#1243024: This Trojan attack adds a backdoor to your Windows PC to steal data - TA505 Hacking Group Active Again

Description: Hacking group TA505 is distributing a brand new form of malware – and using it to target banks and retailers.

A well-resourced and prolific hacking group is distributing a new strain of malware that gives the hackers remote desktop access as part of an information-stealing campaign targeting banks, retailers and businesses.

ServHelper malware has been active since November last year and installs a backdoor onto Windows PCs, providing attackers with remote access to compromised machines. But that isn't where the attack ends: ServHelper also acts as a downloader for FlawedGrace, a family of trojan malware which first appeared in November 2017 and is described as "a full-featured" Remote Access Trojan.

The combined ServHelper and FlawedGrace campaign has been detailed by researchers at Proofpoint. They attribute the attacks to TA505, a cybercrime group that has launched some of the largest cyber attacks of of recent years, such as the Dridex banking trojan and Locky ransomware. The group has been active since at least 2014.

ServHelper campaigns begin by spamming out phishing emails. The messages are basic, simply asking potential victims to open documents, often claimed to relate to bank transfers. However, because of the sheer number of messages sent at a time -- tens of thousands of emails are distributed at once -- the attackers seemingly believe they can catch out a significant proportion of users, despite the basic nature of the phishing attacks.

"TA505 has typically not employed heavy social engineering, relying instead on volume to find unwitting victims. That said, human curiosity and our conditioning to rapidly open emails and attachments are often enough even without sophisticated social engineering," Chris Dawson, threat intelligence lead at Proofpoint told ZDNet.
servhelper-phishing-email.png

A phishing email used to distribute the malware.
Image: Proofpoint

Those who open the attachments -- and enable macros -- enable ServHelper to be installed on the machine. Researchers note that this new form of malware is actively being developed, with new commands and functionality being added in almost every new campaign since it first appeared.

But ServHelper's primary function has remained unchanged: it serves as a backdoor to allow attackers remote desktop access to the compromised device and allows attackers to hijack user accounts and web profiles -- providing them with vast swathes of information about the infected victim.

That isn't the end of the attack, however, because ServHelper is capable of downloading and executing another malware onto the compromised PC -- FlawedGrace.

FlawedGrace first appeared for a brief period in November 2017 before disappearing and only re-emerging as part of the ServHelper campaign. Researchers suggest that "significant development" has taken place on FlawedGrace, which has been built using object-oriented and multithreaded programming techniques -- a technique designed to make reverse-engineering and analysing the malware harder.

The remote access trojan capabilities of FlawedGrace mean it allows attackers to gain almost full control over an infected device. Given how the campaign targets banks and retailers, it's likely that acquiring money is the ultimate goal of the attacks, be that through stealing banking credentials, or using corporate credentials to gain access to sensitive information which can be traded on for profit.

It's believed that the ServHelper and FlawedGrace campaign remains active alongside another TA505 trojan malware campaign that emerged in late 2018. The group used to focus on ransomware, but has increasingly moved towards information stealers -- and it's likely they've opted to distribute different forms of malware to avoid detection and ensure maximum returns.

"The group has added a variety of malware to their toolkit over the years, with additions in 2018 focusing on RATs and loaders," said Dawson.

"While we can only speculate on the reasoning behind their choices in malware, new malware gives them new opportunities to evade detection and shift, for example, from ransomware to bankers or bankers to RATs, with the accompanying opportunities to follow the money."

Proofpoint has detailed information about Indicators of Compromise for ServHelper and FlawedGrace in their analysis of the malware.
First Aid: IOCs: 52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c SHA256 November 9 “Tunnel” campaign attachment hxxp://officemysuppbox[.]com/staterepository URL November 9 “Tunnel” campaign payload 1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8 SHA256 November 9 “Tunnel” campaign ServHelper hxxps://checksolutions[.]pw/ghuae/huadh.php URL November 9 “Tunnel” campaign ServHelper C&C hxxps://rgoianrdfa[.]pw/ghuae/huadh.php URL November 9 “Tunnel” campaign ServHelper C&C hxxps://arhidsfderm[.]pw/ghuae/huadh.php URL November 9 “Tunnel” campaign ServHelper C&C eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4 SHA256 November 15 “Downloader” campaign attachment hxxp://offficebox[.]com/host32 URL November 15 “Downloader” campaign payload 3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a SHA256 November 15 “Downloader” campaign ServHelper f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac SHA256 December 13 “FlawedGrace” campaign attachment hxxp://office365onlinehome[.]com/host32 URL December 13 “FlawedGrace” campaign payload d56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58 SHA256 December 13 “FlawedGrace” campaign ServHelper hxxps://afgdhjkrm[.]pw/aggdst/Hasrt.php URL December 13 “FlawedGrace” campaign ServHelper C&C efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74 SHA256 December 13 “FlawedGrace” campaign FlawedGrace 46.161.27[.]241:443 IP:Port December 13 “FlawedGrace” campaign FlawedGrace C&C 9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579 SHA256 “sethijack” command ServHelper hxxp://dedsolutions[.]bit/sav/s.php URL “sethijack” command ServHelper C&C hxxp://dedoshop[.]pw/sav/s.php URL “sethijack” command ServHelper C&C hxxp://asgaage[.]pw/sav/s.php URL “sethijack” command ServHelper C&C hxxp://sghee[.]pw/sav/s.php URL “sethijack” command ServHelper C&C a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549 SHA256 “loaddll” command ServHelper hxxps://vesecase[.]com/support/form.php URL “loaddll” command ServHelper C&C ET and ETPRO Suricata/Snort Signatures 2833522 ETPRO TROJAN Observed Malicious SSL Cert (HuadhServHelper RAT CnC) 2833552 ETPRO TROJAN HuadhServHelper RAT CnC Domain Observed in SNI 2833881 ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC) 2833985 ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC) 2834074 ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC) 2834233 ETPRO TROJAN ServHelper CnC Inital Checkin 2828489 ETPRO TROJAN FlawedGrace CnC Activity
More info: https://www.zdnet.com/article/this-trojan-attack-adds-a-backdoor-to-your-windows-pc-to-steal-data/?ftag=TRE-03-10aaa6b&bhid=22033606723048855968747532986084

Date added Jan. 10, 2019, 7:04 p.m.
Source ZDNet
Subjects
  • All New Malware Alerts - New Reports / IOCs in
  • .Banking / Finance Alerts
  • Banking Malware - New Reports in
  • TA505 Threat Actor / TRat