TA505 Group Pushes Signed ServHelper Backdoor

Delaware, USA – April 25, 2019 – Cybereason researchers intercepted an attack by the TA505 hacker group targeting a large financial organization and analyzed the cybercriminals' techniques and tools. TA505 has been conducting its operations for about 5 years; previously, the group used large-scale malspam campaigns to distribute RATs, ransomware and banking trojans. In the attack discovered by Cybereason, the adversaries switched to a targeted spear-phishing attack, sending only a small number of carefully crafted emails to several employees of a financial organization. The emails contained an MS Excel file with a macro that abuses legitimate Windows binaries to download and deploy the ServHelper backdoor. In total, 4 LOLBins were involved in the infection process. The final payload was properly signed with a certificate issued by Sectigo RSA Code Signing CA, and the certificate had been issued just a few hours before the attack began. The malware scans the system and sends the collected data to the C&C server, from which it then receives instructions on how to establish persistence. The new version of ServHelper is equipped with a mechanism for self-destruction and removal of all traces of the attack, as well as a list of fallback C&C server addresses in case the main one is blocked.

The researchers note that the financially motivated group has begun to use techniques typically seen in state-sponsored attacks, such as living off the land binaries and signing malware with valid certificates. Judging by the small number of targets and the short time between preparing the malware and launching the attack, the attackers had already carried out reconnaissance and selected the most suitable victims. You can detect suspicious actions that may indicate the beginning of an attack on your organization using a SIEM and the specialized rule packs available at Threat Detection Marketplace:
Sysmon Framework – https://my.socprime.com/en/integrations/sysmon-framework-arcsight
Threat Hunting Framework – https://my.socprime.com/en/integrations/threat-hunting-framework-arcsight
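Two of the detection ideas above, as an added example that is not part of the original article or of any SOC Prime rule pack: walking Sysmon process-creation ancestry to flag anything descended from an Office application (the macro-to-LOLBin chain), and flagging a signed binary whose code-signing certificate became valid only hours before the file was first seen. The event records, PIDs, paths and timestamps are constructed for illustration; the LOLBin names from the real attack are not given in the article, so only cmd.exe and a generic dropped payload appear in the sample chain.

```python
import ntpath
from datetime import datetime, timedelta

# Office applications that normally have no command-line or scripting children.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
# Chain: explorer -> EXCEL (macro) -> cmd -> dropped payload; chrome is a benign sibling.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Local\Temp\payload.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]


def office_descendants(events):
    """Return the image basename of every process with an Office app anywhere in its ancestry.

    Walking the full chain (not just the direct parent) catches LOLBins that are
    launched several hops below the macro host."""
    by_pid = {e["pid"]: e for e in events}
    flagged = []
    for e in events:
        pid, seen = e["ppid"], set()
        while pid in by_pid and pid not in seen:  # guard against PID-reuse cycles
            seen.add(pid)
            parent = by_pid[pid]
            if ntpath.basename(parent["image"]).lower() in OFFICE_APPS:
                flagged.append(ntpath.basename(e["image"]))
                break
            pid = parent["ppid"]
    return flagged


def freshly_signed(first_seen, cert_not_before, max_age=timedelta(hours=24)):
    """True when the signing certificate became valid less than max_age before the
    binary was first observed. A valid signature says nothing about intent; in the
    TA505 case the certificate was only hours old when the attack started."""
    return cert_not_before <= first_seen < cert_not_before + max_age


if __name__ == "__main__":
    print("Office-descended processes:", office_descendants(EVENTS))
    seen = datetime(2019, 4, 20, 9, 3)          # constructed first-seen time of payload.exe
    issued = datetime(2019, 4, 20, 3, 0)        # constructed certificate NotBefore
    print("Certificate issued within 24h of first sighting:", freshly_signed(seen, issued))
```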