Malpedia family identifier: win.servhelper

ServHelper

Actor(s): TA505


ServHelper is written in Delphi and, according to Proofpoint, is best classified as a backdoor.

Proofpoint observed two distinct variants, "tunnel" and "downloader" (quoted from the Proofpoint report cited below):
"The 'tunnel' variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to 'hijack' legitimate user accounts or their web browser profiles and use them as they see fit. The 'downloader' variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader."

Detection note: the behaviour quoted above means a host running the tunnel variant makes outbound SSH connections it would not normally make and then carries RDP sessions over that tunnel, and that the operator may reuse existing user accounts and browser profiles rather than creating new ones; those are the network and account artefacts to hunt for. The Yara rule further down is a file/memory signature and does not cover this network behaviour.

References
2020-08-20 | CERT-FR | CERT-FR
@techreport{certfr:20200820:development:d518522, author = {{CERT-FR}}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-07-09 | Gdata | G DATA Security Lab
@online{lab:20200709:servhelper:13899fd, author = {{G DATA Security Lab}}, title = {{ServHelper: Hidden Miners}}, date = {2020-07-09}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners}, language = {English}, urldate = {2020-07-16} } ServHelper: Hidden Miners
ServHelper
2020-06-22 | CERT-FR | CERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {{CERT-FR}}, title = {{Évolution de l'activité du groupe cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution de l'activité du groupe cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-05-21 | Intel 471 | Intel 471
@online{471:20200521:brief:048d164, author = {{Intel 471}}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {{Qi Anxin Threat Intelligence Center}}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-09 | SonicWall | SonicWall
@online{sonicwall:20200109:servhelper:3e6a00c, author = {{SonicWall}}, title = {{ServHelper 2.0: Enriched with bot capabilities and allow remote desktop access}}, date = {2020-01-09}, organization = {SonicWall}, url = {https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/}, language = {English}, urldate = {2020-09-18} } ServHelper 2.0: Enriched with bot capabilities and allow remote desktop access
ServHelper
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:f38f910, author = {{SecureWorks}}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} } GOLD TAHOE
Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505
2019-12-20 | Binary Defense | James Quinn
@online{quinn:20191220:updated:2408ee7, author = {Quinn, James}, title = {{An Updated ServHelper Tunnel Variant}}, date = {2019-12-20}, organization = {Binary Defense}, url = {https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/}, language = {English}, urldate = {2020-01-13} } An Updated ServHelper Tunnel Variant
ServHelper
2019-12-17 | Blueliv | Adrián Ruiz, Jose Miguel Esparza, Blueliv Labs Team
@online{ruiz:20191217:ta505:1c1204e, author = {Ruiz, Adrián and Esparza, Jose Miguel and {Blueliv Labs Team}}, title = {{TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking}}, date = {2019-12-17}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/}, language = {English}, urldate = {2020-01-09} } TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking
ServHelper TA505
2019-08-29 | ThreatRecon | ThreatRecon Team
@online{team:20190829:sectorj04:ce6cc4b, author = {{ThreatRecon Team}}, title = {{SectorJ04 Group’s Increased Activity in 2019}}, date = {2019-08-29}, organization = {ThreatRecon}, url = {https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/}, language = {English}, urldate = {2019-10-13} } SectorJ04 Group’s Increased Activity in 2019
FlawedAmmyy ServHelper TA505
2019-08-27 | Trend Micro | Hara Hiroaki, Jaromír Hořejší, Loseway Lu
@online{hiroaki:20190827:ta505:9bcbff1, author = {Hara, Hiroaki and Hořejší, Jaromír and Lu, Loseway}, title = {{TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy}}, date = {2019-08-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/}, language = {English}, urldate = {2019-11-27} } TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
FlawedAmmyy ServHelper
2019-04-25 | Cybereason | Cybereason Nocturnus
