#1243024: This Trojan attack adds a backdoor to your Windows PC to steal data - TA505 Hacking Group Active Again

Description: Hacking group TA505 is distributing a brand new form of malware – and using it to target banks and retailers.

A well-resourced and prolific hacking group is distributing a new strain of malware that gives the hackers remote desktop access as part of an information-stealing campaign targeting banks, retailers and businesses.

ServHelper malware has been active since November 2018 and installs a backdoor onto Windows PCs, providing attackers with remote access to compromised machines. But that isn't where the attack ends: ServHelper also acts as a downloader for FlawedGrace, a family of trojan malware which first appeared in November 2017 and is described as "a full-featured" Remote Access Trojan.

The combined ServHelper and FlawedGrace campaign has been detailed by researchers at Proofpoint. They attribute the attacks to TA505, a cybercrime group behind some of the largest malware campaigns of recent years, including distribution of the Dridex banking trojan and Locky ransomware. The group has been active since at least 2014.

ServHelper campaigns begin by spamming out phishing emails. The messages are basic, simply asking potential victims to open documents, often claimed to relate to bank transfers. However, because of the sheer number of messages sent at a time -- tens of thousands of emails are distributed at once -- the attackers seemingly believe they can catch out a significant proportion of users, despite the basic nature of the phishing attacks.

"TA505 has typically not employed heavy social engineering, relying instead on volume to find unwitting victims. That said, human curiosity and our conditioning to rapidly open emails and attachments are often enough even without sophisticated social engineering," Chris Dawson, threat intelligence lead at Proofpoint, told ZDNet.
[Image: a phishing email used to distribute the malware. Source: Proofpoint]

Opening the attachment and enabling macros is what lets the document fetch the payload and install ServHelper on the machine; without the macro enablement step the lure does nothing. Researchers note that this new form of malware is actively being developed, with new commands and functionality being added in almost every new campaign since it first appeared.

But ServHelper's primary function has remained unchanged: it serves as a backdoor to allow attackers remote desktop access to the compromised device and allows attackers to hijack user accounts and web profiles -- providing them with vast swathes of information about the infected victim.

That isn't the end of the attack, however, because ServHelper is capable of downloading and executing a second piece of malware on the compromised PC: FlawedGrace.

FlawedGrace first appeared for a brief period in November 2017 before disappearing, and only re-emerged as part of the ServHelper campaign. Researchers suggest that "significant development" has taken place on FlawedGrace, which has been built using object-oriented and multithreaded programming techniques that make reverse engineering and analysis of the malware harder.

The remote access trojan capabilities of FlawedGrace mean it allows attackers to gain almost full control over an infected device. Given how the campaign targets banks and retailers, it's likely that acquiring money is the ultimate goal of the attacks, be that through stealing banking credentials, or using corporate credentials to gain access to sensitive information which can be traded on for profit.

It's believed that the ServHelper and FlawedGrace campaign remains active alongside another TA505 trojan malware campaign that emerged in late 2018. The group used to focus on ransomware, but has increasingly moved towards information stealers -- and it's likely they've opted to distribute different forms of malware to avoid detection and ensure maximum returns.

"The group has added a variety of malware to their toolkit over the years, with additions in 2018 focusing on RATs and loaders," said Dawson.

"While we can only speculate on the reasoning behind their choices in malware, new malware gives them new opportunities to evade detection and shift, for example, from ransomware to bankers or bankers to RATs, with the accompanying opportunities to follow the money."

Proofpoint has detailed information about Indicators of Compromise for ServHelper and FlawedGrace in their analysis of the malware.
First Aid: IOCs (reproduced from Proofpoint's analysis; indicators are defanged as published)

  Type     Indicator                                                          Role

November 9 “Tunnel” campaign
  SHA256   52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c   attachment
  URL      hxxp://officemysuppbox[.]com/staterepository                       payload
  SHA256   1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8   ServHelper
  URL      hxxps://checksolutions[.]pw/ghuae/huadh.php                        ServHelper C&C
  URL      hxxps://rgoianrdfa[.]pw/ghuae/huadh.php                            ServHelper C&C
  URL      hxxps://arhidsfderm[.]pw/ghuae/huadh.php                           ServHelper C&C

November 15 “Downloader” campaign
  SHA256   eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4   attachment
  URL      hxxp://offficebox[.]com/host32                                     payload
  SHA256   3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a   ServHelper

December 13 “FlawedGrace” campaign
  SHA256   f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac   attachment
  URL      hxxp://office365onlinehome[.]com/host32                            payload
  SHA256   d56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58   ServHelper
  URL      hxxps://afgdhjkrm[.]pw/aggdst/Hasrt.php                            ServHelper C&C
  SHA256   efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74   FlawedGrace
  IP:Port  46.161.27[.]241:443                                                FlawedGrace C&C

“sethijack” command ServHelper
  SHA256   9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579   ServHelper
  URL      hxxp://dedsolutions[.]bit/sav/s.php                                ServHelper C&C
  URL      hxxp://dedoshop[.]pw/sav/s.php                                     ServHelper C&C
  URL      hxxp://asgaage[.]pw/sav/s.php                                      ServHelper C&C
  URL      hxxp://sghee[.]pw/sav/s.php                                        ServHelper C&C

“loaddll” command ServHelper
  SHA256   a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549   ServHelper
  URL      hxxps://vesecase[.]com/support/form.php                            ServHelper C&C
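As an added check (example code written for this page, not Proofpoint's or ZDNet's): the script below takes the IOCs above in their defanged form, refangs them, and matches them against a proxy log and a path-to-hash table. Hosts are matched exactly or as subdomains rather than as substrings, so the office365onlinehome[.]com and offficebox[.]com lookalikes do not flag the legitimate domains they imitate. The log line format, client addresses, file paths and the sample lines themselves are constructed for the example and are not from the Proofpoint report.

```python
"""Match the defanged Proofpoint IOCs above against proxy logs and file hashes."""
import re
from urllib.parse import urlsplit

# IOCs copied from the table above, still defanged (hxxp://, [.]) as published.
IOCS = [
    ("52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c", "SHA256", "Nov 9 Tunnel attachment"),
    ("hxxp://officemysuppbox[.]com/staterepository", "URL", "Nov 9 Tunnel payload"),
    ("1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8", "SHA256", "Nov 9 Tunnel ServHelper"),
    ("hxxps://checksolutions[.]pw/ghuae/huadh.php", "URL", "Nov 9 Tunnel ServHelper C&C"),
    ("hxxps://rgoianrdfa[.]pw/ghuae/huadh.php", "URL", "Nov 9 Tunnel ServHelper C&C"),
    ("hxxps://arhidsfderm[.]pw/ghuae/huadh.php", "URL", "Nov 9 Tunnel ServHelper C&C"),
    ("eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4", "SHA256", "Nov 15 Downloader attachment"),
    ("hxxp://offficebox[.]com/host32", "URL", "Nov 15 Downloader payload"),
    ("3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a", "SHA256", "Nov 15 Downloader ServHelper"),
    ("f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac", "SHA256", "Dec 13 FlawedGrace attachment"),
    ("hxxp://office365onlinehome[.]com/host32", "URL", "Dec 13 FlawedGrace payload"),
    ("d56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58", "SHA256", "Dec 13 FlawedGrace ServHelper"),
    ("hxxps://afgdhjkrm[.]pw/aggdst/Hasrt.php", "URL", "Dec 13 FlawedGrace ServHelper C&C"),
    ("efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74", "SHA256", "Dec 13 FlawedGrace RAT"),
    ("46.161.27[.]241:443", "IP:Port", "Dec 13 FlawedGrace C&C"),
    ("9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579", "SHA256", "sethijack ServHelper"),
    ("hxxp://dedsolutions[.]bit/sav/s.php", "URL", "sethijack ServHelper C&C"),
    ("hxxp://dedoshop[.]pw/sav/s.php", "URL", "sethijack ServHelper C&C"),
    ("hxxp://asgaage[.]pw/sav/s.php", "URL", "sethijack ServHelper C&C"),
    ("hxxp://sghee[.]pw/sav/s.php", "URL", "sethijack ServHelper C&C"),
    ("a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549", "SHA256", "loaddll ServHelper"),
    ("hxxps://vesecase[.]com/support/form.php", "URL", "loaddll ServHelper C&C"),
]

def refang(value):
    """Undo write-up defanging: hxxp -> http, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.I)
    return value.replace("[.]", ".").replace("[:]", ":")

def normalize_url(url):
    """Lower-case scheme and host, keep the path's case (Hasrt.php is not hasrt.php), drop the query."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.hostname}{p.path}"

def index_iocs(iocs):
    """Exact-match lookup tables: indicator -> campaign description."""
    idx = {"sha256": {}, "url": {}, "host": {}, "socket": {}}
    for raw, kind, desc in iocs:
        v = refang(raw)
        if kind == "SHA256":
            idx["sha256"][v.lower()] = desc
        elif kind == "URL":
            idx["url"][normalize_url(v)] = desc
            idx["host"].setdefault(urlsplit(v).hostname, desc)
        elif kind == "IP:Port":
            idx["socket"][v] = desc
            idx["host"].setdefault(v.rsplit(":", 1)[0], desc)
    return idx

def host_hit(host, idx):
    """Exact host or a subdomain of it. A substring test would also flag the
    legitimate office365.com against office365onlinehome[.]com; this does not."""
    host = host.lower().rstrip(".")
    for ioc_host, desc in idx["host"].items():
        if host == ioc_host or host.endswith("." + ioc_host):
            return ioc_host, desc
    return None

# Constructed proxy log format for this example: "<ts> <client> <method> <target> <status>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")

def check_proxy_line(line, idx):
    """Return (match_kind, indicator, description) for one log line, or None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    target = m["target"]
    if m["method"] == "CONNECT":  # TLS tunnel: only host:port is visible to the proxy
        if target in idx["socket"]:
            return ("socket", target, idx["socket"][target])
        hit = host_hit(target.rsplit(":", 1)[0], idx)
        return ("host", hit[0], hit[1]) if hit else None
    url = normalize_url(target)
    if url in idx["url"]:
        return ("url", url, idx["url"][url])
    hit = host_hit(urlsplit(target).hostname or "", idx)
    return ("host", hit[0], hit[1]) if hit else None

def check_hashes(observed, idx):
    """observed: {path: sha256 hex, any case} -> [(path, description)] for known-bad files."""
    return [(p, idx["sha256"][h.lower()]) for p, h in observed.items() if h.lower() in idx["sha256"]]

if __name__ == "__main__":
    idx = index_iocs(IOCS)
    sample_log = [  # constructed lines; no real host was contacted to produce them
        "2018-12-13T10:02:11Z 10.0.0.23 GET https://afgdhjkrm.pw/aggdst/Hasrt.php 200",
        "2018-12-13T10:02:40Z 10.0.0.23 CONNECT 46.161.27.241:443 200",
        "2018-12-13T10:03:05Z 10.0.0.41 GET https://login.microsoftonline.com/ 200",
        "2018-11-09T08:15:00Z 10.0.0.17 GET https://checksolutions.pw/ghuae/other.php 404",
    ]
    for line in sample_log:
        print(check_proxy_line(line, idx) or "clean", "<-", line.split()[3])
    observed = {r"C:\Users\a\Downloads\invoice.doc":
                "F4B9219F329803DD45AFD5646351DE456E608DD946830C961EC66C6C25E52CAC"}
    print(check_hashes(observed, idx))
```

Two caveats when running this against real telemetry. The hxxps C&C URLs are normally visible to a proxy or IDS only as a CONNECT host or a TLS SNI value, which is why the ET signatures below key on SNI and certificates, so expect host-level rather than full-URL matches for those. And dedsolutions[.]bit is a Namecoin (.bit) name that does not resolve through the public DNS root; a host that reaches it is using an alternative resolver, so look for that in DNS telemetry rather than expecting an ordinary recursive-resolver log entry.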

ET and ETPRO Suricata/Snort Signatures

2833522 ETPRO TROJAN Observed Malicious SSL Cert (HuadhServHelper RAT CnC)

2833552 ETPRO TROJAN HuadhServHelper RAT CnC Domain Observed in SNI

2833881 ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)

2833985 ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)

2834074 ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)

2834233 ETPRO TROJAN ServHelper CnC Inital Checkin

2828489 ETPRO TROJAN FlawedGrace CnC Activity

More info: https://www.zdnet.com/article/this-trojan-attack-adds-a-backdoor-to-your-windows-pc-to-steal-data/?ftag=TRE-03-10aaa6b&bhid=22033606723048855968747532986084

Date added Jan. 10, 2019, 7:04 p.m.
Source ZDNet
Subjects
  • All New Malware Alerts - New Reports / IOCs in
  • .Banking / Finance Alerts
  • Banking Malware - New Reports in
  • FlawedGrace Ransomware / ServHelper (TA505)
  • TA505 Threat Actor / TRat