FlawedGrace RAT
FlawedGrace is the name of a fully-fledged RAT (Remote Access Threat) that is part of the threatening arsenal of the financially motivated gang of cybercriminals tracked as TA505 (or Hive0065). The group has been active since at least 2014 and is among the most prolific ones, with multiple attack campaigns attributed to it. Another distinguishing characteristic of TA505 is its proclivity to implement frequent changes to both its TTPs (Tactics, Techniques, and Procedures) and the malware types it deploys. The group has been observed carrying out massive email spam campaigns delivering the Dridex banking Trojan, before moving on to distributing the Locky and Jaff Ransomware threats, the TrickBot banking Trojan and more.
FlawedGrace Details
The first time that the FlawedGrace RAT was detected by infosec researchers was in November 2017. It is a powerful RAT written in the C++ programming language. It is capable of recognizing multiple incoming commands from a Command-and-Control server, sent via a custom binary protocol over port 443. The threat can be instructed to fetch additional corrupted modules and then load and execute them. It can also download and exfiltrate chosen files, collect sensitive user information, such as passwords, and more.
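Because the C2 channel is a custom binary protocol on port 443 rather than TLS, one practical network check is to flag port-443 flows whose first client bytes are not a TLS ClientHello record. The following is an added detection example written for this article, not code from the original page or from any FlawedGrace sample; the flows and payload bytes are constructed, and the function names are the author's own.

```python
import struct

# Constructed sample flows (not real captures): (src, dst, dport, first client payload bytes).
# Flow 1 starts with a genuine TLS 1.2 record header carrying a ClientHello (type 0x16, version 3.1, handshake 0x01).
# Flow 2 starts with an opaque length-prefixed blob, the shape a custom binary C2 protocol would have.
# Flow 3 is plaintext HTTP sent to port 443.
SAMPLE_FLOWS = [
    ("10.0.0.5", "93.184.216.34", 443, bytes.fromhex("160301012a0100012603035f")),
    ("10.0.0.7", "198.51.100.23", 443, bytes.fromhex("00000018a1b2c3d40000000100")),
    ("10.0.0.9", "203.0.113.8", 443, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
]

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the payload begins with a TLS record header whose handshake message is a ClientHello.

    Record layout: content_type (1 byte, 0x16 = handshake), version (2 bytes, major 0x03),
    length (2 bytes, big-endian), then the handshake type (0x01 = ClientHello).
    Legacy SSLv2-style hellos are deliberately not recognised here and will be flagged.
    """
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = struct.unpack("!H", payload[3:5])[0]
    handshake_type = payload[5]
    return (content_type == 0x16 and major == 0x03 and minor <= 0x04
            and record_len > 0 and handshake_type == 0x01)

def classify_flow(dport: int, payload: bytes) -> str:
    """Label a flow by destination port and whether its first bytes look like TLS."""
    if dport != 443:
        return "not-443"
    if looks_like_tls_client_hello(payload):
        return "tls"
    return "non-tls-on-443"

def find_suspicious(flows):
    """Return (src, dst) pairs that talk to port 443 without starting a TLS handshake."""
    return [(src, dst) for src, dst, dport, payload in flows
            if classify_flow(dport, payload) == "non-tls-on-443"]

if __name__ == "__main__":
    for pair in find_suspicious(SAMPLE_FLOWS):
        print("non-TLS traffic on port 443:", pair)
```

Running this over real flow data means feeding it the first client-to-server payload of each new connection (for example from a packet capture); hits still need triage, since some legitimate software also speaks non-TLS protocols on 443.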
In the latest attack operations carried out by TA505, an updated version of the FlawedGrace RAT was deployed. While the full analysis of the changes is still ongoing, so far the researchers have observed that the threat now employs encrypted strings and obfuscated API calls. Another difference was found in the way the threat stores its configuration. The initial or default configuration is stored on the system as an encrypted resource. Afterward, it is split in two: a current configuration instance placed in a mapped memory region, and a persistence mechanism injected into the system's Registry.