TA505 group uses LOLBins and ServHelper backdoor to compromise financial firms

  • Extensive research revealed that the threat actor group was using multiple tactics to avoid detection.
  • The new campaign carried out by TA505 relied on native Windows OS processes as well as a variety of deception techniques.

TA505, a group previously known for its Dridex malware and Locky ransomware campaigns, has now been observed using different techniques. A recent campaign detailed by researchers at Cybereason shows the group combining phishing with advanced tooling to target the computer network of a financial institution. To remain undetected on compromised hosts, the group deployed the ServHelper backdoor.

The big picture

  • Cybereason’s researchers found that the latest TA505 campaign targeted specific accounts in the company with phishing.
  • The group used multiple C2 domains in the campaign to avoid blacklisting and other disruptions to its communications; the redundant domains ensured the group always had at least one reachable C2 server to operate from.
  • The ServHelper backdoor used in the campaign relied on four LOLBins and several native Windows OS processes to carry out its malicious activities.
  • In addition, ServHelper was signed with a valid code-signing certificate issued by Sectigo RSA Code Signing CA, which helped it evade detection.

Reconnaissance and other activities

The researchers found that the ServHelper malware both collected information from and conducted reconnaissance on the infected systems.

“After the execution of rundll32.exe (Windows OS process), the PowerShell script enu.ps1 is executed. This script is encoded with Base64 in order to avoid detection by antivirus products. Upon decoding the script, it is clear that the script is responsible for gathering reconnaissance on the target machine. This includes collecting information with WMI queries to identify if the user is an administrator,” Cybereason reported.

Other capabilities observed include a persistence mechanism used by ServHelper and a second, internal reconnaissance routine.
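The behaviour Cybereason describes above, rundll32.exe launching a Base64-encoded PowerShell script that runs WMI queries to check whether the user is an administrator, leaves a recognisable trail in process-creation telemetry. The following is an added example, not code from the article or from Cybereason, showing how a defender can flag that chain: it decodes `-EncodedCommand` payloads (UTF-16LE, then Base64, which is how PowerShell expects them) and looks for reconnaissance markers in the result. The event fields (Sysmon Event ID 1 style `ParentImage`, `Image`, `CommandLine`) and the sample events and script are constructed for the example and are assumptions, not indicators from the campaign.

```python
import base64
import re

# Constructed sample: a recon one-liner of the kind the article describes
# (a WMI query plus an administrator-membership check), encoded the way
# PowerShell's -EncodedCommand expects: UTF-16LE text, then Base64.
RECON_SCRIPT = (
    "Get-WmiObject Win32_ComputerSystem; "
    "([Security.Principal.WindowsPrincipal]"
    "[Security.Principal.WindowsIdentity]::GetCurrent())"
    ".IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)"
)
ENCODED = base64.b64encode(RECON_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed process-creation events (Sysmon Event ID 1 style fields, assumed).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Substrings that, in a decoded script, suggest host recon / admin checks.
RECON_MARKERS = ("Get-WmiObject", "Win32_", "IsInRole", "Administrator", "S-1-5-32-544")


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand
    (or an accepted abbreviation such as -e / -ec / -enc), otherwise None."""
    for m in re.finditer(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE):
        flag = m.group(1).lower()
        # PowerShell accepts any unambiguous prefix of EncodedCommand, plus -ec.
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def analyze_event(ev):
    """Return a list of findings for one process-creation event (empty if benign)."""
    findings = []
    parent = ev["ParentImage"].lower()
    image = ev["Image"].lower()
    # rundll32.exe spawning PowerShell is the parent/child chain from the report.
    if parent.endswith("\\rundll32.exe") and image.endswith("\\powershell.exe"):
        findings.append("rundll32 -> powershell parent/child chain")
    script = decode_encoded_command(ev["CommandLine"])
    if script is not None:
        findings.append("encoded PowerShell command")
        hits = [mk for mk in RECON_MARKERS if mk in script]
        if hits:
            findings.append("recon markers: " + ", ".join(hits))
    return findings


def scan(events):
    """Map event index -> findings, keeping only events that produced findings."""
    results = {}
    for i, ev in enumerate(events):
        findings = analyze_event(ev)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(findings))
```

The decode step matters because the encoded form defeats simple command-line string matching, which is exactly why the campaign used it; the parent/child check and the marker check are independent signals, so an alert that fires on both is considerably stronger than either alone.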