FlawedGrace
FlawedGrace is a full-featured remote access trojan (RAT) first observed in November 2017 and associated in reporting with TA505, including later CL0P-linked activity. It has been delivered as a secondary payload by TA505 malware such as ServHelper and Get2, including phishing campaigns using macro-enabled Microsoft Office and Publisher attachments, PDF lures linking to fake Adobe plugin pages, direct executable URLs, and malicious Excel documents embedding Get2 as an OLE object. In 2019 reporting, TA505 campaigns used Get2 to download FlawedGrace alongside other payloads including FlawedAmmyy, Snatch, and SDBbot. Reporting also states that in 2019 TA505 leveraged CL0P ransomware as a final payload in a phishing campaign involving a macro-enabled document that used the Get2 dropper to download SDBbot and FlawedGrace.
FlawedGrace is described as written in C++ using object-oriented and multithreaded techniques. It uses a custom encrypted binary command-and-control protocol over port 443, and its networking component has been described as sophisticated, high-performance, robust, and flexible. One analysis states that it uses a custom and complex virtual filesystem for configuration management and command-and-control communications. In an analyzed sample, encrypted configuration data including C2 IPs and ports was stored in files such as C:\ProgramData\21851a60.dat, encrypted with AES-CBC under the hardcoded key c3oeCSIfx0J6UtcV; both the file location and the key are therefore usable as host-based indicators during triage. Reported commands include target_download, target_upload, target_rdp, target_passwords, target_script, and destroy_os. The MITRE ATT&CK mapping for this family associates FlawedGrace with Obfuscated Files or Information (encrypted or encoded files).
FlawedGrace has also been observed in post-exploitation and persistence workflows. In incidents involving exploitation of SolarWinds Serv-U CVE-2021-35211, NCC Group reported attackers linked to TA505/CL0P using PowerShell to deploy Cobalt Strike and then hijacking the legitimate RegIdleBackup scheduled task by redirecting its COM handler so that the task loaded the FlawedGrace RAT. The reporting notes that altered COM handler CLSIDs and Base64-encoded registry objects associated with a FlawedGrace loader were indicators of compromise in those cases. Additional artifacts referenced in public reporting include a YARA rule named Windows.Trojan.FlawedGrace and sample hashes for the main executable from a reverse-engineering writeup: SHA-1 9bb72ae1dc6c49806064992e0850dc8cb02571ed and MD5 bc91e2c139369a1ae219a11cbd9a243b.
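The persistence technique above (a scheduled task whose COM handler CLSID is repointed, with a Base64-encoded loader stored in registry CLSID objects) can be checked for directly on a Windows host. The following PowerShell is an added triage example written for this page; it is not code from NCC Group or from any vendor tooling. It assumes the task lives at the standard path \Microsoft\Windows\Registry\RegIdleBackup and that a legitimate handler resolves to a DLL under %SystemRoot%\System32; the 256-character threshold for "Base64-shaped" values is a constructed heuristic, not a value from the reporting.

```powershell
# Added example (not from the page or any vendor tool): triage check for the
# RegIdleBackup COM-handler hijack described in the NCC Group reporting.
# Assumptions: task path \Microsoft\Windows\Registry\ (standard location, assumed here),
# legitimate handler DLL under %SystemRoot%\System32, Base64 length threshold of 256
# chars (constructed heuristic). Run in an elevated PowerShell 5.1+ session.

$taskPath = '\Microsoft\Windows\Registry\'
$taskName = 'RegIdleBackup'
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop

# Values under the CLSID key that look like long Base64 blobs are what the reporting
# describes as the stored loader; flag them rather than decoding them here.
function Test-Base64Shaped {
    param([object]$Value)
    return ($Value -is [string] -and $Value.Length -ge 256 -and $Value -match '^[A-Za-z0-9+/]+={0,2}$')
}

foreach ($action in $task.Actions) {
    # Only ComHandler actions carry a ClassId; any other action type on this task is unexpected.
    if (-not $action.ClassId) {
        Write-Warning "Unexpected non-COM action on $taskName : $(($action | Out-String).Trim())"
        continue
    }
    $clsid = $action.ClassId
    Write-Host "Task $taskName uses COM handler $clsid"

    # Inspect both hives: a per-user override under HKCU shadows HKLM, and a rewritten
    # HKLM entry is the other way the handler can be redirected.
    foreach ($hive in 'HKCU:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $hive $clsid
        if (-not (Test-Path $key)) { continue }
        if ($hive -like 'HKCU:*') {
            Write-Warning "Per-user override of $clsid exists under HKCU; this is unusual for a machine task handler"
        }

        # Resolve the in-process server DLL and compare against the expected System32 location.
        $server = Get-ItemProperty -Path (Join-Path $key 'InProcServer32') -ErrorAction SilentlyContinue
        $dll = $server.'(default)'
        if ($dll) {
            $expanded = [Environment]::ExpandEnvironmentVariables($dll)
            $system32 = Join-Path $env:SystemRoot 'System32'
            if ($expanded -notlike "$system32\*") {
                Write-Warning "$key InProcServer32 resolves outside System32: $expanded"
            } else {
                Write-Host "$key InProcServer32 -> $expanded"
            }
        } else {
            Write-Warning "$key has no InProcServer32 default value"
        }

        # Walk the CLSID key and its subkeys for Base64-shaped string values.
        $keys = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $v = $k.GetValue($name)
                if (Test-Base64Shaped $v) {
                    $label = if ($name) { $name } else { '(default)' }
                    Write-Warning "Base64-shaped value '$label' ($($v.Length) chars) under $($k.Name)"
                }
            }
        }
    }
}
```

Any warning from this script is a lead, not a verdict: confirm the DLL on disk, compare the CLSID against a known-good host, and collect the flagged registry values for offline analysis before remediating the task.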
Vulnerabilities exploited
One CVE has been correlated with this family across public research and vendor advisories (the SolarWinds Serv-U vulnerability CVE-2021-35211 described above). Source excerpt:
"...abusing the COM handler associated with it to execute malicious code, leading to FlawedGrace RAT."
Groups observed using it
Two distinct threat actors have been attributed by public researchers; the reporting summarized above names TA505 and CL0P-linked activity. Source excerpt:
"Get2 was, in turn, observed downloading FlawedGrace, FlawedAmmyy, Snatch, and SDBbot (a new RAT) as secondary payloads."
Associated detection rule, as quoted in the source (fragment):
rule Windows_Trojan_FlawedGrace_8c5eb04b { ... threat_name = "Windows.Trojan.FlawedGrace" ... }
Techniques & procedures
Eight distinct techniques are documented for this family, organized by ATT&CK tactic:
Initial Access: 2 techniques.
Stealth: 2 techniques. Source excerpt: "The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors."
Credential Access: 1 technique.
Command and Control: 3 techniques. Source excerpt: "FlawedAmmyy / FlawedGrace remote access trojan (RAT) collects information and attempts to communicate with the Command and Control (C2) server to enable the download of additional malware components [T1071], [T1105]."
IOCs tracked for this family
Eleven indicators are attributed across vendor reports, sandbox runs, and researcher write-ups, in three categories:
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
Twelve sources are tracked across advisories, community write-ups, and news. Source excerpts:
From a reverse-engineering blog series: "Like the previous two entries in this series on ComRAT v4 and FlawedGrace, I did this analysis as part of my preparation for an upcoming class on C++ reverse engineering."
From reporting on the Serv-U incidents: "Remote access trojan used by TA505 for persistence after exploitation, loaded via a hijacked scheduled task COM handler."
From reporting on the Serv-U incidents: "Remote Access Trojan; in these incidents its loader was stored as Base64-encoded strings in registry CLSID objects and executed via hijacking the RegIdleBackup scheduled task COM handler for persistence."
From reporting on the Serv-U incidents: "Remote access trojan; in these incidents it is delivered via scheduled task (RegIdleBackup) COM handler hijacking, with a loader stored as Base64-encoded strings in the registry."