Tuesday, 16 April 2019 05:49

New ServHelper malware variant looks to persist on Windows machines

By Sam Varghese

The security firm Deep Instinct claims to have found a third variant of the ServHelper Windows malware that is being distributed by the threat actor TA505 and uses an Excel 4.0 macro Dropper, a legacy mechanism still supported by Microsoft Office, to spread.

In January, another company, Proofpoint, had said it had found two strains of this Windows pestilence: one directed at remote desktop functions, and a second that is primarily a downloader for a remote access trojan known as FlawedGrace.

TA505 has also been associated with spreading other malware like Dridex, and also the Locky ransomware. ServHelper appears to be used for targeting banks, retail businesses and restaurants.

Deep Instinct malware and cyber intelligence specialist Shaul Vilkomir-Preisman told iTWire that TA505 was not associated with any specific country, but there were indications that it was from an Eastern European nation.

"Functionally, ServHelper is a fairly classic backdoor. It establishes a foothold, enables access, and carries out reconnaissance – it checks if an infected machine is part of a domain, if the user has admin privileges, gathers lists of domain admins and all other users in the domain and reports this back and awaits further instruction – these include: execute a command on the system, download additional malware, establish persistency on the infected machine," he said.

Vilkomir-Preisman said the malware used a certificate from Thawte to get past the defences of an infected machine. "We have contacted DigiCert (who operate Thawte, the issuing CA) and reported this. They were thankful for the report and revoked the certificate," he added.

Asked why threats of this kind appeared to affect only Windows systems, Vilkomir-Preisman said it was not only Windows systems that were at risk from this threat. "In recent years malware for non-Windows systems has seen a significant rise, and is expected to be on the rise with the ever-increasing popularity of IoT devices, which tend to be very vulnerable to attack in their off-the-shelf configuration," he said.

"Additionally, once an attacker has a foot in the door, and starts to move laterally, he can just as easily target non-Windows machines which are found on the network."

He said the new ServHelper variant looked to be aimed at establishing a long-term presence on a network. "This malware is actively gathering lists of users on domains, and finding out who the domain admins are, and unlike most malware does not establish persistency by default. This is very targeted behaviour, aimed at establishing a long term presence on a network."

Vilkomir-Preisman said Deep Instinct had observed that countries in North America and south-east Asia appeared to be the main targets of this malware.


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
