ServHelper

ServHelper is a malicious software (malware) first introduced by TA505, a notorious cybercriminal group, in November 2018. It was initially observed in a relatively small email campaign on November 9, 2018, where thousands of messages were used to distribute this new malware family. The campaign utilized the "tunnel" variant of ServHelper, which primarily focuses on remote desktop functions. The infection was associated with certain file names, leading to the malware's name, "ServHelper". This backdoor malware allows unauthorized access and control over affected systems, potentially leading to theft of sensitive information or disruption of operations. Subsequently, TA505 launched another campaign on November 15, 2018, featuring a different variant of ServHelper, known as the "downloader". This version of the malware primarily serves to download and install additional malicious software onto the infected system. Furthermore, various malicious SSL Certificates linked to ServHelper's Command and Control (C&C) servers were observed, indicating the malware's ongoing communication with its operators for further instructions or data exfiltration. By December 13, 2018, TA505 had initiated the "FlawedGrace" campaign, once again utilizing ServHelper. Alongside this, the group also began distributing a new downloader malware named AndroMut. Throughout these campaigns, several commands such as "loaddll" and "sethijack" were identified, suggesting the sophisticated capabilities of ServHelper's C&C infrastructure. These developments highlight the evolving threat landscape and underscore the need for robust cybersecurity measures to counter such advanced threats.