win.flawedgrace

FlawedGrace

aka: GraceWire

Actor(s): TA505


According to Proofpoint, FlawedGrace is written in C++ and can be categorized as a Remote Access Trojan (RAT). It appears to have been developed mainly in the second half of 2017.

FlawedGrace uses a series of commands, listed below for reference:
* desktop_stat
* destroy_os
* target_download
* target_module_load
* target_module_load_external
* target_module_unload
* target_passwords
* target_rdp
* target_reboot
* target_remove
* target_script
* target_servers
* target_update
* target_upload

References

2022-12-08 | Cisco Talos | Tiago Pereira
@online{pereira:20221208:breaking:7f00030, author = {Tiago Pereira}, title = {{Breaking the silence - Recent Truebot activity}}, date = {2022-12-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/}, language = {English}, urldate = {2022-12-12} }
Tagged: Clop Cobalt Strike FlawedGrace Raspberry Robin Silence Teleport

2021-12-01 | NCC Group | Nikolaos Pantazopoulos, Michael Sandee
@online{pantazopoulos:20211201:tracking:b67c8f7, author = {Nikolaos Pantazopoulos and Michael Sandee}, title = {{Tracking a P2P network related to TA505}}, date = {2021-12-01}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/}, language = {English}, urldate = {2021-12-01} }
Tagged: FlawedGrace Necurs

2021-10-21 | CrowdStrike | Alex Clinton, Tasha Robinson
@online{clinton:20211021:stopping:3c26152, author = {Alex Clinton and Tasha Robinson}, title = {{Stopping GRACEFUL SPIDER: Falcon Complete's Fast Response to Recent SolarWinds Serv-U Exploit Campaign}}, date = {2021-10-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/}, language = {English}, urldate = {2021-11-02} }
Tagged: Cobalt Strike FlawedGrace TinyMet

2021-10-19 | Proofpoint | Zydeca Cass, Axel F, Crista Giering, Matthew Mesa, Georgi Mladenov, Brandon Murphy
@online{cass:20211019:whatta:4d969e1, author = {Zydeca Cass and Axel F and Crista Giering and Matthew Mesa and Georgi Mladenov and Brandon Murphy}, title = {{Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant}}, date = {2021-10-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant}, language = {English}, urldate = {2021-10-24} }
Tagged: FlawedGrace MirrorBlast

2021-03-02 | Möbius Strip Reverse Engineering | Rolf Rolles
@online{rolles:20210302:exhaustivelyanalyzed:ea1e91f, author = {Rolf Rolles}, title = {{An Exhaustively-Analyzed IDB for FlawedGrace}}, date = {2021-03-02}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace}, language = {English}, urldate = {2021-03-04} }
Tagged: FlawedGrace

2020-08-20 | CERT-FR | CERT-FR
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} }
Tagged: AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot

2020-06-22 | CERT-FR | CERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution de l'activité du groupe cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} }
Tagged: Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot

2020-06-17 | Twitter (@MsftSecIntel) | Microsoft Security Intelligence
@online{intelligence:20200617:thread:b4b74d5, author = {Microsoft Security Intelligence}, title = {{A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace}}, date = {2020-06-17}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1273359829390655488}, language = {English}, urldate = {2020-06-18} }
Tagged: FlawedGrace

2020-05-21 | Intel 471 | Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://intel471.com/blog/a-brief-history-of-ta505}, language = {English}, urldate = {2022-02-14} }
Tagged: AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot

2020-03-26 | Telekom | Thomas Barabosch
@online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} }
Tagged: Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505

2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Tagged: KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Tagged: Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:f38f910, author = {SecureWorks}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} }
Tagged: Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505

2019-01-14 | Möbius Strip Reverse Engineering | Rolf Rolles
@online{rolles:20190114:quick:42a2552, author = {Rolf Rolles}, title = {{A Quick Solution to an Ugly Reverse Engineering Problem}}, date = {2019-01-14}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem}, language = {English}, urldate = {2020-01-13} }
Tagged: FlawedGrace

2019-01-09 | Proofpoint | Dennis Schwarz, Proofpoint Staff
@online{schwarz:20190109:servhelper:e20586c, author = {Dennis Schwarz and Proofpoint Staff}, title = {{ServHelper and FlawedGrace - New malware introduced by TA505}}, date = {2019-01-09}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505}, language = {English}, urldate = {2019-12-20} }
Tagged: FlawedGrace ServHelper
Yara Rules
[TLP:WHITE] win_flawedgrace_auto (20230125 | Detects win.flawedgrace.)
rule win_flawedgrace_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.flawedgrace."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c6851ed3ffff00 c6851fd3ffff4c c68520d3ffff89 c68521d3ffff6c c68522d3ffff24 c68523d3ffff28 c68524d3ffff48 }
            // n = 7, score = 200
            //   c6851ed3ffff00       | mov                 byte ptr [ebp - 0x2ce2], 0
            //   c6851fd3ffff4c       | mov                 byte ptr [ebp - 0x2ce1], 0x4c
            //   c68520d3ffff89       | mov                 byte ptr [ebp - 0x2ce0], 0x89
            //   c68521d3ffff6c       | mov                 byte ptr [ebp - 0x2cdf], 0x6c
            //   c68522d3ffff24       | mov                 byte ptr [ebp - 0x2cde], 0x24
            //   c68523d3ffff28       | mov                 byte ptr [ebp - 0x2cdd], 0x28
            //   c68524d3ffff48       | mov                 byte ptr [ebp - 0x2cdc], 0x48

        $sequence_1 = { c685e8d9ffff00 c685e9d9ffff00 c685ead9ffff00 c685ebd9ffff00 c685ecd9ffff00 c685edd9ffff00 c685eed9ffff00 }
            // n = 7, score = 200
            //   c685e8d9ffff00       | mov                 byte ptr [ebp - 0x2618], 0
            //   c685e9d9ffff00       | mov                 byte ptr [ebp - 0x2617], 0
            //   c685ead9ffff00       | mov                 byte ptr [ebp - 0x2616], 0
            //   c685ebd9ffff00       | mov                 byte ptr [ebp - 0x2615], 0
            //   c685ecd9ffff00       | mov                 byte ptr [ebp - 0x2614], 0
            //   c685edd9ffff00       | mov                 byte ptr [ebp - 0x2613], 0
            //   c685eed9ffff00       | mov                 byte ptr [ebp - 0x2612], 0

        $sequence_2 = { 8945e8 6a14 0f1100 c7401000000000 c6400401 c7400c00000000 c7400800000000 }
            // n = 7, score = 200
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   6a14                 | push                0x14
            //   0f1100               | movups              xmmword ptr [eax], xmm0
            //   c7401000000000       | mov                 dword ptr [eax + 0x10], 0
            //   c6400401             | mov                 byte ptr [eax + 4], 1
            //   c7400c00000000       | mov                 dword ptr [eax + 0xc], 0
            //   c7400800000000       | mov                 dword ptr [eax + 8], 0

        $sequence_3 = { c6850af4ffff17 c6850bf4ffff03 c6850cf4fffffa c6850df4ffff83 c6850ef4ffffc7 c6850ff4ffff04 c68510f4ffff66 }
            // n = 7, score = 200
            //   c6850af4ffff17       | mov                 byte ptr [ebp - 0xbf6], 0x17
            //   c6850bf4ffff03       | mov                 byte ptr [ebp - 0xbf5], 3
            //   c6850cf4fffffa       | mov                 byte ptr [ebp - 0xbf4], 0xfa
            //   c6850df4ffff83       | mov                 byte ptr [ebp - 0xbf3], 0x83
            //   c6850ef4ffffc7       | mov                 byte ptr [ebp - 0xbf2], 0xc7
            //   c6850ff4ffff04       | mov                 byte ptr [ebp - 0xbf1], 4
            //   c68510f4ffff66       | mov                 byte ptr [ebp - 0xbf0], 0x66

        $sequence_4 = { c685a0f0ffff00 c685a1f0ffff00 c685a2f0ffff89 c685a3f0ffff45 c685a4f0fffffc c685a5f0ffff50 c685a6f0ffff6a }
            // n = 7, score = 200
            //   c685a0f0ffff00       | mov                 byte ptr [ebp - 0xf60], 0
            //   c685a1f0ffff00       | mov                 byte ptr [ebp - 0xf5f], 0
            //   c685a2f0ffff89       | mov                 byte ptr [ebp - 0xf5e], 0x89
            //   c685a3f0ffff45       | mov                 byte ptr [ebp - 0xf5d], 0x45
            //   c685a4f0fffffc       | mov                 byte ptr [ebp - 0xf5c], 0xfc
            //   c685a5f0ffff50       | mov                 byte ptr [ebp - 0xf5b], 0x50
            //   c685a6f0ffff6a       | mov                 byte ptr [ebp - 0xf5a], 0x6a

        $sequence_5 = { c68576c7ffff49 c68577c7ffffb8 c68578c7ffffb0 c68579c7ffff43 c6857ac7ffff00 c6857bc7ffff40 c6857cc7ffff01 }
            // n = 7, score = 200
            //   c68576c7ffff49       | mov                 byte ptr [ebp - 0x388a], 0x49
            //   c68577c7ffffb8       | mov                 byte ptr [ebp - 0x3889], 0xb8
            //   c68578c7ffffb0       | mov                 byte ptr [ebp - 0x3888], 0xb0
            //   c68579c7ffff43       | mov                 byte ptr [ebp - 0x3887], 0x43
            //   c6857ac7ffff00       | mov                 byte ptr [ebp - 0x3886], 0
            //   c6857bc7ffff40       | mov                 byte ptr [ebp - 0x3885], 0x40
            //   c6857cc7ffff01       | mov                 byte ptr [ebp - 0x3884], 1

        $sequence_6 = { c685e7ddffff00 c685e8ddffff00 c685e9ddffff00 c685eaddffff00 c685ebddffff00 c685ecddffff00 c685edddffff00 }
            // n = 7, score = 200
            //   c685e7ddffff00       | mov                 byte ptr [ebp - 0x2219], 0
            //   c685e8ddffff00       | mov                 byte ptr [ebp - 0x2218], 0
            //   c685e9ddffff00       | mov                 byte ptr [ebp - 0x2217], 0
            //   c685eaddffff00       | mov                 byte ptr [ebp - 0x2216], 0
            //   c685ebddffff00       | mov                 byte ptr [ebp - 0x2215], 0
            //   c685ecddffff00       | mov                 byte ptr [ebp - 0x2214], 0
            //   c685edddffff00       | mov                 byte ptr [ebp - 0x2213], 0

        $sequence_7 = { 8d85fcc1ffff 8d8dfce5ffff 83bdc0bfffff00 0f44c1 898548bfffff ba001a0000 b800240000 }
            // n = 7, score = 200
            //   8d85fcc1ffff         | lea                 eax, [ebp - 0x3e04]
            //   8d8dfce5ffff         | lea                 ecx, [ebp - 0x1a04]
            //   83bdc0bfffff00       | cmp                 dword ptr [ebp - 0x4040], 0
            //   0f44c1               | cmove               eax, ecx
            //   898548bfffff         | mov                 dword ptr [ebp - 0x40b8], eax
            //   ba001a0000           | mov                 edx, 0x1a00
            //   b800240000           | mov                 eax, 0x2400

        $sequence_8 = { c685abcdffff85 c685accdffff79 c685adcdffffff c685aecdffffff c685afcdffffff c685b0cdffffe8 c685b1cdffff05 }
            // n = 7, score = 200
            //   c685abcdffff85       | mov                 byte ptr [ebp - 0x3255], 0x85
            //   c685accdffff79       | mov                 byte ptr [ebp - 0x3254], 0x79
            //   c685adcdffffff       | mov                 byte ptr [ebp - 0x3253], 0xff
            //   c685aecdffffff       | mov                 byte ptr [ebp - 0x3252], 0xff
            //   c685afcdffffff       | mov                 byte ptr [ebp - 0x3251], 0xff
            //   c685b0cdffffe8       | mov                 byte ptr [ebp - 0x3250], 0xe8
            //   c685b1cdffff05       | mov                 byte ptr [ebp - 0x324f], 5

        $sequence_9 = { c685f6f1ffff8d c685f7f1ffff7d c685f8f1ffffc4 c685f9f1ffff8b c685faf1ffff0d c685fbf1ffff4c c685fcf1ffff33 }
            // n = 7, score = 200
            //   c685f6f1ffff8d       | mov                 byte ptr [ebp - 0xe0a], 0x8d
            //   c685f7f1ffff7d       | mov                 byte ptr [ebp - 0xe09], 0x7d
            //   c685f8f1ffffc4       | mov                 byte ptr [ebp - 0xe08], 0xc4
            //   c685f9f1ffff8b       | mov                 byte ptr [ebp - 0xe07], 0x8b
            //   c685faf1ffff0d       | mov                 byte ptr [ebp - 0xe06], 0xd
            //   c685fbf1ffff4c       | mov                 byte ptr [ebp - 0xe05], 0x4c
            //   c685fcf1ffff33       | mov                 byte ptr [ebp - 0xe04], 0x33

    condition:
        7 of them and filesize < 966656
}
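Most of the `$sequence_N` strings above are runs of `mov byte ptr [ebp-X], imm8` stores, i.e. the sample builds a buffer on the stack one byte at a time and the autogenerated rule keys on those exact immediates. The Python below is an added example (not code from Malpedia or yara-signator) that decodes those sequences, copied verbatim from the rule, back into the buffer being written; it assumes every instruction uses the 7-byte `C6 85 disp32 imm8` encoding shown in the rule's own disassembly comments.

```python
import struct

# Hex strings copied from the $sequence_N definitions of win_flawedgrace_auto
# above; only those made purely of "mov byte ptr [ebp-X], imm8" stores.
SEQUENCES = {
    "sequence_0": "c6851ed3ffff00 c6851fd3ffff4c c68520d3ffff89 c68521d3ffff6c "
                  "c68522d3ffff24 c68523d3ffff28 c68524d3ffff48",
    "sequence_3": "c6850af4ffff17 c6850bf4ffff03 c6850cf4fffffa c6850df4ffff83 "
                  "c6850ef4ffffc7 c6850ff4ffff04 c68510f4ffff66",
    "sequence_5": "c68576c7ffff49 c68577c7ffffb8 c68578c7ffffb0 c68579c7ffff43 "
                  "c6857ac7ffff00 c6857bc7ffff40 c6857cc7ffff01",
}


def decode_mov_byte_ebp(seq_hex):
    """Decode a run of 'C6 85 <disp32> <imm8>' instructions
    (mov byte ptr [ebp+disp32], imm8) into (disp, value) pairs.
    Any other opcode raises ValueError so mixed sequences are not misread."""
    raw = bytes.fromhex(seq_hex.replace(" ", ""))
    writes = []
    for off in range(0, len(raw), 7):
        insn = raw[off:off + 7]
        if len(insn) != 7 or insn[0] != 0xC6 or insn[1] != 0x85:
            raise ValueError(f"not mov byte ptr [ebp+disp32], imm8 at offset {off}")
        disp = struct.unpack("<i", insn[2:6])[0]   # signed little-endian disp32
        writes.append((disp, insn[6]))
    return writes


def is_stack_fill_sequence(seq_hex):
    """True if the whole sequence consists of byte-wise stack stores."""
    try:
        decode_mov_byte_ebp(seq_hex)
        return True
    except ValueError:
        return False


def rebuild_stack_buffer(seq_hex):
    """Return (lowest ebp offset, bytes) for a contiguous run of stack stores,
    i.e. the buffer the matched code assembles one byte at a time."""
    writes = sorted(decode_mov_byte_ebp(seq_hex))
    base = writes[0][0]
    buf = bytearray()
    for n, (disp, val) in enumerate(writes):
        if disp != base + n:
            raise ValueError(f"gap in stack writes at ebp{disp:+#x}")
        buf.append(val)
    return base, bytes(buf)


if __name__ == "__main__":
    for name, seq in SEQUENCES.items():
        base, buf = rebuild_stack_buffer(seq)
        print(f"{name}: {len(buf)} bytes at [ebp{base:+#x}] -> {buf.hex(' ')}")
```

A sequence that mixes other opcodes (such as `$sequence_2`) is rejected rather than decoded, so the same check can serve as a triage filter when reviewing which strings of an autogenerated rule depend on a single sample's stack-built data.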