Helminth is a backdoor that has at least two variants: one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable. [1]

ID: S0170
Contributors: Robert Falcone

Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1119 | Automated Collection | A Helminth VBScript receives a batch script to execute a set of commands in a command prompt. [1]
Enterprise | T1115 | Clipboard Data | The executable version of Helminth has a module to log clipboard contents. [1]
Enterprise | T1116 | Code Signing | Helminth samples have been signed with legitimate, compromised code signing certificates owned by the software company AI Squared. [2]
Enterprise | T1059 | Command-Line Interface | Helminth can provide a remote shell. [1]
Enterprise | T1132 | Data Encoding | For C2 over HTTP, Helminth encodes data with base64 and sends it in the "Cookie" field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values and sends the data in cleartext. [1]
Enterprise | T1074 | Data Staged | Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server. [1]
Enterprise | T1030 | Data Transfer Size Limits | Helminth splits data into chunks of up to 23 bytes and sends the data in DNS queries to its C2 server. [1]
Enterprise | T1056 | Input Capture | The executable version of Helminth has a module to log keystrokes. [1]
Enterprise | T1027 | Obfuscated Files or Information | The Helminth config file is encrypted with RC4. [1]
Enterprise | T1069 | Permission Groups Discovery | Helminth has checked for the local admin group, the domain admin group and the Exchange Trusted Subsystem group using the commands net group "Exchange Trusted Subsystem" /domain and net group "domain admins" /domain. [3]
Enterprise | T1086 | PowerShell | One version of Helminth uses a PowerShell script. [1]
Enterprise | T1057 | Process Discovery | Helminth has used Tasklist to get information on processes. [3]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Helminth establishes persistence by creating a shortcut in the Start Menu folder. [1]
Enterprise | T1105 | Remote File Copy | Helminth can download additional files. [1]
Enterprise | T1053 | Scheduled Task | Helminth has used a scheduled task for persistence. [2]
Enterprise | T1064 | Scripting | One version of Helminth consists of VBScript and PowerShell scripts. The malware also uses batch scripting. [1]
Enterprise | T1023 | Shortcut Modification | Helminth establishes persistence by creating a shortcut. [1]
Enterprise | T1071 | Standard Application Layer Protocol | Helminth can use HTTP or DNS for C2. [1]
Enterprise | T1032 | Standard Cryptographic Protocol | Helminth encrypts data sent to its C2 server over HTTP with RC4. [1]
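The Data Encoding, Data Transfer Size Limits and Standard Cryptographic Protocol rows above describe two C2 channels: RC4-then-base64 in an HTTP Cookie header, and hex-encoded data carried in DNS queries in chunks of up to 23 bytes. The following is an added example, not code from ATT&CK, the cited reports or the malware itself: it simulates both encodings as the rows describe them and then reassembles and flags the DNS side, which is the part a defender can act on without the RC4 key. The C2 domain, the RC4 key and the "<seq>.<hex>.<domain>" query-name layout are assumptions made for the example; the real wire format is not on this page.

```python
# Added example (not ATT&CK's or the malware's code): simulation of the two
# Helminth C2 encodings described in the technique table, plus a reassembler and
# a detection heuristic for the DNS side.
# Assumptions: C2_DOMAIN, RC4_KEY and the "<seq>.<hex>.<domain>" query layout.
import base64
import re
from collections import defaultdict

MAX_CHUNK = 23                   # page: DNS data is split into chunks of up to 23 bytes
C2_DOMAIN = "c2.example.test"    # hypothetical C2 domain (assumption)
RC4_KEY = b"example-key"         # assumption; the real key is not on the page


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Symmetric: one call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def http_cookie_encode(plaintext: bytes) -> str:
    """HTTP channel as the page describes it: RC4-encrypt, then base64 the result
    so it can travel as the value of the Cookie header."""
    return base64.b64encode(rc4(RC4_KEY, plaintext)).decode("ascii")


def http_cookie_decode(cookie_value: str) -> bytes:
    """Reverse of http_cookie_encode (only possible when the key is known)."""
    return rc4(RC4_KEY, base64.b64decode(cookie_value))


def dns_encode(payload: bytes, domain: str = C2_DOMAIN) -> list:
    """DNS channel: hex-encode the data and emit one query name per <=23-byte chunk.
    23 bytes -> 46 hex characters, which fits inside a single 63-character DNS label."""
    return [
        f"{seq}.{payload[off:off + MAX_CHUNK].hex()}.{domain}"
        for seq, off in enumerate(range(0, len(payload), MAX_CHUNK))
    ]


# Sequence label, then 1..23 hex byte pairs, then the parent domain (assumed layout).
HEX_QUERY = re.compile(r"^(\d+)\.((?:[0-9a-f]{2}){1,%d})\.(.+)$" % MAX_CHUNK)


def dns_reassemble(query_names) -> dict:
    """Group hex-label queries per parent domain, order them by sequence number,
    hex-decode and join. Returns {domain: payload}; non-matching names are ignored."""
    chunks = defaultdict(dict)
    for name in query_names:
        m = HEX_QUERY.match(name.lower())
        if m:
            seq, hexdata, domain = m.groups()
            chunks[domain][int(seq)] = bytes.fromhex(hexdata)
    return {d: b"".join(parts[i] for i in sorted(parts)) for d, parts in chunks.items()}


def suspicious_dns_domains(query_names, min_queries: int = 3) -> list:
    """Detection heuristic: a parent domain that receives several queries whose
    data label is pure hex and no longer than one 23-byte chunk."""
    counts = defaultdict(int)
    for name in query_names:
        m = HEX_QUERY.match(name.lower())
        if m:
            counts[m.group(3)] += 1
    return sorted(d for d, n in counts.items() if n >= min_queries)


if __name__ == "__main__":
    stolen = b'net group "domain admins" /domain -> Administrator, svc_backup'  # constructed
    cookie = http_cookie_encode(stolen)
    print("Cookie:", cookie, "| decrypted:", http_cookie_decode(cookie))
    queries = dns_encode(stolen) + ["www.example.test", "mail.example.test"]  # constructed noise
    print(suspicious_dns_domains(queries), dns_reassemble(queries))
```

The HTTP side is only decodable with the key, which is why the practical detection here sits on the DNS side: the 23-byte chunk limit gives a fixed upper bound on label length (46 hex characters) that a resolver log query can key on, whereas a base64 Cookie value on its own is indistinguishable from a legitimate session token.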

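The host-side behaviours in the table (the net group and Tasklist discovery commands, the Start Menu shortcut and the scheduled task used for persistence) are individually common on administrator workstations, so a detection that fires on any one of them is noisy. The following is an added example, not code from ATT&CK or the cited reports: it runs rules for those rows over constructed Sysmon-style events and raises a host only when several distinct Helminth behaviours co-occur on it. The Sysmon field names (EventID 1 for process creation, 11 for file creation), the Startup-folder path for the shortcut, and the use of schtasks /create for the scheduled task are assumptions for the example; the page does not state how the task or shortcut is created.

```python
# Added example (not ATT&CK's, the cited reports' or the malware's code): host-side
# detection logic for the Permission Groups Discovery, Process Discovery, Scheduled
# Task and shortcut-persistence rows, run over constructed Sysmon-style events.
# Assumptions: Sysmon field names (EventID 1 = process creation, 11 = file creation),
# the Startup-folder location of the shortcut, and schtasks /create for the task.
import re

EVENTS = [  # constructed telemetry, not from a real incident
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net  group "Exchange Trusted Subsystem" /domain'},
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "domain admins" /domain'},
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": "tasklist /v"},
    {"EventID": 11, "Host": "ws01", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 1, "Host": "ws02", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\fs01\share"},
    {"EventID": 1, "Host": "ws02", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "powershell -w hidden -f C:\Users\Public\u.ps1"'},
]

# (technique ID, technique name, Sysmon EventID, field to inspect, pattern)
RULES = [
    ("T1069", "Permission Groups Discovery", 1, "CommandLine",   # the two commands from the table
     re.compile(r'\bnet1?(\.exe)?\s+group\s+"?(domain admins|exchange trusted subsystem)"?\s+/domain\b', re.I)),
    ("T1057", "Process Discovery", 1, "Image",
     re.compile(r"\\tasklist\.exe$", re.I)),
    ("T1060", "Registry Run Keys / Startup Folder", 11, "TargetFilename",  # also the T1023 row
     re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)),
    ("T1053", "Scheduled Task", 1, "CommandLine",                # assumed creation method
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
]


def match_events(events) -> list:
    """Return one hit per (event, rule) pair, in event order."""
    hits = []
    for ev in events:
        for tid, tname, event_id, field, pattern in RULES:
            if ev.get("EventID") == event_id and pattern.search(ev.get(field, "")):
                hits.append({"host": ev["Host"], "technique": tid, "name": tname,
                             "evidence": ev.get(field)})
    return hits


def techniques_by_host(events) -> dict:
    """Distinct technique IDs observed per host."""
    seen = {}
    for hit in match_events(events):
        seen.setdefault(hit["host"], set()).add(hit["technique"])
    return seen


def flag_hosts(events, min_techniques: int = 2) -> list:
    """Hosts on which at least min_techniques distinct Helminth behaviours appear.
    A single rule (one admin running net group) is weak evidence; the combination
    on one host is what makes the alert worth raising."""
    return sorted(h for h, t in techniques_by_host(events).items() if len(t) >= min_techniques)


if __name__ == "__main__":
    for hit in match_events(EVENTS):
        print(f'{hit["host"]}: {hit["technique"]} {hit["name"]} <- {hit["evidence"]}')
    print("flagged:", flag_hosts(EVENTS))
```

With the constructed events, ws01 shows discovery of both privileged groups, a Tasklist run and a new .lnk in the Startup folder and is flagged, while ws02 shows only a schtasks /create and is not; lowering min_techniques to 1 turns the same rules into per-event alerts for triage.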

Groups that use this software: