win.servhelper

ServHelper

Actor(s): TA505


ServHelper is written in Delphi and, according to Proofpoint, is best classified as a backdoor.

Proofpoint noticed two distinct variants, "tunnel" and "downloader" (citation):
"The 'tunnel' variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to 'hijack' legitimate user accounts or their web browser profiles and use them as they see fit. The 'downloader' variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader."

References
2020-06-22CERT-FRCERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De L'activité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De L'activité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:gold:f38f910, author = {SecureWorks}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} } GOLD TAHOE
Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505
2019-12-20Binary DefenseJames Quinn
@online{quinn:20191220:updated:2408ee7, author = {James Quinn}, title = {{An Updated ServHelper Tunnel Variant}}, date = {2019-12-20}, organization = {Binary Defense}, url = {https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/}, language = {English}, urldate = {2020-01-13} } An Updated ServHelper Tunnel Variant
ServHelper
2019-12-17BluelivAdrián Ruiz, Jose Miguel Esparza, Blueliv Labs Team
@online{ruiz:20191217:ta505:1c1204e, author = {Adrián Ruiz and Jose Miguel Esparza and Blueliv Labs Team}, title = {{TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking}}, date = {2019-12-17}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/}, language = {English}, urldate = {2020-01-09} } TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking
ServHelper TA505
2019-08-29ThreatReconThreatRecon Team
@online{team:20190829:sectorj04:ce6cc4b, author = {ThreatRecon Team}, title = {{SectorJ04 Group’s Increased Activity in 2019}}, date = {2019-08-29}, organization = {ThreatRecon}, url = {https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/}, language = {English}, urldate = {2019-10-13} } SectorJ04 Group’s Increased Activity in 2019
FlawedAmmyy ServHelper TA505
2019-08-27Trend MicroHara Hiroaki, Jaromír Hořejší, Loseway Lu
@online{hiroaki:20190827:ta505:9bcbff1, author = {Hara Hiroaki and Jaromír Hořejší and Loseway Lu}, title = {{TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy}}, date = {2019-08-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/}, language = {English}, urldate = {2019-11-27} } TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
FlawedAmmyy ServHelper
2019-04-25CybereasonCybereason Nocturnus
@online{nocturnus:20190425:threat:63e7d51, author = {Cybereason Nocturnus}, title = {{Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware}}, date = {2019-04-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware}, language = {English}, urldate = {2020-01-08} } Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware
ServHelper TA505
2019-04-02DeepInstinctShaul Vilkomir-Preisman
@online{vilkomirpreisman:20190402:new:4dbdc56, author = {Shaul Vilkomir-Preisman}, title = {{New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload}}, date = {2019-04-02}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/}, language = {English}, urldate = {2019-07-11} } New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload
ServHelper
2019-01-24奇安信威胁情报中心事件追踪
@online{:20190124:excel:2dd401c, author = {事件追踪}, title = {{Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently}}, date = {2019-01-24}, organization = {奇安信威胁情报中心}, url = {https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/}, language = {English}, urldate = {2019-12-02} } Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently
ServHelper
2019-01-09ProofpointDennis Schwarz, Proofpoint Staff
@online{schwarz:20190109:servhelper:e20586c, author = {Dennis Schwarz and Proofpoint Staff}, title = {{ServHelper and FlawedGrace - New malware introduced by TA505}}, date = {2019-01-09}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505}, language = {English}, urldate = {2019-12-20} } ServHelper and FlawedGrace - New malware introduced by TA505
FlawedGrace ServHelper
2019CyberIntCyberInt
@techreport{cyberint:2019:legit:9925ea3, author = {CyberInt}, title = {{Legit Remote Admin Tools Turn into Threat Actors' Tools}}, date = {2019}, institution = {CyberInt}, url = {https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf}, language = {English}, urldate = {2019-12-19} } Legit Remote Admin Tools Turn into Threat Actors' Tools
RMS ServHelper TA505
Yara Rules
[TLP:WHITE] win_servhelper_auto (20200529 | autogenerated rule brought to you by yara-signator)
/*
 * Auto-generated code-sequence signature for ServHelper (Malpedia: win.servhelper).
 * Each $sequence_N is a short run of raw bytes lifted from the disassembly of the
 * documented sample(s); the indented comments under each string are the generator's
 * own decoding of those bytes. Nothing in the byte patterns may be changed without
 * invalidating the provenance recorded in the meta section (malpedia_hash et al.).
 */
rule win_servhelper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): $sequence_0 and $sequence_2 (the two highest-scoring strings) are
        // not instructions. Read as UTF-16LE they are the text "ttp.dl" and "winhtt", i.e.
        // fragments of a wide "winhttp.dll" string; the "je 2" / "jo 2" / "ja 2" lines the
        // generator printed under them are just its literal decoding of those bytes. Any
        // binary that carries that wide string will hit both, so they add little
        // family-specific weight by themselves; the condition still requires five further
        // sequences to match.
        $sequence_0 = { 7400 7400 7000 2e0064006c }
            // n = 4, score = 300
            //   7400                 | je                  2
            //   7400                 | je                  2
            //   7000                 | jo                  2
            //   2e0064006c           | add                 byte ptr cs:[eax + eax + 0x6c], ah

        $sequence_1 = { 84c0 7406 66b82200 eb04 }
            // n = 4, score = 300
            //   84c0                 | test                al, al
            //   7406                 | je                  8
            //   66b82200             | mov                 ax, 0x22
            //   eb04                 | jmp                 6

