thousands of messages that was targeting banks. The messages came with Microsoft Word or Publisher attachments that include macros that downloaded and executed the malware when enabled. This was the first variant of ServHelper found. Written in Delphi, the malware is a "tunnel" variant that used command-and-control URIs and is still being developed, with new commands and functionalities being added with each campaign.

The tunnel variant has more features than the second variant found -- a downloader -- and sets up reverse SSH tunnels that enable the attacker to get into the infected host through the Remote Desktop Protocol. Once in, the bad actor can take control of legitimate user accounts or web browser profiles, the researchers said.

The downloader variant, detected November 15, 2018, does include the tunneling and hijacking capabilities. It can download the FlawedGrace RAT, which the researchers said they first saw in November 2017 and targets a wider range of businesses, including banks, retail businesses and restaurants.

A view of the TA505 downloader
\r\n(Source: Proofpoint)\r\n

"ServHelper is interesting because of the two variants we have observed," Dawson said. "One is a very full-featured backdoor focused on establishing remote control of the infected device while the other is a fairly focused downloader, even though they share much of their underlying core code. FlawedGrace, on the other hand, is a very large executable and, again, is quite robust. However, TA505 has distributed the FlawedAmmyy RAT at scale over the last year, tRAT, various loaders, and more, so these appear to be two more tools in their already robust toolkit."

In addition, the wider range of targets also is relatively new for TA505. (See Healthcare Industry Still in Ransomware Crosshairs.)

"When TA505 was sending massive spam campaigns in 2016 and 2017, often comprised of millions or even hundreds of millions of messages, we did not observe any discernible targeting," he added. "So for TA505, even this relatively broad targeting represents a significant shift. Again, we can only speculate on the motivation or perceived opportunities that have driven this degree of targeting, but we continue to observe threat actors following the money. Other actors are far more focused on a single vertical while still others continue to take a 'spray and pray' approach, so there is certainly a spectrum of activity in the landscape."

FlawedGrace is written in C++ and uses object-oriented and multithreaded programmable techniques, which makes reverse engineering and debugging difficult and time-consuming, researchers note. It also suggests that its author was not the same developer who created ServHelper, though they hadn't seen FlawedGrace since the November 2017 email campaign until they detected ServHelper.

The researchers noted that over the past few years, TA505 has created some malware that quickly comes and goes -- the Bart ransomware was only distributed for a day in 2016 -- and others like Locky, which became one of the higher profile ransomware attacks in 2017, when ransomware was the attack of choice for many threat actors thanks to the success of such malware as WannaCry, SamSam and Petya. ServHelper and FlawedGrace appear to be more of the latter.

"We will continue to observe the distribution of these three malware variants but, at this time, they do not appear to be one-offs, but rather long-term investments by TA505," researchers wrote in their report.

Proofpoint's Dawson said there are a number of steps enterprises can take to protect against ServHelper and FlawedGrace, including having layered defenses at the network edge, email gateway and endpoing and a strong user education program.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.