Register to stream ATT&CKcon 2.0 October 29-30


ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.[1]

ID: S0382
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface ServHelper can execute shell commands against cmd. [1] [2]
Enterprise T1043 Commonly Used Port ServHelper has used port 80 and 443 for C2. [1]
Enterprise T1136 Create Account ServHelper may create a new account and add the new user to the "Remote Desktop Users" and "Administrators" groups. [1]
Enterprise T1107 File Deletion ServHelper has a module to delete itself from the infected machine. [1] [2]
Enterprise T1060 Registry Run Keys / Startup Folder ServHelper may attempt to establish persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ run key. [2]
Enterprise T1076 Remote Desktop Protocol ServHelper has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel. [1]
Enterprise T1105 Remote File Copy ServHelper may download additional files to execute. [1] [2]
Enterprise T1085 Rundll32 ServHelper contains a module for downloading and executing DLLs that leverages rundll32.exe. [2]
Enterprise T1053 Scheduled Task ServHelper contains modules that will use schtasks to carry out malicious operations. [1]
Enterprise T1071 Standard Application Layer Protocol ServHelper uses HTTP for C2. [1]
Enterprise T1032 Standard Cryptographic Protocol ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP. [1]
Enterprise T1082 System Information Discovery ServHelper will attempt to enumerate Windows version and system architecture. [1]
Enterprise T1033 System Owner/User Discovery ServHelper will attempt to enumerate the username of the victim. [1]

Groups That Use This Software

ID Name References
G0092 TA505 [1] [3] [2]