FlawedGrace

Malware updated 4 months ago (2024-05-04T17:43:37.519Z)
FlawedGrace is a remote access trojan (RAT) that has been used extensively in cyberattacks. It was first brought to light in June 2023, when The DFIR Report revealed its use in Truebot operations: after a malicious file was successfully downloaded, Truebot would rename itself and then load FlawedGrace onto the host. The malware has also been delivered by email as a compressed attachment, and its operators have exploited vulnerabilities to issue commands through the SysAid software. A notable capability of FlawedGrace is its ability to modify the registry and the print spooler, the Windows component that controls the order in which documents are loaded into a print queue.

The Lace Tempest operators and a Russian-speaking gang have been identified as users of FlawedGrace, employing it to escalate privileges, establish persistence on compromised systems, and conduct follow-on operations. The malware has been associated with the Cl0p and LockBit ransomware families and with the Truebot botnet. Microsoft confirmed this in a tweet, stating that the Russian-speaking gang loads GraceWire, another name for FlawedGrace, onto compromised systems.

Once deployed, FlawedGrace creates scheduled tasks and injects payloads into msiexec, which lets it establish a command and control (C2) connection and load dynamic link libraries (DLLs) for privilege escalation. The US Cybersecurity & Infrastructure Security Agency (CISA) noted that during its execution phase the RAT stores encrypted payloads in the registry. After breaching a network, the operators install FlawedGrace to escalate privileges and maintain persistence on the compromised hosts; by using Truebot to download FlawedGrace or Cobalt Strike beacons, they extend their access across the network once they reach the Active Directory server. FlawedGrace therefore poses a significant threat, and organizations need to take adequate measures to safeguard their systems against it.
Description last updated: 2024-05-04T16:28:00.752Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Truebot | 5 | Truebot is a highly potent malware used by the threat actor group CL0P, which has been linked to various malicious activities aimed at exploiting and damaging computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded,
Gracewire | 2 | Gracewire is a potent malware that has been deployed by threat actors to exploit and damage computer systems. It is typically delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal information, disrupt operations,
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rat
Payload
Cobalt Strike
Phishing
Ransomware
Trojan
Loader
Associated Malware
ID | Type | Votes | Profile Description
Get2 | Unspecified | 4 | Get2 is a type of malware, harmful software designed to infiltrate and damage computer systems or devices. It can be unknowingly downloaded through suspicious emails, downloads, or websites, enabling it to steal personal information, disrupt operations, or hold data hostage for ransom. Among the mos
Clop | Unspecified | 3 | Clop, also known as Cl0p, is a notorious ransomware group responsible for several high-profile cyberattacks. The group specializes in exploiting vulnerabilities in software and systems to gain unauthorized access, exfiltrate sensitive data, and then extort victims by threatening to release the stole
truebot malware | Unspecified | 2 | Truebot malware is a malicious software that infiltrates computer systems, often without the user's knowledge, to exploit and damage the device. It was primarily delivered by cyber threat actors via malicious phishing email attachments, but newer versions observed in 2023 also gained initial access
Sdbot | Unspecified | 2 | SDBot is a malicious software, or malware, that has been leveraged by threat actors known as TA505 and CL0P to exploit vulnerabilities in computer systems. It is used as a backdoor to enable the execution of commands and functions in the compromised computer, often without the user's knowledge. The
Associated Threat Actors
ID | Type | Votes | Profile Description
TA505 | Unspecified | 4 | TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec
cl0p | Unspecified | 2 | Cl0p is a threat actor group that has emerged as the most used ransomware in March 2023, dethroning LockBit. The group has successfully exploited zero-day vulnerabilities in the past, but such attacks are relatively rare. Recent research by Malwarebytes highlights the bias of ransomware gangs for at
Source Document References
Information about the FlawedGrace malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | 10 months ago | SysAid zero-day exploited by Clop ransomware group
BankInfoSecurity | 10 months ago | MOVEit Hackers Turn to SysAid Zero-Day Bug
CERT-EU | a year ago | 3 Malware Loaders are Responsible for 80% of Attacks, ReliaQuest Says
CERT-EU | a year ago | US and Canadian Authorities Warn of Increased Truebot Activity
CERT-EU | a year ago | TrueBot: Cyber Security Agencies Issue A Warning
CERT-EU | a year ago | Bitdefender Threat Debrief | July 2023
CERT-EU | a year ago | Netwrix Auditor RCE Bug Abused in Truebot Malware Campaign | IT Security News
BankInfoSecurity | a year ago | Updated Truebot Malware Targeting Orgs in US, Canada
CERT-EU | a year ago | SafeBreach Coverage for US-CERT Alert (AA23-187A) – Truebot Malware
CERT-EU | a year ago | CISA, FBI: A New Version of the Truebot Malware Is Actively Used in Attacks
CERT-EU | a year ago | Truebot RCE attacks exploit critical Netwrix Auditor bug
Securityaffairs | a year ago | CISA and FBI warn of Truebot infecting US and Canada based orgs
CERT-EU | a year ago | Cybersecurity Agencies Sound Alarm on Rising TrueBot Malware Attacks
CISA | a year ago | Increased Truebot Activity Infects U.S. and Canada Based Networks | CISA
Flashpoint | a year ago | No title
CISA | a year ago | #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability | CISA
CERT-EU | a year ago | #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability – Cyber Safe NV
MITRE | 2 years ago | ServHelper and FlawedGrace - New malware introduced by TA505 | Proofpoint
MITRE | 2 years ago | TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader | Proofpoint US
MITRE | 2 years ago | Threat Assessment: Clop Ransomware