win.servhelper

ServHelper

Actor(s): TA505


ServHelper is written in Delphi and, according to Proofpoint, is best classified as a backdoor.

Proofpoint observed two distinct variants, "tunnel" and "downloader" (citation):
"The 'tunnel' variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to 'hijack' legitimate user accounts or their web browser profiles and use them as they see fit. The 'downloader' variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader."

References
Each entry lists date | organization | author(s), then the title, then the families tagged in the report.

2022-09-06 | PRODAFT | PRODAFT
  TA505 Group’s TeslaGun In-Depth Analysis
  Families: Clop, ServHelper
2022-09-05 | PRODAFT | PRODAFT
  TA505 Group’s TeslaGun In-Depth Analysis
  Families: ServHelper
2021-09-03 | Trend Micro | Mohamad Mokbel
  The State of SSL/TLS Certificate Usage in Malware C&C Communications
  Families: AdWind, ostap, AsyncRAT, BazarBackdoor, BitRAT, Buer, Chthonic, CloudEyE, Cobalt Strike, DCRat, Dridex, FindPOS, GootKit, Gozi, IcedID, ISFB, Nanocore RAT, Orcus RAT, PandaBanker, Qadars, QakBot, Quasar RAT, Rockloader, ServHelper, Shifu, SManager, TorrentLocker, TrickBot, Vawtrak, Zeus, Zloader
2021-08-12 | Cisco Talos | Vanja Svajcer
  Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
  Families: Amadey, Raccoon, ServHelper
2021-07-06 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
  TA505 adds GoLang crypter for delivering miners and ServHelper
  Families: ServHelper
2020-10-03 | Avira | Avira Protection Labs
  TA505 targets the Americas in a new campaign
  Families: ServHelper
2020-08-20 | CERT-FR | CERT-FR
  Development of the Activity of the TA505 Cybercriminal Group
  Families: AndroMut, Bart, Clop, Dridex, FlawedAmmyy, FlawedGrace, Get2, Locky, Marap, QuantLoader, SDBbot, ServHelper, tRat, TrickBot
2020-07-09 | Gdata | G DATA Security Lab
  ServHelper: Hidden Miners
  Families: ServHelper
2020-06-22 | CERT-FR | CERT-FR
  Évolution de l'activité du groupe cybercriminel TA505 (Evolution of the Activity of the TA505 Cybercriminal Group)
  Families: Amadey, AndroMut, Bart, Clop, Dridex, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Locky, Marap, Philadephia Ransom, QuantLoader, Scarab Ransomware, SDBbot, ServHelper, Silence, tRat, TrickBot
2020-05-22 | Positive Technologies | PT ESC Threat Intelligence
  Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.
  Families: NetSupportManager RAT, ServHelper
2020-05-21 | Intel 471 | Intel 471
  A brief history of TA505
  Families: AndroMut, Bart, Dridex, FlawedAmmyy, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Kegotip, Locky, Necurs, Philadephia Ransom, Pony, QuantLoader, Rockloader, SDBbot, ServHelper, Shifu, Snatch, TrickBot
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
  APT Report 2019
  Families: Chrysaor, Exodus, Dacls, VPNFilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy
2020-01-09 | SonicWall | SonicWall
  ServHelper 2.0: Enriched with bot capabilities and allow remote desktop access
  Families: ServHelper
2020-01-01 | Secureworks | SecureWorks
  GOLD TAHOE
  Families: Clop, FlawedAmmyy, FlawedGrace, Get2, SDBbot, ServHelper, TA505
2019-12-20 | Binary Defense | James Quinn
  An Updated ServHelper Tunnel Variant
  Families: ServHelper
2019-12-17 | Blueliv | Adrián Ruiz, Blueliv Labs Team, Jose Miguel Esparza
  TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking
  Families: ServHelper, TA505
2019-08-29 | ThreatRecon | ThreatRecon Team
  SectorJ04 Group’s Increased Activity in 2019
  Families: FlawedAmmyy, ServHelper, TA505
2019-08-27 | Trend Micro | Hara Hiroaki, Jaromír Hořejší, Loseway Lu
  TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
  Families: FlawedAmmyy, ServHelper
2019-04-25 | Cybereason | Cybereason Nocturnus
  Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware
  Families: ServHelper, TA505
2019-04-02 | DeepInstinct | Shaul Vilkomir-Preisman
  New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload
  Families: ServHelper
2019-01-24 | Qi Anxin Threat Intelligence Center (奇安信威胁情报中心) | Incident Tracking (事件追踪)
  Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently
  Families: ServHelper
2019-01-09 | Proofpoint | Dennis Schwarz, Proofpoint Staff
  ServHelper and FlawedGrace - New malware introduced by TA505
  Families: FlawedGrace, ServHelper
2019-01-01 | CyberInt | CyberInt
  Legit Remote Admin Tools Turn into Threat Actors' Tools
  Families: RMS, ServHelper, TA505
Yara Rules
[TLP:WHITE] win_servhelper_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_servhelper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? b8???????? b9d9d60000 8b15???????? e8???????? }
            // n = 5, score = 200
            //   e8????????           |                     
            //   b8????????           |                     
            //   b9d9d60000           | mov                 ecx, 0xd6d9
            //   8b15????????         |                     
            //   e8????????           |                     

