
S0382 ServHelper

ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.[1]

ID: S0382
Associated Names: none listed
Version: 1.2
Created: 29 May 2019
Last Modified: 14 April 2023

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1098 | Account Manipulation | ServHelper has added a user named "supportaccount" to the Remote Desktop Users and Administrators groups.[1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ServHelper uses HTTP for C2.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | ServHelper may attempt to establish persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ run key.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | ServHelper has the ability to execute a PowerShell script to get information from the infected host.[2] |
| enterprise | T1059.003 | Windows Command Shell | ServHelper can execute shell commands against cmd.[1][3] |
| enterprise | T1136 | Create Account | - |
| enterprise | T1136.001 | Local Account | ServHelper has created a new user named "supportaccount".[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | ServHelper has a module to delete itself from the infected machine.[1][3] |
| enterprise | T1105 | Ingress Tool Transfer | ServHelper may download additional files to execute.[1][3] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | ServHelper has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | ServHelper contains modules that will use schtasks to carry out malicious operations.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | ServHelper contains a module for downloading and executing DLLs that leverages rundll32.exe.[3] |
| enterprise | T1082 | System Information Discovery | ServHelper will attempt to enumerate the Windows version and system architecture.[1] |
| enterprise | T1033 | System Owner/User Discovery | ServHelper will attempt to enumerate the username of the victim.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0092 | TA505 | [1][4][3][2] |