ServHelper
(Type: Backdoor, Credential stealer, Downloader)

ServHelper is written in Delphi and, according to Proofpoint, is best classified as a backdoor. Proofpoint observed two distinct variants, 'tunnel' and 'downloader' (citation): 'The 'tunnel' variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to 'hijack' legitimate user accounts or their web browser profiles and use them as they see fit. The 'downloader' variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader.'

[News Analysis] Trends:

Total Trend: 23 articles

Trend Per Year
2019: 9
2020: 9
2021: 3
2022: 2

Trend Per Month
2019 (month not specified): 1
Jan 2019: 2
Apr 2019: 2
Aug 2019: 2
Dec 2019: 2
2020 (month not specified): 1
Jan 2020: 1
Feb 2020: 1
May 2020: 2
Jun 2020: 1
Jul 2020: 1
Aug 2020: 1
Oct 2020: 1
Jul 2021: 1
Aug 2021: 1
Sep 2021: 1
Sep 2022: 2



[News Analysis] Other Threat Names Mentioned in the News Articles:

Clop, ServHelper, AdWind, ostap, AsyncRAT, BazarBackdoor, BitRAT, Buer, Chthonic, CloudEyE, Cobalt Strike, DCRat, Dridex, FindPOS, GootKit, Gozi, IcedID, ISFB, Nanocore RAT, Orcus RAT, PandaBanker, Qadars, QakBot, Quasar RAT, Rockloader, Shifu, SManager, TorrentLocker, TrickBot, Vawtrak, Zeus, Zloader, Amadey, Raccoon, AndroMut, Bart, FlawedAmmyy, FlawedGrace, Get2, Locky, Marap, QuantLoader, SDBbot, tRat, Gandcrab, GlobeImposter, Jaff, Philadelphia Ransom, Scarab Ransomware, Silence, NetSupportManager RAT, Kegotip, Necurs, Pony, Snatch, Chrysaor, Exodus, Dacls, VPNFilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, BOOSTWRITE, Brambul, Carbanak, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, Stuxnet, TinyMet, Volgmer, X-Agent, Zebrocy, TA505, RMS


[TTP Analysis] Technique Coverage per Tactic (techniques observed / techniques in tactic):

Reconnaissance: 0/43
Resource Development: 0/45
Initial Access: 0/19
Execution: 3/36
Persistence: 4/113
Privilege Escalation: 2/96
Defense Evasion: 2/184
Credential Access: 0/63
Discovery: 2/44
Lateral Movement: 1/22
Collection: 0/37
Command and Control: 3/39
Exfiltration: 0/18
Impact: 0/26


[TTP Analysis] MITRE ATT&CK Matrix:

Execution (TA0002)
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1053.005 Scheduled Task/Job: Scheduled Task
Persistence (TA0003)
  • T1098 Account Manipulation
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1136.001 Create Account: Local Account
  • T1053.005 Scheduled Task/Job: Scheduled Task
Privilege Escalation (TA0004)
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1053.005 Scheduled Task/Job: Scheduled Task
Defense Evasion (TA0005)
  • T1070.004 Indicator Removal: File Deletion
  • T1218.011 System Binary Proxy Execution: Rundll32
Discovery (TA0007)
  • T1082 System Information Discovery
  • T1033 System Owner/User Discovery
Lateral Movement (TA0008)
  • T1021.001 Remote Services: Remote Desktop Protocol
Command and Control (TA0011)
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1573.002 Encrypted Channel: Asymmetric Cryptography
  • T1105 Ingress Tool Transfer
No techniques mapped: Reconnaissance (TA0043), Resource Development (TA0042), Initial Access (TA0001), Credential Access (TA0006), Collection (TA0009), Exfiltration (TA0010), Impact (TA0040)


[Infrastructure Analysis] Based on Related IOC:



[Target Analysis] Region/Sector:

No information


References:

News Articles (Credit @Malpedia)

TA505 Group’s TeslaGun In-Depth Analysis

2022-09-06 by PRODAFT from PRODAFT

TA505 Group’s TeslaGun In-Depth Analysis

2022-09-05 by PRODAFT from PRODAFT

The State of SSL/TLS Certificate Usage in Malware C&C Communications

2021-09-03 by Mohamad Mokbel from Trend Micro

Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT

2021-08-12 by Vanja Svajcer from Cisco Talos

TA505 adds GoLang crypter for delivering miners and ServHelper

2021-07-06 by Jason Reaves from Medium walmartglobaltech

TA505 targets the Americas in a new campaign

2020-10-03 by Avira Protection Labs from Avira

Development of the Activity of the TA505 Cybercriminal Group

2020-08-20 by CERT-FR from CERT-FR

ServHelper: Hidden Miners

2020-07-09 by G DATA Security Lab from Gdata

Évolution de l'activité du groupe cybercriminel TA505 (Evolution of the Activity of the TA505 Cybercriminal Group)

2020-06-22 by CERT-FR from CERT-FR

Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.

