A long-established and successful cybercrime group known as TA505 has recently increased its activity and is using a variety of techniques and tools to install the ServHelper RAT on compromised systems, including piggybacking on other malware and using signed installers for other software.
TA505 has been around for several years and is known to use a wide range of malware and tools in its operations. The group has used Dridex, Trickbot and SDBot in the past, but the ServHelper RAT is the piece of malware most closely associated with its campaigns. Researchers from Cisco Talos have been tracking a recent uptick in ServHelper installations on compromised systems, some of which are from compromised websites.
“One path for infection starts with the compromise of a legitimate site that hosts cryptographically signed MSI installers. These install popular software such as Discord. However, they also launch a variant of the Raccoon stealer, which downloads and installs a ServHelper RAT if instructed by the command and control (C2) server,” Vanja Svajcer of Cisco Talos wrote in a new analysis of the activity.
“Attackers also deploy the ServHelper RAT with a variant of the Amadey malware which gets a full command line from the server to install an initial PowerShell downloader component for ServHelper.”
The ServHelper malware is a full-featured remote access tool that provides complete access to a compromised system. Once on a new machine, the RAT can log keystrokes, steal sensitive data and send it to a remote C2 server, and perform a range of other malicious activities. TA505 is a prolific cybercrime group that is financially motivated and has been known to use the Clop ransomware in the past, although the arrest of several alleged members of the Clop operation earlier this year has hampered that part of the scheme.
Talos began digging into the new campaign by TA505 after finding a ping to a random IP address in some telemetry. The IP address hosted a PowerShell script and the researchers found that it was part of a cryptomining operations. But that was just the start.
“What started as an investigation into an Ethereum cryptominer, turned out to be a never-ending whirlwind of different malware families. Apart from the usual suspects, often attributed to TA505, such as the Raccoon stealer and Amadey stealer/loader, we have encountered a couple of newer techniques from this group. TA505 now uses an MSI installer signed with a valid certificate and a GoLang go-clr-based dropper that can load a .NET assembly from memory,” Svajcer said.
The cryptomining activity associated with this campaign includes both Ethereum and Monero, and is done by process injection. Cryptominers are a popular sideline for many cybercrime groups, as they’re relatively easy to install and don’t take much effort to maintain.
“The Ethminer payload is saved into the drive as C:\windows\system32\mui_pack_es.json as a base64-encoded file, which is also encrypted using XOR with the byte-based key "Asfianweiw". The Monero mining XMRig payload may be downloaded into C:\windows\system32\mui_pack.json and decrypted before loading into memory using the same method. This tactic is likely designed to avoid the detection of PE files by anti-malware software,” Svajcer said.
Despite the hit that the group took after the Clop arrests, TA505 doesn’t seem to be having any trouble finding new ways to monetize its operations at the moment.