TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy

mood · Aug 27, 2019

TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
August 27, 2019
https://blog.trendmicro.com/trendla...ty-is-the-spice-of-servhelper-and-flawedammyy

Despite the changes, TA505 continues to use either FlawedAmmyy RAT (remote access trojan) or ServHelper as payloads. However, over the last nine campaigns since our June report, they also started using .ISO image attachments as the point of entry, as well as a .NET downloader, a new style for macro delivery, a newer version of ServHelper, and a .DLL variant of FlawedAmmyy downloader.
.ISO, enabled macros for entry dropping ServHelper or FlawedAmmyy
We noticed that the group became active again in the middle of July, targeting Turkish and Serbian banks with emails that had .ISO file attachments as a means of entry. While the method is not new, the change in file type may yield successful infections given the unusual malware delivery technique.

The changes and adjustments that TA505 made from the original ServHelper and FlawedAmmyy routines may indicate that the group is experimenting and testing to determine which forms of obfuscation can bypass detections, resulting in more financial returns.
As they continue to target businesses in different sectors, we can expect TA505 to keep using phishing and social engineering techniques to compromise systems.
Click to expand...

mood · Aug 13, 2021

New TA505 Campaign Uses Signed Files to Drop ServHelper Malware
August 12, 2021
https://duo.com/decipher/new-ta505-campaign-uses-signed-files-to-drop-servhelper-malware

A long-established and successful cybercrime group known as TA505 has recently increased its activity and is using a variety of techniques and tools to install the ServHelper RAT on compromised systems, including piggybacking on other malware and using signed installers for other software.

TA505 has been around for several years and is known to use a wide range of malware and tools in its operations. The group has used Dridex, Trickbot and SDBot in the past, but the ServHelper RAT is the piece of malware most closely associated with its campaigns. Researchers from Cisco Talos have been tracking a recent uptick in ServHelper installations on compromised systems, some of which are from compromised websites.

“One path for infection starts with the compromise of a legitimate site that hosts cryptographically signed MSI installers. These install popular software such as Discord. However, they also launch a variant of the Raccoon stealer, which downloads and installs a ServHelper RAT if instructed by the command and control (C2) server,” Vanja Svajcer of Cisco Talos wrote in a new analysis of the activity.
Click to expand...

Cisco Talos: Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT

News summary

Group TA505 has been active for at least seven years, making wide-ranging connections with other threat actors involved in ransomware, stealing credit card numbers and exfiltrating data. One of the common tools in TA505's arsenal is ServHelper. In mid-June, Cisco Talos detected an increase in ServHelper's activity. We investigated the activity and discovered a set of intertwined malware families and TTPs.

We found that ServHelper is being installed onto the targeted systems using several different mechanisms, ranging from fake installers for popular software to using other malware families such as Raccoon and Amadey as the installation proxies.

This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably Scripting - T1064, PowerShell - T1059.001, Process Injection - T1055, Non-Standard Port - T1571, Remote Access Software - T1219, Input Capture - T1056, Obfuscated Files or Information - T1027, Ingress Tool Transfer - T1105, and Registry Run Keys/Startup Folder - T1547.001.

Click to expand...

Log in or Sign up

TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy

mood Updates Team

mood Updates Team