Tuesday, 16 April 2019 05:49

New ServHelper malware variant looks to persist on Windows machines

Image by Pete Linforth from Pixabay

The security firm Deep Instinct claims to have found a third variant of the ServHelper Windows malware. It is being distributed by the threat actor TA505 and spreads through an Excel 4.0 macro dropper, a legacy macro mechanism that Microsoft Office still supports.
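Excel 4.0 (XLM) macros predate VBA and live on dedicated macro sheets rather than in a VBA project, so a scanner that only looks for `vbaProject.bin` will miss them. The following is an added example, not code from the article or from Deep Instinct: it builds a constructed, harmless workbook container that carries an empty macro sheet and a "veryHidden" sheet entry, then scans the OOXML package for the `xl/macrosheets/` part and hidden sheet states. The relationship type string and package paths are the ones Excel uses for OOXML macro sheets; the sample XML content is a placeholder.

```python
"""Detect Excel 4.0 (XLM) macro sheets inside an OOXML workbook (.xlsm/.xlsx)."""
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Relationship type Excel assigns to a macro sheet part.
MACROSHEET_REL = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"

# Constructed minimal workbook parts (placeholders, not a real sample).
WORKBOOK_XML = (
    f'<workbook xmlns="{MAIN_NS}" xmlns:r="{REL_NS}"><sheets>'
    '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
    "</sheets></workbook>"
)
WORKBOOK_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    f'<Relationship Id="rId1" Type="{REL_NS}/worksheet" Target="worksheets/sheet1.xml"/>'
    f'<Relationship Id="rId2" Type="{MACROSHEET_REL}" Target="macrosheets/sheet1.xml"/>'
    "</Relationships>"
)
MACROSHEET_XML = (
    '<xm:macrosheet xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">'
    "<sheetData/></xm:macrosheet>"
)


def build_sample_workbook() -> bytes:
    """Assemble the constructed package in memory; the macro sheet is empty."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", WORKBOOK_XML)
        zf.writestr("xl/_rels/workbook.xml.rels", WORKBOOK_RELS)
        zf.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{MAIN_NS}"/>')
        zf.writestr("xl/macrosheets/sheet1.xml", MACROSHEET_XML)
    return buf.getvalue()


def scan_workbook(data: bytes) -> dict:
    """Return XLM indicators found in an OOXML workbook.

    Legacy BIFF .xls files are not zip containers and need a different parser,
    so they come back with is_ooxml=False rather than a false 'clean'.
    """
    result = {"is_ooxml": False, "macrosheets": [], "macrosheet_rels": 0, "hidden_sheets": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with zf:
        names = set(zf.namelist())
        if "xl/workbook.xml" not in names:
            return result
        result["is_ooxml"] = True
        # Macro sheets are stored as separate parts under xl/macrosheets/.
        result["macrosheets"] = sorted(n for n in names if n.startswith("xl/macrosheets/"))
        # Count relationships of the macro-sheet type, independent of the path.
        if "xl/_rels/workbook.xml.rels" in names:
            rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
            result["macrosheet_rels"] = sum(1 for r in rels if r.get("Type") == MACROSHEET_REL)
        # Hidden / veryHidden sheets are a common way to keep a macro sheet out of sight.
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in wb.iter(f"{{{MAIN_NS}}}sheet"):
            state = sheet.get("state")
            if state in ("hidden", "veryHidden"):
                result["hidden_sheets"].append((sheet.get("name"), state))
    return result


def verdict(result: dict) -> str:
    """Triage label: XLM presence alone is 'review' (legitimate legacy files exist);
    a macro sheet that is also hidden is treated as 'suspicious'."""
    if not result["is_ooxml"]:
        return "unsupported-format"
    has_xlm = bool(result["macrosheets"]) or result["macrosheet_rels"] > 0
    if has_xlm and result["hidden_sheets"]:
        return "suspicious"
    return "review" if has_xlm else "clean"


if __name__ == "__main__":
    r = scan_workbook(build_sample_workbook())
    print(r, verdict(r))
```

The scanner reads only the package structure, never evaluates macro formulas, so it is safe to run on untrusted files in a mail gateway or a sandbox pre-filter; a "review" result should route the file to a macro-aware analysis tool rather than be treated as a verdict.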

In January, another company, Proofpoint, had said it had found two strains of this Windows pestilence: one aimed at remote desktop functions, and a second that is primarily a downloader for a remote access trojan known as FlawedGrace.

TA505 has also been associated with spreading other malware like Dridex, and also the Locky ransomware. ServHelper appears to be used for targeting banks, retail businesses and restaurants.

Deep Instinct malware and cyber intelligence specialist Shaul Vilkomir-Preisman told iTWire that TA505 was not associated with any specific country, but there were indications that it was from an Eastern European nation.

"Functionally, ServHelper is a fairly classic backdoor. It establishes a foothold, enables access, and carries out reconnaissance – it checks if an infected machine is part of a domain, if the user has admin privileges, gathers lists of domain admins and all other users in the domain and reports this back and awaits further instruction – these include: execute a command on the system, download additional malware, establish persistency on the infected machine," he said.

Vilkomir-Preisman said the malware used a certificate from Thawte to get past the defences of an infected machine. "We have contacted DigiCert (who operate Thawte, the issuing CA) and reported this. They were thankful for the report and revoked the certificate," he added.

Asked why threats of this kind appeared to affect only Windows systems, Vilkomir-Preisman said it was not only Windows systems that were in danger from this threat. "In recent years malware for non-Windows systems has seen a significant rise, and is expected to be on the rise with the ever increasing popularity of IoT devices which tend to be very vulnerable to attack in their off-the-shelf configuration," he said.

"Additionally, once an attacker has a foot in the door, and starts to move laterally, he can just as easily target non-Windows machines which are found on the network."

He said the new ServHelper variant looked to be aimed at establishing a long-term presence on a network. "This malware is actively gathering lists of users on domains, and finding out who the domain admins are, and unlike most malware does not establish persistency by default. This is very targeted behaviour, aimed at establishing a long term presence on a network."
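The reconnaissance Vilkomir-Preisman describes (checking domain membership and admin rights, listing domain admins and domain users) leaves a footprint in process-creation telemetry, and because the dropper is an Office macro, the chain usually starts with an Office process spawning a shell. The following is an added example, not code from the article or from Deep Instinct: a small Python triage routine over constructed JSON-lines process events that flags Office-spawned interpreters and domain-enumeration commands per host, then rates hosts where both occur. The specific command strings matched (`net group ... /domain`, `net user /domain`, `whoami /groups`) are an assumption about how such reconnaissance commonly appears in logs; the article does not name the commands ServHelper uses.

```python
"""Triage constructed process-creation events for Office-spawned shells and
domain reconnaissance of the kind described for ServHelper."""
import json
from collections import defaultdict

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed JSON-lines events (not real telemetry). Raw string keeps the
# JSON escapes intact so json.loads sees backslashes and quotes as written.
SAMPLE_EVENTS = r"""
{"ts": "2019-04-16T05:49:01Z", "host": "WS01", "user": "CORP\\alice", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami /groups"}
{"ts": "2019-04-16T05:49:02Z", "host": "WS01", "user": "CORP\\alice", "parent_image": "cmd.exe", "image": "net.exe", "command_line": "net group \"Domain Admins\" /domain"}
{"ts": "2019-04-16T05:49:03Z", "host": "WS01", "user": "CORP\\alice", "parent_image": "cmd.exe", "image": "net.exe", "command_line": "net user /domain"}
{"ts": "2019-04-16T05:52:10Z", "host": "WS02", "user": "CORP\\bob", "parent_image": "WINWORD.EXE", "image": "powershell.exe", "command_line": "powershell.exe -File update.ps1"}
{"ts": "2019-04-16T06:01:44Z", "host": "WS03", "user": "CORP\\carol", "parent_image": "explorer.exe", "image": "net.exe", "command_line": "net use Z: \\\\fileserver\\share"}
"""


def parse_events(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name, so full paths and bare names compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_shell(ev: dict) -> bool:
    """Office application as parent of a command interpreter: typical macro-dropper start."""
    return basename(ev["parent_image"]) in OFFICE_PARENTS and basename(ev["image"]) in SHELLS


def domain_enumeration(ev: dict) -> bool:
    """Assumed command shapes for the checks the article describes:
    admin-rights check (whoami /groups) and domain group/user listing (net ... /domain)."""
    image = basename(ev["image"])
    cl = ev["command_line"].lower()
    if "whoami" in cl and "/groups" in cl:
        return True
    if image in {"net.exe", "net1.exe"} and "/domain" in cl and ("group" in cl or "user" in cl):
        return True
    return False


def triage(events: list) -> dict:
    """Rate each host: both indicators -> 'high', either alone -> 'medium', none -> absent."""
    per_host = defaultdict(lambda: {"office_spawn": [], "domain_enum": []})
    for ev in events:
        if office_spawned_shell(ev):
            per_host[ev["host"]]["office_spawn"].append(ev["command_line"])
        if domain_enumeration(ev):
            per_host[ev["host"]]["domain_enum"].append(ev["command_line"])
    verdicts = {}
    for host, hits in per_host.items():
        if hits["office_spawn"] and hits["domain_enum"]:
            verdicts[host] = "high"
        else:
            verdicts[host] = "medium"
    return verdicts


if __name__ == "__main__":
    for host, level in sorted(triage(parse_events(SAMPLE_EVENTS)).items()):
        print(host, level)
```

Rating hosts rather than single events is the point: `net user /domain` on its own is routine administration, whereas the same command minutes after Excel launched `cmd.exe` on a workstation is the behaviour the article describes. The per-host bucket is also where a time window would go in production, so that an Office-spawned shell last week does not escalate an unrelated admin command today.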

Vilkomir-Preisman said Deep Instinct had observed that countries in North America and south-east Asia appeared to be the main targets of this malware.

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
