In January, another company, Proofpoint, had said it had found two strains of this Windows pestilence: one directed at remote desktop functions, and a second that is primarily a downloader for a remote access trojan known as FlawedGrace.
TA505 has also been associated with spreading other malware, such as Dridex and the Locky ransomware. ServHelper appears to be used for targeting banks, retail businesses and restaurants.
Deep Instinct malware and cyber intelligence specialist Shaul Vilkomir-Preisman told iTWire that TA505 was not associated with any specific country, but there were indications that it was from an Eastern European nation.
Vilkomir-Preisman said the malware used a certificate from Thawte to get past the defences of an infected machine. "We have contacted DigiCert (who operate Thawte, the issuing CA) and reported this. They were thankful for the report and revoked the certificate," he added.
Asked why threats of this kind appeared to affect only Windows systems, Vilkomir-Preisman said it was not only Windows systems that were at risk from this threat. "In recent years malware for non-Windows systems has seen a significant rise, and is expected to be on the rise with the ever-increasing popularity of IoT devices which tend to be very vulnerable to attack in their off-the-shelf configuration," he said.
"Additionally, once an attacker has a foot in the door, and starts to move laterally, he can just as easily target non-Windows machines which are found on the network."
He said the new ServHelper variant looked to be aimed at establishing a long-term presence on a network. "This malware is actively gathering lists of users on domains, and finding out who the domain admins are, and unlike most malware does not establish persistency by default. This is very targeted behaviour, aimed at establishing a long-term presence on a network."
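The behaviour described above, enumerating domain users and domain admins without setting up persistence, is the kind of activity that autorun and startup-item checks will miss, so defenders lean on process-creation telemetry instead. The following is an added example written for this page, not code from iTWire, Deep Instinct or the ServHelper analysis: it scans a handful of constructed Sysmon-style process-creation records and flags the common built-in `net` / `net1` commands used for domain user and group enumeration. The article does not state which commands ServHelper runs; the command patterns, the sample events, the process names and the "suspicious parent directory" heuristic are all assumptions made for the example.

```python
import shlex
from typing import Optional

# Constructed process-creation events shaped like Sysmon Event ID 1 fields.
# These are sample records written for this example, not captures from ServHelper.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user /domain",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "Domain Admins" /domain',
     "ParentImage": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\fileserver\share",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c whoami",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 group /domain",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# net.exe hands most sub-commands to net1.exe, so both images are watched.
NET_BINARIES = {"net.exe", "net1.exe"}
# Assumed heuristic: enumeration launched from user-writable directories is unusual.
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\")


def _tokens(command_line: str) -> list:
    """Split a Windows command line into lower-cased arguments, keeping quoted
    group names such as "Domain Admins" together as one token."""
    try:
        parts = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        parts = command_line.split()
    return [p.strip('"').lower() for p in parts]


def classify(event: dict) -> Optional[dict]:
    """Return a finding if the event is a domain user/group enumeration, else None."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in NET_BINARIES:
        return None
    toks = _tokens(event.get("CommandLine", ""))
    if len(toks) < 2 or "/domain" not in toks:
        return None  # local-only 'net' usage (e.g. 'net use') is not flagged
    verb = toks[1]
    if verb == "user":
        rule, severity = "domain_user_enumeration", "medium"
    elif verb == "group":
        # Naming the Domain Admins group explicitly is the higher-signal case.
        if "domain admins" in toks[2:]:
            rule, severity = "domain_admin_discovery", "high"
        else:
            rule, severity = "domain_group_enumeration", "medium"
    else:
        return None
    parent = event.get("ParentImage", "").lower()
    if any(d in parent for d in SUSPICIOUS_PARENT_DIRS):
        severity = "high"  # enumeration spawned from a user-writable path
    return {"rule": rule, "severity": severity,
            "command": event.get("CommandLine", ""),
            "parent": event.get("ParentImage", "")}


def scan(events) -> list:
    """Run classify() over a sequence of events and keep the findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['command']}  (parent: {f['parent']})")
```

Run against the constructed records, the first two events (enumeration spawned from a binary under AppData) come back as high severity, the `net use` and `whoami` events are ignored, and the `net1 group /domain` launched from PowerShell is reported at medium. In a real deployment the same logic would sit over the Sysmon or EDR process-creation feed, and the parent-process check is what separates an administrator running these commands from a foothold doing reconnaissance.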
Vilkomir-Preisman said Deep Instinct had observed that countries in North America and south-east Asia appeared to be the main targets of this malware.