Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент ServHelper
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
ServHelper
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

ServHelper

ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.(Citation: Proofpoint TA505 Jan 2019)
ID: S0382
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 29 May 2019
Last Modified: 29 May 2020

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ServHelper uses HTTP for C2.(Citation: Proofpoint TA505 Jan 2019)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

ServHelper may attempt to establish persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ run key.(Citation: Deep Instinct TA505 Apr 2019)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

ServHelper has the ability to execute a PowerShell script to get information from the infected host.(Citation: Trend Micro TA505 June 2019)
.003 Command and Scripting Interpreter: Windows Command Shell

ServHelper can execute shell commands against cmd.(Citation: Proofpoint TA505 Jan 2019)(Citation: Deep Instinct TA505 Apr 2019)

Enterprise T1136 .001 Create Account: Local Account

ServHelper has created a new user and added it to the "Remote Desktop Users" and "Administrators" groups.(Citation: Proofpoint TA505 Jan 2019)
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP.(Citation: Proofpoint TA505 Jan 2019)
Enterprise T1070 .004 Indicator Removal: File Deletion

ServHelper has a module to delete itself from the infected machine.(Citation: Proofpoint TA505 Jan 2019)(Citation: Deep Instinct TA505 Apr 2019)
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

ServHelper has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel.(Citation: Proofpoint TA505 Jan 2019)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

ServHelper contains modules that will use schtasks to carry out malicious operations.(Citation: Proofpoint TA505 Jan 2019)
Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

ServHelper contains a module for downloading and executing DLLs that leverages rundll32.exe.(Citation: Deep Instinct TA505 Apr 2019)

Groups That Use This Software
ID Name References
G0092 TA505

(Citation: Proofpoint TA505 Jan 2019) (Citation: Cybereason TA505 April 2019) (Citation: Deep Instinct TA505 Apr 2019) (Citation: Trend Micro TA505 June 2019)

References

  1. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  2. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  3. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  4. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.