ServHelper

ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.[1]

ID: S0382
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 29 May 2019
Last Modified: 14 April 2023

Techniques Used

Domain / ID / Name / Use

Enterprise T1036.010 Masquerading: Masquerade Account Name

ServHelper has created a new user named "supportaccount".[1]

Enterprise T1136.001 Create Account: Local Account

ServHelper has created a new user named "supportaccount".[1]

Enterprise T1573.002 Encrypted Channel: Asymmetric Cryptography

ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

ServHelper may attempt to establish persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ run key.[2]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

ServHelper has the ability to execute a PowerShell script to get information from the infected host.[3]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

ServHelper can execute shell commands through cmd.[1][2]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

ServHelper uses HTTP for C2.[1]

Enterprise T1070.004 Indicator Removal: File Deletion

ServHelper has a module to delete itself from the infected machine.[1][2]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

ServHelper contains a module for downloading and executing DLLs that leverages rundll32.exe.[2]

Enterprise T1082 System Information Discovery

ServHelper will attempt to enumerate the Windows version and system architecture.[1]

Enterprise T1033 System Owner/User Discovery

ServHelper will attempt to enumerate the username of the victim.[1]

Enterprise T1098.007 Account Manipulation: Additional Local or Domain Groups

ServHelper has added a user named "supportaccount" to the Remote Desktop Users and Administrators groups.[1]

Enterprise T1105 Ingress Tool Transfer

ServHelper may download additional files to execute.[1][2]

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

ServHelper has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel.[1]

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

ServHelper contains modules that will use schtasks to carry out malicious operations.[1]
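Several of the behaviours in the table above leave host telemetry that can be correlated per machine: local account creation (Security event 4720), membership added to the Administrators or Remote Desktop Users group (Security event 4732), and a value written under the HKCU Run key (Sysmon event 13). The following is an added detection example, not code from the ATT&CK page or from the cited reports; the event records are constructed and simplified (real 4732 events carry a member SID rather than a name, so a SID-to-name resolution step would precede this logic), and the technique IDs and the account name "supportaccount" are taken from the table above.

```python
"""Correlate host events against the ServHelper behaviours listed in the table (added example)."""
from collections import defaultdict

# Constructed, simplified sample events (not real telemetry). WS01 mimics the
# account-creation, group-membership and Run-key pattern described on the page;
# WS02 is an ordinary administrative action that should not alert.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 4720, "target_user": "supportaccount", "subject_user": "jdoe"},
    {"host": "WS01", "event_id": 4732, "group": "Remote Desktop Users", "member": "supportaccount"},
    {"host": "WS01", "event_id": 4732, "group": "Administrators", "member": "supportaccount"},
    {"host": "WS01", "event_id": 13,
     "registry_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "image": r"C:\Windows\System32\rundll32.exe"},
    {"host": "WS02", "event_id": 4720, "target_user": "builduser", "subject_user": "admin"},
    {"host": "WS02", "event_id": 4732, "group": "Remote Desktop Users", "member": "builduser"},
]

# Groups named in the T1098.007 entry above.
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}
# Account name reported for ServHelper in the T1136.001 / T1036.010 entries.
KNOWN_ACCOUNT_NAMES = {"supportaccount"}
# Substring of the HKCU run key from the T1547.001 entry (compared case-insensitively).
RUN_KEY_MARKER = "\\currentversion\\run\\"


def classify(event):
    """Map one event to the ATT&CK technique IDs it evidences (empty list if none)."""
    eid = event["event_id"]
    hits = []
    if eid == 4720:  # local account created
        hits.append("T1136.001")
        if event["target_user"].lower() in KNOWN_ACCOUNT_NAMES:
            hits.append("T1036.010")
    elif eid == 4732 and event["group"].lower() in PRIVILEGED_GROUPS:
        hits.append("T1098.007")  # added to a privileged local group
    elif eid == 13 and RUN_KEY_MARKER in event["registry_path"].lower():
        hits.append("T1547.001")  # persistence via Run key
    return hits


def correlate(events):
    """Group evidence by host, then by technique ID: {host: {technique: [events]}}."""
    findings = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for tid in classify(ev):
            findings[ev["host"]][tid].append(ev)
    return findings


def newly_privileged_accounts(events):
    """Accounts that were both created and added to a privileged group on the same host."""
    created = defaultdict(set)
    elevated = defaultdict(set)
    for ev in events:
        if ev["event_id"] == 4720:
            created[ev["host"]].add(ev["target_user"].lower())
        elif ev["event_id"] == 4732 and ev["group"].lower() in PRIVILEGED_GROUPS:
            elevated[ev["host"]].add(ev["member"].lower())
    return {h: created[h] & elevated[h] for h in created if created[h] & elevated[h]}


def alerting_hosts(events, min_techniques=3):
    """Hosts showing at least min_techniques distinct techniques from the table."""
    return sorted(h for h, techs in correlate(events).items() if len(techs) >= min_techniques)


if __name__ == "__main__":
    for host, techs in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(techs))
    print("newly privileged:", newly_privileged_accounts(SAMPLE_EVENTS))
    print("alert:", alerting_hosts(SAMPLE_EVENTS))
```

The threshold in alerting_hosts is what keeps the single creation-plus-RDP-group action on WS02 from alerting on its own; on real data the account-creation and group-change events would be joined on the member SID and bounded to a short time window, and the Run-key check would normally also inspect the written value for rundll32.exe, which the T1218.011 entry names as ServHelper's loader.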

Groups That Use This Software

ID / Name / References

G0092 TA505 [1][4][2][3]

References