Quote:A well-resourced and prolific hacking group is distributing a new strain of malware that gives the hackers remote desktop access as part of an information-stealing campaign targeting banks, retailers and businesses.

ServHelper malware has been active since November last year and installs a backdoor onto Windows PCs, providing attackers with remote access to compromised machines. But that isn't where the attack ends: ServHelper also acts as a downloader for FlawedGrace, a family of trojan malware which first appeared in November 2017 and is described as "a full-featured" Remote Access Trojan.

The combined ServHelper and FlawedGrace campaign has been detailed by researchers at Proofpoint. They attribute the attacks to TA505, a cybercrime group that has launched some of the largest cyber attacks of of recent years, such as the Dridex banking trojan and Locky ransomware. The group has been active since at least 2014.

ServHelper campaigns begin by spamming out phishing emails. The messages are basic, simply asking potential victims to open documents, often claimed to relate to bank transfers. However, because of the sheer number of messages sent at a time -- tens of thousands of emails are distributed at once -- the attackers seemingly believe they can catch out a significant proportion of users, despite the basic nature of the phishing attacks.