A well-resourced and prolific hacking group is distributing a new strain of malware that gives the hackers remote desktop access as part of an information-stealing campaign targeting banks, retailers and businesses.
ServHelper malware has been active since November last year and installs a backdoor onto Windows PCs, providing attackers with remote access to compromised machines. But that isn't where the attack ends: ServHelper also acts as a downloader for FlawedGrace, a family of trojan malware which first appeared in November 2017 and is described as "a full-featured" Remote Access Trojan.
The combined ServHelper and FlawedGrace campaign has been detailed by researchers at Proofpoint. They attribute the attacks to TA505, a cybercrime group that has launched some of the largest cyber attacks of of recent years, such as the Dridex banking trojan and Locky ransomware. The group has been active since at least 2014.
ServHelper campaigns begin by spamming out phishing emails. The messages are basic, simply asking potential victims to open documents, often claimed to relate to bank transfers. However, because of the sheer number of messages sent at a time -- tens of thousands of emails are distributed at once -- the attackers seemingly believe they can catch out a significant proportion of users, despite the basic nature of the phishing attacks.
"TA505 has typically not employed heavy social engineering, relying instead on volume to find unwitting victims. That said, human curiosity and our conditioning to rapidly open emails and attachments are often enough even without sophisticated social engineering," Chris Dawson, threat intelligence lead at Proofpoint told ZDNet.
A phishing email used to distribute the malware.
Image: ProofpointThose who open the attachments -- and enable macros -- enable ServHelper to be installed on the machine. Researchers note that this new form of malware is actively being developed, with new commands and functionality being added in almost every new campaign since it first appeared.
But ServHelper's primary function has remained unchanged: it serves as a backdoor to allow attackers remote desktop access to the compromised device and allows attackers to hijack user accounts and web profiles -- providing them with vast swathes of information about the infected victim.
That isn't the end of the attack, however, because ServHelper is capable of downloading and executing another malware onto the compromised PC -- FlawedGrace.
FlawedGrace first appeared for a brief period in November 2017 before disappearing and only re-emerging as part of the ServHelper campaign. Researchers suggest that "significant development" has taken place on FlawedGrace, which has been built using object-oriented and multithreaded programming techniques -- a technique designed to make reverse-engineering and analysing the malware harder.
The remote access trojan capabilities of FlawedGrace mean it allows attackers to gain almost full control over an infected device. Given how the campaign targets banks and retailers, it's likely that acquiring money is the ultimate goal of the attacks, be that through stealing banking credentials, or using corporate credentials to gain access to sensitive information which can be traded on for profit.
SEE: What is malware? Everything you need to know about viruses, trojans and malicious software
It's believed that the ServHelper and FlawedGrace campaign remains active alongside another TA505 trojan malware campaign that emerged in late 2018. The group used to focus on ransomware, but has increasingly moved towards information stealers -- and it's likely they've opted to distribute different forms of malware to avoid detection and ensure maximum returns.
"The group has added a variety of malware to their toolkit over the years, with additions in 2018 focusing on RATs and loaders," said Dawson.
"While we can only speculate on the reasoning behind their choices in malware, new malware gives them new opportunities to evade detection and shift, for example, from ransomware to bankers or bankers to RATs, with the accompanying opportunities to follow the money."
Proofpoint has detailed information about Indicators of Compromise for ServHelper and FlawedGrace in their analysis of the malware.
READ MORE ON CYBER CRIME