@online{nocturnus:20190425:threat:63e7d51, author = {{Cybereason Nocturnus}}, title = {{Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware}}, date = {2019-04-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware}, language = {English}, urldate = {2020-01-08} } Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware
ServHelper TA505
2019-04-02 | DeepInstinct | Shaul Vilkomir-Preisman
@online{vilkomirpreisman:20190402:new:4dbdc56, author = {Vilkomir-Preisman, Shaul}, title = {{New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload}}, date = {2019-04-02}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/}, language = {English}, urldate = {2019-07-11} } New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload
ServHelper
2019-01-24 | 奇安信威胁情报中心 (Qi Anxin Threat Intelligence Center) | 事件追踪 (Incident Tracking)
@online{:20190124:excel:2dd401c, author = {事件追踪}, title = {{Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently}}, date = {2019-01-24}, organization = {奇安信威胁情报中心}, url = {https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/}, language = {English}, urldate = {2019-12-02} } Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently
ServHelper
2019-01-09 | Proofpoint | Dennis Schwarz, Proofpoint Staff
@online{schwarz:20190109:servhelper:e20586c, author = {Schwarz, Dennis and {Proofpoint Staff}}, title = {{ServHelper and FlawedGrace - New malware introduced by TA505}}, date = {2019-01-09}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505}, language = {English}, urldate = {2019-12-20} } ServHelper and FlawedGrace - New malware introduced by TA505
FlawedGrace ServHelper
2019 | CyberInt | CyberInt
@techreport{cyberint:2019:legit:9925ea3, author = {{CyberInt}}, title = {{Legit Remote Admin Tools Turn into Threat Actors' Tools}}, date = {2019}, institution = {CyberInt}, url = {https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf}, language = {English}, urldate = {2019-12-19} } Legit Remote Admin Tools Turn into Threat Actors' Tools
RMS ServHelper TA505
Yara Rules
[TLP:WHITE] win_servhelper_auto (20200817 | autogenerated rule brought to you by yara-signator)
/*
 * Reviewer notes on win_servhelper_auto (comments only; the rule body below is
 * byte-identical to the generated rule):
 *
 *  - The byte sequences were picked automatically by yara-signator from the
 *    disassembly of memory dumps and unpacked files (see the DISCLAIMER inside
 *    the rule). Expect hits on unpacked code, in memory or on disk; a packed
 *    dropper on disk will generally not match. The disclaimer also states that
 *    Malpedia may hold only a single sample per family, so coverage of other
 *    builds is not guaranteed.
 *  - $sequence_1 and $sequence_5 are data, not code: decoded as UTF-16LE the
 *    bytes read "winhtt" and "tp.dll" + NUL, i.e. the two halves of the wide
 *    string "winhttp.dll". The "disassembly" printed next to them is
 *    meaningless, and that string occurs in many benign Windows binaries, so
 *    these two sequences are weak discriminators on their own.
 *  - $sequence_0 and $sequence_7 overlap on the bytes 74 06 66 b8 22 00 and
 *    probably come from the same code site, so they will tend to fire
 *    together rather than independently.
 *  - $sequence_10 .. $sequence_13 (score 100, half that of the others) contain
 *    0x48 / 0x4c printed as "dec eax" / "dec esp"; in 64-bit code those bytes
 *    are REX prefixes, so these four plausibly come from an x64 build
 *    disassembled as 32-bit. Unverified from the rule alone — TODO confirm.
 *  - The meta block is descriptive only and has no effect on matching.
 *  - Condition: any 7 of the 14 sequences, plus a size cap of 6717440 bytes
 *    (about 6.4 MiB). NOTE(review): filesize is a file-level check whose
 *    behaviour in process-memory scans depends on the YARA version in use —
 *    verify before relying on the cap there.
 */
rule win_servhelper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Overlaps with $sequence_7 on 74 06 66 b8 22 00 (likely the same code site).
        $sequence_0 = { 7406 66b82200 eb04 66b800ff }
            // n = 4, score = 200
            //   7406                 | je                  8
            //   66b82200             | mov                 ax, 0x22
            //   eb04                 | jmp                 6
            //   66b800ff             | mov                 ax, 0xff00

