The TA505 group, previously known for its Dridex malware and Locky ransomware campaigns, has now been observed using new techniques. A recent campaign detailed by researchers at Cybereason shows the threat actor group combining phishing attacks with advanced tooling to target the computer networks of a financial institution. To remain undetected, the group also deployed the ServHelper backdoor on infected systems.
The big picture
Reconnaissance and other activities
The researchers discovered that the ServHelper malware both collected information from and conducted reconnaissance on the infected systems.
“After the execution of rundll32.exe (Windows OS process), the PowerShell script enu.ps1 is executed. This script is encoded with Base64 in order to avoid detection by antivirus products. Upon decoding the script, it is clear that the script is responsible for gathering reconnaissance on the target machine. This includes collecting information with WMI queries to identify if the user is an administrator,” Cybereason reported.
ServHelper's other capabilities include a persistence mechanism, followed by a further internal reconnaissance step.
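The behaviour Cybereason describes above (rundll32.exe launching a Base64-encoded PowerShell script that runs WMI queries) can be picked up from process-creation telemetry. The following is an added detection example, not code from the Cybereason report or from ServHelper; the event records, field names (Sysmon-style `ParentImage`, `Image`, `CommandLine`) and the encoded script are all constructed for illustration.

```python
import base64
import ntpath
import re

def _encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand takes Base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand "
                    + _encode_ps("Get-WmiObject -Class Win32_UserAccount | Select-Object Name, SID")},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# Longest alias first so "-EncodedCommand" is not cut short by "-e".
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# WMI cmdlets/classes typically used to enumerate local accounts and groups.
WMI_RECON = re.compile(r"Get-WmiObject|Get-CimInstance|Win32_UserAccount|Win32_Group", re.IGNORECASE)

def decode_encoded_command(cmdline: str):
    """Return the decoded script from an -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # malformed Base64 or odd byte count
        return None

def analyze_event(event: dict) -> list:
    """Return the list of indicators matched by one process-creation event."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    findings = []
    if parent == "rundll32.exe" and child in ("powershell.exe", "pwsh.exe"):
        findings.append("rundll32_spawned_powershell")
    script = decode_encoded_command(event["CommandLine"])
    if script is not None:
        findings.append("encoded_command")
        if WMI_RECON.search(script):
            findings.append("wmi_recon")
    return findings

def scan(events: list) -> list:
    """Return (index, findings) for every event that matched at least one indicator."""
    return [(i, f) for i, e in enumerate(events) if (f := analyze_event(e))]
```

Matching on the decoded script rather than the raw command line is what lets the WMI check survive the Base64 layer the report mentions; the parent-child pair alone is a weaker signal and should be tuned against legitimate rundll32 usage in the environment.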