        $sequence_2 = { 7700 69006e006800 7400 7400 }
            // n = 4, score = 300
            //   7700                 | ja                  2
            //   69006e006800         | imul                eax, dword ptr [eax], 0x68006e
            //   7400                 | je                  2
            //   7400                 | je                  2

        // The ???????? bytes below are wildcards: the generator masks the operands of
        // relative calls/jumps and data references (see tool_config) so the pattern does
        // not depend on where the code was laid out in a particular build.
        $sequence_3 = { 0f85b2010000 e9???????? 83e913 85c9 0f844d010000 83e901 85c9 }
            // n = 7, score = 200
            //   0f85b2010000         | jne                 0x1b8
            //   e9????????           |                     
            //   83e913               | sub                 ecx, 0x13
            //   85c9                 | test                ecx, ecx
            //   0f844d010000         | je                  0x153
            //   83e901               | sub                 ecx, 1
            //   85c9                 | test                ecx, ecx

        $sequence_4 = { 8b45b0 8945bc c645c011 8d45b4 }
            // n = 4, score = 200
            //   8b45b0               | mov                 eax, dword ptr [ebp - 0x50]
            //   8945bc               | mov                 dword ptr [ebp - 0x44], eax
            //   c645c011             | mov                 byte ptr [ebp - 0x40], 0x11
            //   8d45b4               | lea                 eax, [ebp - 0x4c]

        $sequence_5 = { 8b442420 89442410 8b442424 89442414 8b442418 8bf8 }
            // n = 6, score = 200
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8bf8                 | mov                 edi, eax

        $sequence_6 = { 83eb01 85db 75b4 90 }
            // n = 4, score = 200
            //   83eb01               | sub                 ebx, 1
            //   85db                 | test                ebx, ebx
            //   75b4                 | jne                 0xffffffb6
            //   90                   | nop                 

        $sequence_7 = { 77d8 c7c001000000 d3e0 09454c ebcb }
            // n = 5, score = 200
            //   77d8                 | ja                  0xffffffda
            //   c7c001000000         | mov                 eax, 1
            //   d3e0                 | shl                 eax, cl
            //   09454c               | or                  dword ptr [ebp + 0x4c], eax
            //   ebcb                 | jmp                 0xffffffcd

        $sequence_8 = { 803801 7529 8b45f4 83780c00 7520 8b45f4 }
            // n = 6, score = 200
            //   803801               | cmp                 byte ptr [eax], 1
            //   7529                 | jne                 0x2b
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   83780c00             | cmp                 dword ptr [eax + 0xc], 0
            //   7520                 | jne                 0x22
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_9 = { 3b55dc 750b 3b45d8 0f8217ffffff eb06 }
            // n = 5, score = 200
            //   3b55dc               | cmp                 edx, dword ptr [ebp - 0x24]
            //   750b                 | jne                 0xd
            //   3b45d8               | cmp                 eax, dword ptr [ebp - 0x28]
            //   0f8217ffffff         | jb                  0xffffff1d
            //   eb06                 | jmp                 8

        $sequence_10 = { 8945b4 c645b800 e8???????? 8d4da8 8b15???????? e8???????? 8b45a8 }
            // n = 7, score = 200
            //   8945b4               | mov                 dword ptr [ebp - 0x4c], eax
            //   c645b800             | mov                 byte ptr [ebp - 0x48], 0
            //   e8????????           |                     
            //   8d4da8               | lea                 ecx, [ebp - 0x58]
            //   8b15????????         |                     
            //   e8????????           |                     
            //   8b45a8               | mov                 eax, dword ptr [ebp - 0x58]

        $sequence_11 = { 85c0 741b 83e804 85c0 752f eb24 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   741b                 | je                  0x1d
            //   83e804               | sub                 eax, 4
            //   85c0                 | test                eax, eax
            //   752f                 | jne                 0x31
            //   eb24                 | jmp                 0x26

        $sequence_12 = { 83c001 89452c eb5d c7c008000000 89452c }
            // n = 5, score = 200
            //   83c001               | add                 eax, 1
            //   89452c               | mov                 dword ptr [ebp + 0x2c], eax
            //   eb5d                 | jmp                 0x5f
            //   c7c008000000         | mov                 eax, 8
            //   89452c               | mov                 dword ptr [ebp + 0x2c], eax

        $sequence_13 = { 8b54240c f00fc74d00 3b54240c 75ce 3b442408 75c8 }
            // n = 6, score = 200
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   f00fc74d00           | lock cmpxchg8b      qword ptr [ebp]
            //   3b54240c             | cmp                 edx, dword ptr [esp + 0xc]
            //   75ce                 | jne                 0xffffffd0
            //   3b442408             | cmp                 eax, dword ptr [esp + 8]
            //   75c8                 | jne                 0xffffffca

        $sequence_14 = { 8bc6 e8???????? 50 e8???????? 85c0 7415 8b5db4 }
            // n = 7, score = 200
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7415                 | je                  0x17
            //   8b5db4               | mov                 ebx, dword ptr [ebp - 0x4c]

    // Fires when any 7 of the 15 $sequence_* strings are present in an object smaller
    // than 6717440 bytes (~6.4 MiB). The size cap is the generator's bound from the
    // documented sample; it is a file-scan assumption — YARA's filesize is only
    // defined for file scans, so when scanning process memory this comparison will
    // not hold and the rule will not fire. Re-check the bound before adjusting it for
    // larger packed or padded carriers.
    condition:
        7 of them and filesize < 6717440
}