        $sequence_1 = { 807da101 750b 8d5324 8b4644 e8???????? 837b3000 7506 }
            // n = 7, score = 200
            //   807da101             | cmp                 byte ptr [ebp - 0x5f], 1
            //   750b                 | jne                 0xd
            //   8d5324               | lea                 edx, [ebx + 0x24]
            //   8b4644               | mov                 eax, dword ptr [esi + 0x44]
            //   e8????????           |                     
            //   837b3000             | cmp                 dword ptr [ebx + 0x30], 0
            //   7506                 | jne                 8

        $sequence_2 = { 8bf8 8bc7 e8???????? 85ff 75ec 8b4604 }
            // n = 6, score = 200
            //   8bf8                 | mov                 edi, eax
            //   8bc7                 | mov                 eax, edi
            //   e8????????           |                     
            //   85ff                 | test                edi, edi
            //   75ec                 | jne                 0xffffffee
            //   8b4604               | mov                 eax, dword ptr [esi + 4]

        $sequence_3 = { 84c0 7406 66b82200 eb04 }
            // n = 4, score = 200
            //   84c0                 | test                al, al
            //   7406                 | je                  8
            //   66b82200             | mov                 ax, 0x22
            //   eb04                 | jmp                 6

        $sequence_4 = { 8945dc 33c0 8945e0 8d45d4 8b4dfc ba???????? }
            // n = 6, score = 200
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   33c0                 | xor                 eax, eax
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   ba????????           |                     

        $sequence_5 = { 8bf0 e8???????? 3db7000000 750a }
            // n = 4, score = 200
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   3db7000000           | cmp                 eax, 0xb7
            //   750a                 | jne                 0xc

        $sequence_6 = { 134900 4e 004600 4e 004100 4e 00ac08c07503b0 }
            // n = 7, score = 200
            //   134900               | adc                 ecx, dword ptr [ecx]
            //   4e                   | dec                 esi
            //   004600               | add                 byte ptr [esi], al
            //   4e                   | dec                 esi
            //   004100               | add                 byte ptr [ecx], al
            //   4e                   | dec                 esi
            //   00ac08c07503b0       | add                 byte ptr [eax + ecx - 0x4ffc8a40], ch

        $sequence_7 = { 1b55d4 52 50 8bc6 }
            // n = 4, score = 200
            //   1b55d4               | sbb                 edx, dword ptr [ebp - 0x2c]
            //   52                   | push                edx
            //   50                   | push                eax
            //   8bc6                 | mov                 eax, esi

        $sequence_8 = { 7700 69006e006800 7400 7400 7000 2e0064006c }
            // n = 6, score = 200
            //   7700                 | ja                  2
            //   69006e006800         | imul                eax, dword ptr [eax], 0x68006e
            //   7400                 | je                  2
            //   7400                 | je                  2
            //   7000                 | jo                  2
            //   2e0064006c           | add                 byte ptr cs:[eax + eax + 0x6c], ah

        $sequence_9 = { 8b58fc 48 8b09 e8???????? }
            // n = 4, score = 100
            //   8b58fc               | mov                 ebx, dword ptr [eax - 4]
            //   48                   | dec                 eax
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   e8????????           |                     

        $sequence_10 = { 8b58fc 48 0fb74542 66894548 }
            // n = 4, score = 100
            //   8b58fc               | mov                 ebx, dword ptr [eax - 4]
            //   48                   | dec                 eax
            //   0fb74542             | movzx               eax, word ptr [ebp + 0x42]
            //   66894548             | mov                 word ptr [ebp + 0x48], ax

        $sequence_11 = { 8b58f8 48 8b4538 48 8d3418 48 }
            // n = 6, score = 100
            //   8b58f8               | mov                 ebx, dword ptr [eax - 8]
            //   48                   | dec                 eax
            //   8b4538               | mov                 eax, dword ptr [ebp + 0x38]
            //   48                   | dec                 eax
            //   8d3418               | lea                 esi, [eax + ebx]
            //   48                   | dec                 eax

        $sequence_12 = { 8b58fc 48 8b4520 48 }
            // n = 4, score = 100
            //   8b58fc               | mov                 ebx, dword ptr [eax - 4]
            //   48                   | dec                 eax
            //   8b4520               | mov                 eax, dword ptr [ebp + 0x20]
            //   48                   | dec                 eax

        $sequence_13 = { 8b58f8 48 8b4548 48 }
            // n = 4, score = 100
            //   8b58f8               | mov                 ebx, dword ptr [eax - 8]
            //   48                   | dec                 eax
            //   8b4548               | mov                 eax, dword ptr [ebp + 0x48]
            //   48                   | dec                 eax

        $sequence_14 = { 8b58fc 48 89d1 e8???????? }
            // n = 4, score = 100
            //   8b58fc               | mov                 ebx, dword ptr [eax - 4]
            //   48                   | dec                 eax
            //   89d1                 | mov                 ecx, edx
            //   e8????????           |                     

    condition:
        7 of them and filesize < 6717440
}