Introduction

ServHelper is a backdoor first spotted at the end of 2018 by Proofpoint and linked to TA505. This threat actor is known to have distributed Dridex and Locky in the past, in addition to FlawedAmmyy, FlawedGrace and Get2/SDBBot more recently, amongst others.  

This blog post will offer some analysis on developments relating to ServHelper, including detail on relevant campaigns and those threat actors related to it. ServHelper was quiet for a while but it is back with several new campaigns from the first week of December 2019. IOCs and TTPs based on ATT&CK are shared at the end of the post. 

Key Points 

• The group behind ServHelper is quite likely tied to Dridex Group or a spinoff. The modus operandi and tools are also reminiscent of a group operating legitimate remote administration tools in the past, and tied to Dridex too
• TA505 has been changing tools and infection vectors continuously in the past year, going from private backdoors, loaders and stealers to legitimate remote administration tools
• The usual targets for these attacks are in the banking sector. However, more recently TA505 targeted different kind of businesses in retail and hospitality
• This group’s primary objective is financial gain either directly targeting banks, their clients, or profiting from any opportunities relating to retail account access
• Blueliv’s data shows that the country most targeted by the group is the United States, followed by Canada, Pakistan, Philippines, United Kingdom, France and Germany

Evolution of ServHelper 

ServHelper is a backdoor first spotted by Proofpoint in November 2018 when TA505 was distributing it. The backdoor has two different variants dubbed “tunnel” and “downloader” by Proofpoint. The main objective of the “downloader” version is clear from its name: it downloads and installs additional malware, in addition to executing shell commands. The “tunnel” version borrows some commands from the “downloader” version and adds several more to create and manage a back–connect connection from the infected machine to the back–connect server, permitting the attackers a direct connection to the infected machines. 

During the first half of the year TA505 used ServHelper and FlawedAmmyy consistently, using different infection vectors like Excel or Word attachments, HTML files, .lnk files or Windows Installer files. At the end of August 2019 researchers at TrendMicro spotted new commands in ServHelper “downloader” version as well as a new use of ISO files to distribute the malware. Before that, another researcher already mentioned a new Vigenère encryption used to encrypt strings within ServHelper binaries too. 

Blueliv’s Labs team analyzed some of the latest ServHelper “tunnel” versions, identifying a variety of new commands, some of which have been present for a number of months.

Of these, we believe the most interesting ones are “deployns”, which deploys NetSupport Manager, “persist” to achieve persistence in the system via file download/execution, and commands related to keylogging and browser cookie and password theft.

In the following section we will detail some of them and avoid commands already present in other writeups: 

• deployns: This command is sent to some bots to deploy NetSupport Manager, a legitimate Remote Administration Tool, in the infected systems. The command downloads the tool compressed in a zip file and encoded with a 1-byte XOR key. More information about this can be found in this writeup. These are some of the URLs we have seen related to this activity:

• persist: This command adds persistence in the machine creating a periodic task using schtasks, which runs a PowerShell script with certain frequency (every hour in the sample we analyzed). The PowerShell script uses paths retrieved from the registry to check if some files exist, downloading a new component from a link otherwise and executing it.

• keylogstart: It adds keylogging functionalities to the malware, registering keystrokes in a “tv.txt” file located in “C:\Windows\temp\”.
   
• keyloglist: This command permits verification if the keylogger is running already, looking for the existence of the pipe “\\.\pipe\txtpipe”. If it does not find the pipe it returns an error message to the C2.
   
• keylogreset: Empties the file used to register the keystrokes.  
    
• keylogdel: Kills any active keylogger instance.
   
• getkeylog: Retrieves the keystrokes from the “tv.txt” file and sends them to the control panel.

• info: This command gathers information about the infected system (CPU, graphic adapter, memory, Internet speed…) using a PowerShell script and sends that to the C2.  

• getchromepasswords: It gets the content of the file “logins_read.txt”, which has been previously filled in with stored Chrome passwords, and sends this to the control panel. This file can be found in the Windows temp directory (C:/Windows/temp). 
   
• getmozillacookies / getchromecookies: It gets the content of the files “moz.txt” and “cookies.txt”, respectively, which has been previously filled in with Firefox and Chrome cookies, and sends that to the control panel. These files can be found in the Windows temp directory (C:/Windows/temp).
   
• search: This command sends the number of the collected cookies stored in the files mentioned in the previous comment to the C2. In case no cookies are found then it sends “mozilla/chrome cookies not found” to the control panel.
   
• sshurl: It sets/retrieves the URL used to download the SSH client for Windows systems, which is used to establish the tunnel to the infected machine.
   
• setcopyurl: It sets/retrieves the URL used to download a password-protected RAR containing the tool “Runtime’s Shadow Copy”, used to copy files which are in use by the operating system. This URL and tool are used by the commands “fox” and “chrome” to copy the Firefox and Chrome profiles without problems.
   
• fixrdp: This command modifies the RDP configuration in the Windows registry to avoid the server identity verification (sets “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride” to 0) and creates a scheduled task to restart the computer. 
   
• updateuser: Uses the command “net.exe” to make sure that the current user can connect via RDP and has Admin privileges, adding the user to the groups “Remote Desktop User” and “Administrators”.
    
• update: This the command which is used with a URL as a parameter in order to download a new executable and update the bot.
    
• reboot: It creates a task to restart the computer using the command “shutdown /r /f”, launches the task and removes it.

