Rewterz Threat Alert – ServHelper Backdoor – Active IOCs

Severity

High

Analysis Summary

The backdoor ServHelper was initially discovered in late 2018  while being distributed by TA505. The backdoor is often given as a DLL file and is developed in Delphi. The cybercriminal gang TA505 has been detected attacking the financial and retail industries using ServHelper. They can install and deploy additional malware such as Information Stealers and Remote Access Trojans with the aid of this backdoor (RAT) (NetSupport, FlawedAmmy). It is distributed by the NSIS installer, which is often supplied as an attachment to a lure-based email. To avoid detection, the loader checks to verify if it is executing in a virtualized environment. If this is not the case, the installation will attempt to elevate privileges using DLL hacking with the help of Fubuki from UACME. The ServHelper DLL is loaded after all components have been encrypted, dropped, and installed. The threat actors will have backdoor access and will be able to send and receive data after the installation is complete. 

The common target of this malware is the finance industry. However, TA505 is recently targeting several types of enterprises in retail and hospitality. The major goal of this organization is to make money, either by directly targeting banks and their clients or by benefitting from any opportunity related to retail account access.

Impact

• Unauthorized Access
• Exposure of Sensitive Data

Indicators of Compromise

MD5

• d58684845986d5a6b8f0da7b96de6a82
• 5c562ae32328ffa9eae957405ee1ffb4
• 636bd647230fcd59b6f702479ad6f1c2

SHA-256

• 9abaaef593baed8dc0d2c120f7f65079441f42d6c788f17c8749c2da0a0289d0
• b07c95aa3a0e5b30fce4a042b6752d02a1dac8ed475dea1ff3209b35e4d18ea7
• 36ad528c3a90e0ab44c57d5788dbeee70cb808ae1f7053f1cdaadc805ea004c2

SHA-1

• 780c77c4cefdba86da3cc704184094bde27fbf4c
• 9885195c9307e49410251461af41e458ed8b0763
• c28a889e9cea0a1a84c6e6ecde82b5d0a82e3ed8

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.