Delaware, USA – January 14, 2019 – Malware researchers from Proofpoint enounce about a new information-stealing campaign targeting the financial and retail sectors. New malware families giving the hackers RDP access to the compromised network and are distributed via phishing emails with MS Word, Publisher, and PDF files. In the monitored campaigns, adversaries used not only macros in documents to drop malware, but also used social engineering techniques to lure the victim to a webpage with a fake plugin or direct links to ServHelper.
ServHelper which appeared in November 2018 acquires new functionality in each attack and is known in two variants. Adversaries use ‘downloader’ variant as a simple dropper for the FlawedGrace remote access trojan to gain access to sensitive information. The second variant of ServHelper is used to create a reverse SSH tunnel and provide access to the attacked machine via RDP. Once the remote desktop access is established, the ServHelper gains functionality to steel legitimate accounts and harvest browser credentials.
The researchers attribute the ServHelper and FlawedGrace campaigns to TA505 hacking group who began their attacks in 2014 and grew from small targeted ransomware attacks to global threats. TA505 is known for using Necurs botnet for launching massive spam attacks targeting victims with Dridex and Shifu Trojans, Locky ransomware, and Trickbot. Being highly adaptive, TA505 is improving and shifting techniques targeting the financial sector. To uncover the compromise of your RDP connections, you can use a VPN Security Monitor from Threat Detection Marketplace, which monitors events tied to access control and spots suspicious connections to the organization’s network: https://my.socprime.com/en/integrations/vpn-security-monitor-arcsight