S0382 ServHelper
ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file. [1]
| Item | Value |
|---|---|
| ID | S0382 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 29 May 2019 |
| Last Modified | 14 April 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1098 | Account Manipulation | ServHelper has added a user named "supportaccount" to the Remote Desktop Users and Administrators groups. [1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ServHelper uses HTTP for C2. [1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | ServHelper may attempt to establish persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ run key. [3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | ServHelper has the ability to execute a PowerShell script to get information from the infected host. [2] |
| enterprise | T1059.003 | Windows Command Shell | ServHelper can execute shell commands against cmd. [1][3] |
| enterprise | T1136 | Create Account | - |
| enterprise | T1136.001 | Local Account | ServHelper has created a new user named "supportaccount". [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP. [1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | ServHelper has a module to delete itself from the infected machine. [1][3] |
| enterprise | T1105 | Ingress Tool Transfer | ServHelper may download additional files to execute. [1][3] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | ServHelper has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel. [1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | ServHelper contains modules that will use schtasks to carry out malicious operations. [1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | ServHelper contains a module for downloading and executing DLLs that leverages rundll32.exe. [3] |
| enterprise | T1082 | System Information Discovery | ServHelper will attempt to enumerate Windows version and system architecture. [1] |
| enterprise | T1033 | System Owner/User Discovery | ServHelper will attempt to enumerate the username of the victim. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0092 | TA505 | [1][2][3][4] |
References
1. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
2. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group's Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
3. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
4. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.