Tuesday, 16 April 2019 05:49

New ServHelper malware variant looks to persist on Windows machines

Image by Pete Linforth from Pixabay

The security firm Deep Instinct claims to have found a third variant of the ServHelper Windows malware. It is being distributed by the threat actor TA505 and spreads using an Excel 4.0 macro dropper, a legacy mechanism still supported by Microsoft Office.

In January, another company, Proofpoint, had said it had found two strains of this Windows pestilence: one directed at remote desktop functions and a second that is primarily a downloader for a remote access trojan known as FlawedGrace.

TA505 has also been associated with spreading other malware such as Dridex and the Locky ransomware. ServHelper appears to be used for targeting banks, retail businesses and restaurants.

Deep Instinct malware and cyber intelligence specialist Shaul Vilkomir-Preisman told iTWire that TA505 was not associated with any specific country, but there were indications that it was from an Eastern European nation.

"Functionally, ServHelper is a fairly classic backdoor. It establishes a foothold, enables access, and carries out reconnaissance – it checks if an infected machine is part of a domain, if the user has admin privileges, gathers lists of domain admins and all other users in the domain and reports this back and awaits further instruction – these include: execute a command on the system, download additional malware, establish persistency on the infected machine," he said.

Vilkomir-Preisman said the malware used a certificate from Thawte to get past the defences of an infected machine. "We have contacted DigiCert (who operate Thawte, the issuing CA) and reported this. They were thankful for the report and revoked the certificate," he added.

Asked why threats of this kind appeared to affect only Windows systems, Vilkomir-Preisman said it was not only Windows systems that were in danger from this threat. "In recent years malware for non-Windows systems has seen a significant rise, and is expected to be on the rise with the ever-increasing popularity of IoT devices which tend to be very vulnerable to attack in their off-the-shelf configuration," he said.

"Additionally, once an attacker has a foot in the door, and starts to move laterally, he can just as easily target non-Windows machines which are found on the network."

He said the new ServHelper variant looked to be aimed at establishing a long-term presence on a network. "This malware is actively gathering lists of users on domains, and finding out who the domain admins are, and unlike most malware does not establish persistency by default. This is very targeted behaviour, aimed at establishing a long-term presence on a network."
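The reconnaissance pattern described above (domain membership check, privilege check, domain admin and domain user enumeration) is something a defender can hunt for in process-creation telemetry even when, as the article notes, the malware leaves no persistence artefact. The following script is an added example and is not code from Deep Instinct, Proofpoint or iTWire; the log line format, the host names and the mapping of each reconnaissance step to a particular command line are assumptions chosen for illustration, not indicators published for ServHelper.

```python
"""Flag hosts that run several distinct domain-reconnaissance steps in a short window.

Added example with constructed input. The log format, host names and the
command-line patterns below are assumptions, not published ServHelper indicators.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping of the article's four recon steps to command lines a defender
# might see in process-creation events (e.g. Windows Event ID 4688 or Sysmon ID 1).
RECON_PATTERNS = {
    "domain_membership": re.compile(r"\b(systeminfo|wmic\s+computersystem)\b", re.I),
    "admin_check": re.compile(r"\bwhoami\s+/groups\b|\bnet\s+localgroup\s+administrators\b", re.I),
    "domain_admin_enum": re.compile(r'\bnet\s+group\s+"?domain admins"?\s+/domain\b', re.I),
    "domain_user_enum": re.compile(r"\bnet\s+user\s+/domain\b", re.I),
}

# Constructed log line shape: "<ISO timestamp> host=<name> user=<name> cmd=<command line>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "host": m.group("host"),
        "user": m.group("user"),
        "cmd": m.group("cmd"),
    }


def classify(cmd):
    """Return the recon step name a command line matches, or None."""
    for name, pat in RECON_PATTERNS.items():
        if pat.search(cmd):
            return name
    return None


def find_recon_hosts(lines, window=timedelta(minutes=10), min_steps=3):
    """Return {host: sorted step names} for hosts with >= min_steps distinct
    recon steps inside any `window`-long interval. Single commands are common
    admin activity; the combination in a short burst is what stands out."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        step = classify(rec["cmd"])
        if step:
            events[rec["host"]].append((rec["ts"], step))

    flagged = {}
    for host, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            steps = {s for t, s in evs[i:] if t - t0 <= window}
            if len(steps) >= min_steps:
                flagged[host] = sorted(steps)
                break
    return flagged


# Constructed sample telemetry: WS-017 shows the full burst, WS-042 only two
# steps hours apart (benign admin work), plus one malformed line.
SAMPLE_LOG = [
    "2019-04-15T09:01:03 host=WS-017 user=jdoe cmd=systeminfo",
    "2019-04-15T09:01:09 host=WS-017 user=jdoe cmd=whoami /groups",
    '2019-04-15T09:01:20 host=WS-017 user=jdoe cmd=net group "domain admins" /domain',
    "2019-04-15T09:05:00 host=WS-017 user=jdoe cmd=net user /domain",
    "2019-04-15T10:30:00 host=WS-042 user=admin cmd=systeminfo",
    "2019-04-15T14:00:00 host=WS-042 user=admin cmd=whoami /groups",
    "not a log line",
]

if __name__ == "__main__":
    for host, steps in find_recon_hosts(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(steps)}")
```

The threshold of three distinct steps within ten minutes is a starting point; tune it against a baseline of legitimate help-desk and administrator activity, and correlate with the user field so that a burst from an ordinary user account weighs more than the same burst from a known admin.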

Vilkomir-Preisman said Deep Instinct had observed that countries in North America and south-east Asia appeared to be the main targets of this malware.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