Relevant Campaign Analysis 

During the past year we witnessed several TA505 campaigns where ServHelper was installed on victims’ computers. Some of them have been covered by Proofpoint, TrendMicro and other vendors, but due to sheer volume many of have not been assessed publicly. 

For instance, in December 2018 TA505 carried out a malspam Christmas campaign against banks worldwide by attaching excel files. It was not something new in terms of modus operandi or attack vector, but it is still relevant because of its seasonality and its targets: banking entities in countries including Chile, Italy, India or South Africa. Indeed, banking entities continued to be a prime target for a good part of the first half of the year in Ireland, Japan, Hong Kong, Turkey, Malta and Philippines amongst others. 

Since October 2019, activity related to ServHelper decreased. However, at the beginning of December new campaigns were detected.

In this section, we focus on a campaign from the end of September and involving a stealer, Predator The Thief and Team Viewer, in addition to the usual ServHelper sample. The attack vector is again a malspam campaign, but this time including a .doc file which is actually a .docx file (a2e77ee41f4d4d3e8814d07d26ec5be3). 

The malicious document includes obfuscated macros which create a BAT file in the Windows temporary directory. It execute it via cmd.exe. The BAT file contains the following line:

This command launch msiexec to download, install and execute additional malware in the system, making use of Windows Installer.

After executing the downloaded file, WinDef.msi, several files are uncompressed in a temporal directory: 

We detail the most relevant information about those files in the following subsections: 

crypted.exe 

This binary is a variant of Predator The Thief, more specifically, version 3.3.1. Predator The Thief is a stealer which collects information like stored passwords, cookies, credit card information, crypto wallets, etc. and report all back to its control panel. In this case, the malicious domain where all the data is sent is soul-fly[.]xyz.

It is not the first time we see a stealer related to TA505 and ServHelper, as we have seen infection overlaps with some specific AZORult and KPOT botnets.  

DEFOFF.exe 

This executable contains a layer of encryption to make the analysis harder, but its behavior is quite simple. The only objective of this malicious code is using the function ShellExecuteExW to execute a PowerShell command encoded in Base64. This PowerShell command re-configures Windows Defender, deactivating real–time protection, avoiding the application sending samples automatically to Microsoft, and other configurations to try to make the attack less detectable. It is quite likely that this component is a piece of code which is available in different underground communities and used by different cybercriminals. 

LDR_5622.js 

This file is a JavaScript file which is obfuscated with two different layers and which finally executes two PowerShell commands in order to download and launch additional malware from the following URLs: 

The first URL downloads another WinDef.exe file whose content is similar to the WinDef.exe files that we are describing, but also includes a 64 bit version of Predator The Thief (gookld.exe). 

The second URL was not active at the moment of the analysis, so we could not identify the malware related to it. 

signed.exe 

This executable is ServHelper, which copies a PowerShell command in the user temporary directory and executes it. As mentioned in other ServHelper analyses, the PowerShell command includes a string encoded in Base64 which is also encrypted with TripleDES. After the decryption we obtain a long script which ServHelper uses to configure and load different components and functionalities. We highlight here two different functions: heller and install. 

• heller: This function will be responsible of bypassing UAC using the Windows cloning and restoring component, Sysprep.exe, and hijacking the DLL CRYPTBASE.dll. As it is not possible to write directly in the path “%systemroot%\System32\Sysprep” to carry out the hijack, ServHelper makes use of another Windows component, wusa.exe, which permits Windows Update installations in standalone mode. wusa.exe can handle CAB files, among others, so ServHelper creates a CAB file using makecab.exe, another Windows tool, including the malicious DLL. When Sysprep is executed it loads the malicious DLL due to the DLL hijacking. This technique is mentioned in the UACMe tool.
   
• install: Thanks to this function ServHelper installs the following components, which come encoded with Base64.
  • bot: ServHelper DLL which will be copied to “%systemroot%\help\tmp5212.dat”. 
  • bot64: 64-bit version of bot.
  • rdp: It is the RDP Wrapper Library which will be executed together with the RDP server installed in “%systemroot%\help\tmp5211.dat”. One of the main functionalities is permitting concurrent connections to the infected machine.
  • rdp64: 64-bit version of rdp.
  • cfg: RDP Wrapper Library configuration, copied to “%systemroot%\help\tmp5213.dat”.
  • clip: Legitimate rdpclip.exe. If it is not present already in the infected system, it will be copied to “%systemroot%\system32\rdpclip.exe”. 
  • vmt: Legitimate rfxvmt.dll. If it is not present already in the infected system, it will be copied to “%systemroot%\system32\rfxvmt.dll”.

This campaign belongs to the ServHelper botnet which uses the communication key “tkerrrwra” and XOR key “tea”. We have seen that this botnet is most active currently, being April 2019 the moment when we saw the first samples related to it. 

TeamViewer Hijacking

Most of the Team Viewer files that are extracted from WinDef.exe are legitimate files of Team Viewer version 11.0.64630.0:

• TeamViewer.ini
• TeamViewer_Desktop.exe
• TeamViewer_Resource_en.dll
• TeamViewer_StaticRes.dll
• windef.exe

However, the DLL msi.dll is not a legitimate Team Viewer file, but a malicious DLL which is loaded also as a result of DLL hijacking and takes advantage of the Windows DLL loading order. When the TeamViewer launcher, windef.exe, is executed, it finds the malicious msi.dll and loads it into memory. This malicious DLL is used to intercept different Team Viewer functions in order to hide the application window and send the session ID, password and system information to the configured C2: