ServHelper

ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.[1]

ID: S0382
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

ServHelper can execute shell commands against cmd.[1][2]

Enterprise T1043 Commonly Used Port

ServHelper has used port 80 and 443 for C2.[1]

Enterprise T1136 Create Account

ServHelper may create a new account and add the new user to the "Remote Desktop Users" and "Administrators" groups.[1]

Enterprise T1107 File Deletion

ServHelper has a module to delete itself from the infected machine.[1][2]

Enterprise T1060 Registry Run Keys / Startup Folder

ServHelper may attempt to establish persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ run key.[2]

Enterprise T1076 Remote Desktop Protocol

ServHelper has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel.[1]

Enterprise T1105 Remote File Copy

ServHelper may download additional files to execute.[1][2]

Enterprise T1085 Rundll32

ServHelper contains a module for downloading and executing DLLs that leverages rundll32.exe.[2]

Enterprise T1053 Scheduled Task

ServHelper contains modules that will use schtasks to carry out malicious operations.[1]

Enterprise T1071 Standard Application Layer Protocol

ServHelper uses HTTP for C2.[1]

Enterprise T1032 Standard Cryptographic Protocol

ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP.[1]

Enterprise T1082 System Information Discovery

ServHelper will attempt to enumerate Windows version and system architecture.[1]

Enterprise T1033 System Owner/User Discovery

ServHelper will attempt to enumerate the username of the victim.[1]

Groups That Use This Software

ID Name References
G0092 TA505 [1] [3] [2]

References