GraceWrapper: TA505’s post-exploitation enabler

Deep dive into the GraceWrapper malware and how it operates.

Learn more about the return of the threat actor group TA505 and its dangerous RAT variant. In this in-depth report, Outpost24’s KrakenLabs shares findings from its analysis of the Mirrorblast spam campaign, the last known spam operation attributed to TA505.

Within the convoluted sequence of malware components involved in the attack, one is believed to be an updated version of the FlawedGrace RAT, given the evident relationship between their code and the similarities in their behavior. This new component, which we have dubbed GraceWrapper, appears to hinder detection of the RAT while also facilitating the deployment of post-exploitation tools on infected machines.