The latest malware from TA505 has been seen targeting banks, retailers and restaurants with two different versions.
A new backdoor named ServHelper has been spotted in the wild, acting as both a remote desktop agent as well as a downloader for a RAT called FlawedGrace.
According to Proofpoint, the prolific cybercriminal gang known as TA505 developed ServHelper, which has two variants: one focused on remote desktop functions and a second that primarily functions as a downloader. It’s named after the file names that are associated with the infection; and, a sample from one campaign used command and control (C2) URIs containing “/rest/serv.php.”
The primary motive is, as usual, financial: “TA505 appears to be actively targeting banks, retail businesses, and restaurants as they distribute these malware families,” said Proofpoint researchers, in a posting this week.