        // Data, not code: UTF-16LE "winhtt" (first half of the wide string "winhttp.dll").
        // The disassembly below is an artefact of decoding string bytes as instructions.
        $sequence_1 = { 7700 69006e006800 7400 7400 }
            // n = 4, score = 200
            //   7700                 | ja                  2
            //   69006e006800         | imul                eax, dword ptr [eax], 0x68006e
            //   7400                 | je                  2
            //   7400                 | je                  2

        // fs:[eax] push/mov pair (??? bytes are wildcards for relocatable operands).
        $sequence_2 = { 64ff30 648920 8d45fc 8b0d???????? ba???????? }
            // n = 5, score = 200
            //   64ff30               | push                dword ptr fs:[eax]
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   8b0d????????         |                     
            //   ba????????           |                     

        $sequence_3 = { 5b c3 53 8bda b902000000 }
            // n = 5, score = 200
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   8bda                 | mov                 ebx, edx
            //   b902000000           | mov                 ecx, 2

        $sequence_4 = { eb04 5a 58 7e06 8b75d8 2b75d0 8d55fc }
            // n = 7, score = 200
            //   eb04                 | jmp                 6
            //   5a                   | pop                 edx
            //   58                   | pop                 eax
            //   7e06                 | jle                 8
            //   8b75d8               | mov                 esi, dword ptr [ebp - 0x28]
            //   2b75d0               | sub                 esi, dword ptr [ebp - 0x30]
            //   8d55fc               | lea                 edx, [ebp - 4]

        // Data, not code: UTF-16LE "tp.dll" followed by a NUL (second half of "winhttp.dll").
        // Common in benign binaries; weak as a stand-alone indicator.
        $sequence_5 = { 7400 7000 2e0064006c 006c0000 }
            // n = 4, score = 200
            //   7400                 | je                  2
            //   7000                 | jo                  2
            //   2e0064006c           | add                 byte ptr cs:[eax + eax + 0x6c], ah
            //   006c0000             | add                 byte ptr [eax + eax], ch

        $sequence_6 = { e8???????? 7512 8d4310 e8???????? 8d4314 e8???????? }
            // n = 6, score = 200
            //   e8????????           |                     
            //   7512                 | jne                 0x14
            //   8d4310               | lea                 eax, [ebx + 0x10]
            //   e8????????           |                     
            //   8d4314               | lea                 eax, [ebx + 0x14]
            //   e8????????           |                     

        // Overlaps with $sequence_0 on 74 06 66 b8 22 00.
        $sequence_7 = { e8???????? 84c0 7406 66b82200 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7406                 | je                  8
            //   66b82200             | mov                 ax, 0x22

        $sequence_8 = { 75ec 8b4604 e8???????? b2fc 22d3 8bc6 e8???????? }
            // n = 7, score = 200
            //   75ec                 | jne                 0xffffffee
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   e8????????           |                     
            //   b2fc                 | mov                 dl, 0xfc
            //   22d3                 | and                 dl, bl
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     

        $sequence_9 = { 8bc6 2b45e4 99 290424 19542404 }
            // n = 5, score = 200
            //   8bc6                 | mov                 eax, esi
            //   2b45e4               | sub                 eax, dword ptr [ebp - 0x1c]
            //   99                   | cdq                 
            //   290424               | sub                 dword ptr [esp], eax
            //   19542404             | sbb                 dword ptr [esp + 4], edx

        // Sequences 10-13 carry score 100. The 0x48 / 0x4c bytes shown as "dec eax" / "dec esp"
        // look like x64 REX prefixes, i.e. these may come from a 64-bit build — TODO confirm.
        $sequence_10 = { 8b5578 e8???????? eb71 48 }
            // n = 4, score = 100
            //   8b5578               | mov                 edx, dword ptr [ebp + 0x78]
            //   e8????????           |                     
            //   eb71                 | jmp                 0x73
            //   48                   | dec                 eax

        $sequence_11 = { 8b5578 e8???????? eb0d 48 8b4d48 48 }
            // n = 6, score = 100
            //   8b5578               | mov                 edx, dword ptr [ebp + 0x78]
            //   e8????????           |                     
            //   eb0d                 | jmp                 0xf
            //   48                   | dec                 eax
            //   8b4d48               | mov                 ecx, dword ptr [ebp + 0x48]
            //   48                   | dec                 eax

        $sequence_12 = { 8b557c e8???????? 6683f809 74cc }
            // n = 4, score = 100
            //   8b557c               | mov                 edx, dword ptr [ebp + 0x7c]
            //   e8????????           |                     
            //   6683f809             | cmp                 ax, 9
            //   74cc                 | je                  0xffffffce

        $sequence_13 = { 8b557c 035574 4c 8b85a0000000 }
            // n = 4, score = 100
            //   8b557c               | mov                 edx, dword ptr [ebp + 0x7c]
            //   035574               | add                 edx, dword ptr [ebp + 0x74]
            //   4c                   | dec                 esp
            //   8b85a0000000         | mov                 eax, dword ptr [ebp + 0xa0]

    // Any 7 of the 14 sequences above, on files smaller than 6717440 bytes (~6.4 MiB).
    // The filesize cap is only meaningful for file scans.
    condition:
        7 of them and filesize < 6717440
}