Skip to content

S0170 Helminth

Helminth is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via a macros in Excel spreadsheets, and one that is a standalone Windows executable. 1

Item Value
ID S0170
Associated Names
Type MALWARE
Version 1.1
Created 16 January 2018
Last Modified 28 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Helminth can use HTTP for C2.1
enterprise T1071.004 DNS Helminth can use DNS for C2.1
enterprise T1119 Automated Collection A Helminth VBScript receives a batch script to execute a set of commands in a command prompt.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Helminth establishes persistence by creating a shortcut in the Start Menu folder.1
enterprise T1547.009 Shortcut Modification Helminth establishes persistence by creating a shortcut.1
enterprise T1115 Clipboard Data The executable version of Helminth has a module to log clipboard contents.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell One version of Helminth uses a PowerShell script.1
enterprise T1059.003 Windows Command Shell Helminth can provide a remote shell. One version of Helminth uses batch scripting.1
enterprise T1059.005 Visual Basic One version of Helminth consists of VBScript scripts.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding For C2 over HTTP, Helminth encodes data with base64 and sends it via the “Cookie” field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values and sends the data in cleartext.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server.1
enterprise T1030 Data Transfer Size Limits Helminth splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Helminth encrypts data sent to its C2 server over HTTP with RC4.1
enterprise T1105 Ingress Tool Transfer Helminth can download additional files.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging The executable version of Helminth has a module to log keystrokes.1
enterprise T1027 Obfuscated Files or Information The Helminth config file is encrypted with RC4.1
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups Helminth has checked the local administrators group.2
enterprise T1069.002 Domain Groups Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands net group Exchange Trusted Subsystem /domain and net group domain admins /domain.2
enterprise T1057 Process Discovery Helminth has used Tasklist to get information on processes.2
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Helminth has used a scheduled task for persistence.3
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Helminth samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared.3

Groups That Use This Software

ID Name References
G0049 OilRig 145

References