2020-05-22 by PT ESC Threat Intelligence from Positive Technologies

A brief history of TA505

2020-05-21 by Intel 471 from Intel 471

APT Report 2019

2020-02-13 by Qi Anxin Threat Intelligence Center from Qianxin

ServHelper 2.0: Enriched with bot capabilities and allow remote desktop access

2020-01-09 by SonicWall from SonicWall

GOLD TAHOE

2020 by SecureWorks from Secureworks

An Updated ServHelper Tunnel Variant

2019-12-20 by James Quinn from Binary Defense

TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking

2019-12-17 by Adrián Ruiz from Blueliv

SectorJ04 Group’s Increased Activity in 2019

2019-08-29 by ThreatRecon Team from ThreatRecon

TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy

2019-08-27 by Hara Hiroaki from Trend Micro

Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware

2019-04-25 by Cybereason Nocturnus from Cybereason

New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload

2019-04-02 by Shaul Vilkomir-Preisman from DeepInstinct

Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently

2019-01-24 by 事件追踪 (Incident Tracking team) from 奇安信威胁情报中心 (Qi Anxin Threat Intelligence Center)

ServHelper and FlawedGrace - New malware introduced by TA505

2019-01-09 by Dennis Schwarz from Proofpoint

Legit Remote Admin Tools Turn into Threat Actors' Tools

2019 by CyberInt from CyberInt

Basic Information (Credit @etda.or.th)

Tool: ServHelper

Names: ServHelper

Description: ServHelper is written in Delphi and, according to Proofpoint, is best classified as a backdoor. Proofpoint observed two distinct variants, 'tunnel' and 'downloader' (citation): 'The 'tunnel' variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to 'hijack' legitimate user accounts or their web browser profiles and use them as they see fit. The 'downloader' variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader.'

Category: Malware

Type: Backdoor, Credential stealer, Downloader

Information: https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505

Information: https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf

Information: https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/

Information: https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/

Information: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware

Mitre-attack: https://attack.mitre.org/software/S0382/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper

Last-card-change: 2020-05-14

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

Indicators of Compromise (Credit @ThreatFox)


TTP Info (Credit @Mitre)

Execution (TA0002)
  • T1059.001 Command and Scripting Interpreter: PowerShell
    ServHelper has the ability to execute a PowerShell script to get information from the infected host.
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
    ServHelper can execute shell commands against cmd.
  • T1053.005 Scheduled Task/Job: Scheduled Task
    ServHelper contains modules that will use schtasks to carry out malicious operations.
Persistence (TA0003)
  • T1098 Account Manipulation
    ServHelper has added a user named "supportaccount" to the Remote Desktop Users and Administrators groups.
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    ServHelper may attempt to establish persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run run key.
  • T1136.001 Create Account: Local Account
    ServHelper has created a new user named "supportaccount".
  • T1053.005 Scheduled Task/Job: Scheduled Task
    Same schtasks modules as described under Execution.
Privilege Escalation (TA0004)
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    Same HKCU Run key persistence as described under Persistence.
  • T1053.005 Scheduled Task/Job: Scheduled Task
    Same schtasks modules as described under Execution.
Defense Evasion (TA0005)
  • T1070.004 Indicator Removal: File Deletion
    ServHelper has a module to delete itself from the infected machine.
  • T1218.011 System Binary Proxy Execution: Rundll32
    ServHelper contains a module for downloading and executing DLLs that leverages rundll32.exe.
Discovery (TA0007)
  • T1082 System Information Discovery
    ServHelper will attempt to enumerate the Windows version and system architecture.
  • T1033 System Owner/User Discovery
    ServHelper will attempt to enumerate the username of the victim.
Lateral Movement (TA0008)
  • T1021.001 Remote Services: Remote Desktop Protocol
    ServHelper has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel.
Command and Control (TA0011)
  • T1071.001 Application Layer Protocol: Web Protocols
    ServHelper uses HTTP for C2.
  • T1573.002 Encrypted Channel: Asymmetric Cryptography
    ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP.
  • T1105 Ingress Tool Transfer
    ServHelper may download additional files to execute.
No techniques mapped: Reconnaissance (TA0043), Resource Development (TA0042), Initial Access (TA0001), Credential Access (TA0006), Collection (TA0009), Exfiltration (TA0010), Impact (TA0040)