ServHelper
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
ServHelper uses HTTP for C2.(Citation: Proofpoint TA505 Jan 2019) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
ServHelper may attempt to establish persistence via the |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
ServHelper has the ability to execute a PowerShell script to get information from the infected host.(Citation: Trend Micro TA505 June 2019) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
ServHelper can execute shell commands against cmd.(Citation: Proofpoint TA505 Jan 2019)(Citation: Deep Instinct TA505 Apr 2019) |
||
| Enterprise | T1136 | .001 | Create Account: Local Account |
ServHelper has created a new user and added it to the "Remote Desktop Users" and "Administrators" groups.(Citation: Proofpoint TA505 Jan 2019) |
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP.(Citation: Proofpoint TA505 Jan 2019) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
ServHelper has a module to delete itself from the infected machine.(Citation: Proofpoint TA505 Jan 2019)(Citation: Deep Instinct TA505 Apr 2019) |
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
ServHelper has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel.(Citation: Proofpoint TA505 Jan 2019) |
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
ServHelper contains modules that will use schtasks to carry out malicious operations.(Citation: Proofpoint TA505 Jan 2019) |
| Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
ServHelper contains a module for downloading and executing DLLs that leverages |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0092 | TA505 |
(Citation: Proofpoint TA505 Jan 2019) (Citation: Cybereason TA505 April 2019) (Citation: Deep Instinct TA505 Apr 2019) (Citation: Trend Micro TA505 June 2019) |
References
- Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
- Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
- Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
- Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.