ServHelper

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
ServHelper is a malicious software (malware) first introduced by TA505, a notorious cybercriminal group, in November 2018. It was initially observed in a relatively small email campaign on November 9, 2018, where thousands of messages were used to distribute this new malware family. The campaign utilized the "tunnel" variant of ServHelper, which primarily focuses on remote desktop functions. The infection was associated with certain file names, leading to the malware's name, "ServHelper". This backdoor malware allows unauthorized access and control over affected systems, potentially leading to theft of sensitive information or disruption of operations. Subsequently, TA505 launched another campaign on November 15, 2018, featuring a different variant of ServHelper, known as the "downloader". This version of the malware primarily serves to download and install additional malicious software onto the infected system. Furthermore, various malicious SSL Certificates linked to ServHelper's Command and Control (C&C) servers were observed, indicating the malware's ongoing communication with its operators for further instructions or data exfiltration. By December 13, 2018, TA505 had initiated the "FlawedGrace" campaign, once again utilizing ServHelper. Alongside this, the group also began distributing a new downloader malware named AndroMut. Throughout these campaigns, several commands such as "loaddll" and "sethijack" were identified, suggesting the sophisticated capabilities of ServHelper's C&C infrastructure. These developments highlight the evolving threat landscape and underscore the need for robust cybersecurity measures to counter such advanced threats.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Downloader
Backdoor
Trojan
Rat
Loader
Windows
Malware
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
FlawedGraceUnspecified
1
FlawedGrace is a notorious malware, a remote access trojan (RAT), that has been used extensively in cyberattacks. It was first brought to light in June 2023 when The DFIR Report revealed its use in Truebot operations. In these operations, following the successful download of a malicious file, Truebo
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
TA505Unspecified
1
TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the ServHelper Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
ServHelper and FlawedGrace - New malware introduced by TA505 | Proofpoint
MITRE
a year ago
TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader | Proofpoint US