Open Hunting - Threat Library

Openhunting Threat Library

Helminth

(Type: Backdoor)

Helminth is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via a macros in Excel spreadsheets, and one that is a standalone Windows executable.

[News Analysis] Trends:

Total Trend: 7

Trend Per Year

2016

2017

2019

2020

Trend Per Month

May 2016

Oct 2016

Apr 2017

Apr 2019

Aug 2019

2020

[News Analysis] News Mention Another Threat Name:

[TTP Analysis] Technique Performance:

reconnaissance

0/43

resource development

0/45

initial access

0/19

execution

4/36

persistence

3/113

privilege escalation

3/96

defense evasion

2/184

credential access

1/63

discovery

3/44

lateral movement

0/22

collection

4/37

command and control

5/39

exfiltration

1/18

impact

0/26

[TTP Analysis] Mitre Attack Matrix:

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
			T1059.001 Command And Scripting Interpreter : Powershell T1059.003 Command And Scripting Interpreter : Windows Command Shell T1059.005 Command And Scripting Interpreter : Visual Basic T1053.005 Scheduled Task/job : Scheduled Task	T1547.001 Boot Or Logon Autostart Execution : Registry Run Keys / Startup Folder T1547.009 Boot Or Logon Autostart Execution : Shortcut Modification T1053.005 Scheduled Task/job : Scheduled Task	T1547.001 Boot Or Logon Autostart Execution : Registry Run Keys / Startup Folder T1547.009 Boot Or Logon Autostart Execution : Shortcut Modification T1053.005 Scheduled Task/job : Scheduled Task	T1027 Obfuscated Files Or Information T1553.002 Subvert Trust Controls : Code Signing	T1056.001 Input Capture : Keylogging	T1069.001 Permission Groups Discovery : Local Groups T1069.002 Permission Groups Discovery : Domain Groups T1057 Process Discovery		T1119 Automated Collection T1115 Clipboard Data T1074.001 Data Staged : Local Data Staging T1056.001 Input Capture : Keylogging	T1071.001 Application Layer Protocol : Web Protocols T1071.004 Application Layer Protocol : Dns T1132.001 Data Encoding : Standard Encoding T1573.001 Encrypted Channel : Symmetric Cryptography T1105 Ingress Tool Transfer	T1030 Data Transfer Size Limits

[Infrastructure Analysis] Based on Related IOC:

IP:Port	Timestamp

Domain	Timestamp

URL	Timestamp

[Target Analysis] Region/Sector:

No information

References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

COBALT GYPSY

2020 by SecureWorks from Secureworks

APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations

2019-08-22 by Cyware from Cyware

DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling

2019-04-16 by Robert Falcone from

Iranian Fileless Attack Infiltrates Israeli Organizations

2017-04-27 by Michael Gorelik from Morphisec

OilRig Malware Campaign Updates Toolset and Expands Targets

2016-10-04 by Josh Grunzweig from Palo Alto Networks Unit 42

The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor

2016-05-26 by Robert Falcone from Palo Alto Networks Unit 42

Targeted Attacks against Banks in the Middle East

2016-05-22 by Sudeep Singh from FireEye

Basic Information (Credit @etda.or.th)

Tool: Helminth

Names: Helminth

Description: Helminth is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via a macros in Excel spreadsheets, and one that is a standalone Windows executable.

Category: Malware

Type: Backdoor

Information: https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/

Information: https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html

Information: https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/

Information: http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/

Mitre-attack: https://attack.mitre.org/software/S0170/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:Helminth

Last-card-change: 2020-05-13

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
			T1059.001 COMMAND AND SCRIPTING INTERPRETER : POWERSHELL one version of helminth uses a powershell script. T1059.003 COMMAND AND SCRIPTING INTERPRETER : WINDOWS COMMAND SHELL helminth can provide a remote shell. one version of helminth uses batch scripting. T1059.005 COMMAND AND SCRIPTING INTERPRETER : VISUAL BASIC one version of helminth consists of vbscript scripts. T1053.005 SCHEDULED TASK/JOB : SCHEDULED TASK helminth has used a scheduled task for persistence.	T1547.001 BOOT OR LOGON AUTOSTART EXECUTION : REGISTRY RUN KEYS / STARTUP FOLDER helminth establishes persistence by creating a shortcut in the start menu folder. T1547.009 BOOT OR LOGON AUTOSTART EXECUTION : SHORTCUT MODIFICATION helminth establishes persistence by creating a shortcut. T1053.005 SCHEDULED TASK/JOB : SCHEDULED TASK helminth has used a scheduled task for persistence.	T1547.001 BOOT OR LOGON AUTOSTART EXECUTION : REGISTRY RUN KEYS / STARTUP FOLDER helminth establishes persistence by creating a shortcut in the start menu folder. T1547.009 BOOT OR LOGON AUTOSTART EXECUTION : SHORTCUT MODIFICATION helminth establishes persistence by creating a shortcut. T1053.005 SCHEDULED TASK/JOB : SCHEDULED TASK helminth has used a scheduled task for persistence.	T1027 OBFUSCATED FILES OR INFORMATION the helminth config file is encrypted with rc4. T1553.002 SUBVERT TRUST CONTROLS : CODE SIGNING helminth samples have been signed with legitimate, compromised code signing certificates owned by software company ai squared.	T1056.001 INPUT CAPTURE : KEYLOGGING the executable version of helminth has a module to log keystrokes.	T1069.001 PERMISSION GROUPS DISCOVERY : LOCAL GROUPS helminth has checked the local administrators group. T1069.002 PERMISSION GROUPS DISCOVERY : DOMAIN GROUPS helminth has checked for the domain admin group and exchange trusted subsystem groups using the commands net group exchange trusted subsystem /domain and net group domain admins /domain. T1057 PROCESS DISCOVERY helminth has used tasklist to get information on processes.		T1119 AUTOMATED COLLECTION a helminth vbscript receives a batch script to execute a set of commands in a command prompt. T1115 CLIPBOARD DATA the executable version of helminth has a module to log clipboard contents. T1074.001 DATA STAGED : LOCAL DATA STAGING helminth creates folders to store output from batch scripts prior to sending the information to its c2 server. T1056.001 INPUT CAPTURE : KEYLOGGING the executable version of helminth has a module to log keystrokes.	T1071.001 APPLICATION LAYER PROTOCOL : WEB PROTOCOLS helminth can use http for c2. T1071.004 APPLICATION LAYER PROTOCOL : DNS helminth can use dns for c2. T1132.001 DATA ENCODING : STANDARD ENCODING for c2 over http, helminth encodes data with base64 and sends it via the "cookie" field of http requests. for c2 over dns, helminth converts ascii characters into their hexadecimal values and sends the data in cleartext. T1573.001 ENCRYPTED CHANNEL : SYMMETRIC CRYPTOGRAPHY helminth encrypts data sent to its c2 server over http with rc4. T1105 INGRESS TOOL TRANSFER helminth can download additional files.	T1030 DATA TRANSFER SIZE LIMITS helminth splits data into chunks up to 23 bytes and sends the data in dns queries to its c2 server.