TA505 threat actors currently launching new malware campaign with a backdoor capability that mainly target the financial institutions via MS Word Documents.
ServHelper backdoor campaign observed in 2018 along with 2 different variants associated to perform 2 different functionality, one is focused on remote desktop functions and another one is downloader variant.
A downloader variant downloads the new malware called FlawedGrace that contains a fully RAT functionality and this malware first observed in November 2017.
TA505 hacking group targeting various institutions and organizations including banks, retail businesses, and restaurants.
Backdoor Infection process
Initially, ServHelper distributed via email along with weaponized Microsoft word document or other attachments that posed as legitimate content.
A November 2018, campaign contains an attached document with Microsoft “.doc”, “.pub”, or “.wiz” file format along with macro that
Since then the same campaign discovered in November 2018 mixture of Microsoft Word attachments with embedded malicious macros, PDF attachments with URLs linking to a fake “Adobe PDF Plugin” webpage linking to the malware.
Once the victims click the link then it immediately communicates with
According to Proofpoint research, there are two distinct variants of ServHelper: a “tunnel” variant and a “downloader” variant. The “tunnel” variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP).
Once the malware gain the remote access from the infected machine then it starts to hijack legitimate user accounts or their web browser profiles.
In this case, both variant using the HTTP C&C protocol on port 443 (HTTPS) and, less frequently, port 80 (HTTP
Indicators of Compromise (IOCs)
52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c – November 9 “Tunnel” campaign ServHelper
eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4 –November 15 “Downloader” campaign attachment
f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac –December 13 “FlawedGrace” campaign attachment