At the end of July 2019, we encountered an interesting piece of malware distributed by the TA505 group, and on July 22, 2019 uploaded it into ANY.RUN to put it through a dynamic analysis. Viewing the results, two anomalies attracted our attention—in addition to the tags usually displayed for TA505 ServHelper, the "netsupport" tag also appeared; additionally, the NetSupport RAT was listed among network signature events.

This might seem strange at first glance, since the ServHelper backdoor already provides attackers with a significant amount of control over their victims' computers. To get a better understanding of what's going on, let's take a closer look at how the malware functions.

NSIS and PowerShell droppers

The executable PE file that begins our analysis is an installer on the Nullsoft Scriptable Install System (NSIS) platform. This NSIS script, which is responsible for installation, extracts and runs a nested PowerShell script:

The PowerShell script that is run contains a Base64-encoded buffer (truncated in the image below for clarity), which, after decoding, is decrypted by the Triple DES (3DES) algorithm in CBC mode:

The first segment of the script defines a function called heller, which raises system privileges and allows UAC defenses to be bypassed. Two techniques are implemented to this end:

Technique 1 — using the SilentCleanup task in the Task Scheduler:

• SilentCleanup can be launched by the user, in which case it runs with elevated privileges. The path to the executable file is specified in its properties using the %windir% environment variable, the value of which can be reset—to trigger the launch of a PowerShell script, for instance. In this case, running the task will cause the PowerShell script to launch with admin privileges, bypassing the UAC.
• This technique is used by hackers to target Windows 8 and Windows 10 systems.
• The code behind this technique is identical to the module implementation for the Metasploit framework.

Technique 2 — using the sysprep.exe system utility and DLL side-loading:

• First, a helper script is created to relaunch the PowerShell script in the directory C:\Windows\Temp. Then a CAB archive is created containing an auxiliary DLL, CRYPTBASE.dll (the PowerShell script contains both x86 and x64 versions of the library). This archive is then unpacked into the folder C:\Windows\System32\Sysprep using the wusa.exe system utility. Next, the sysprep.exe system utility launches, loading the DLL which was previously unpacked, and the DLL proceeds to execute a helper script. The outcome is that the PowerShell script will be relaunched with administrator privileges, bypassing the UAC.
• Hackers use this technique to target Windows 7 systems.
• • You can read a detailed description of this technique here, and find samples of its implementation in this project on Github.

The script contains a large number of comments, an unused Test-Administrator function, and uninitialized variables. This indicates that the code was copied directly without concern for conciseness.

Once the script has been run with the necessary privileges, the second segment is executed. At this stage, the target payloads are decoded:

• The string is decoded from Base64.
• The data is decompressed using Deflate.
• The string is re-decoded from Base64.

As a result, the following files will be created in the system:

• %systemroot%\help\hlp11.dat — a x86/x64 version of the RDP Wrapper Library. This is used to expand the functionality of the RDP service, including the allowance of multiple simultaneous connections. It is important to note that the library is modified: after being launched, linear XOR quickly decodes the string c:\windows\help\hlp12.dat, then downloads the DLL via the resulting path:

• %systemroot%\help\hlp12.dat—a x86/x64 version of the ServHelper backdoor. Discussed in the next section.
• %systemroot%\help\hlp13.dat—a configuration file for the RDP Wrapper Library.
• %systemroot%\system32\rdpclip.exe—an RDP component allowing the exchange of clipboard data.
• %systemroot%\system32\rfxvmt.dll—an RDP component for data transfer using RemoteFX.

Once the payload bas been extracted and written, the script configures its components:

• The owner of the rfxvmt.dll component is changed to NT SERVICE\TrustedInstaller and the new owner is granted permissions.
• The port value for RDP connections is changed from 3389 (the standard value) down to 720.
• A network services account is added as a local administrator.
• hlp11.dat is registered as an RDP service and the RDP is rebooted.
• All temporary files that were created are deleted.

ServHelper RAT → Dropper

One result of the droppers is a DLL called hlp12.dat, which is a malware ServHelper. Both x86 and x64 versions can be created, depending on the OS bit depth (there are no fundamental differences between the two). Both are written in Delphi; one is packaged in UPX 3.95 (x64) and the other in PeCompact 2.20 (x86). The distribution and operation of this backdoor have already been analyzed by researchers at Proofpoint and Trend Micro. Our particular case does not differ significantly in its capabilities from previously investigated instances. In particular, it is worth noting that the algorithm for decrypting the strings has not changed (a Vigenère cipher is used):

Interestingly, not all strings are encrypted. For instance, domains and web links are left in their unencrypted format:

Following one of these links (hxxp://letitbe.icu/2.txt) triggers the download of an encrypted file (MD5: 0528104f496dd13438dd764e747d0778). It is worth nothing that the byte value 0x09 is repeated frequently at the end of this file:

Duplicate bytes are frequently a sign of encryption using a single-byte XOR. In this case, the code confirms this hypothesis:

After decryption we get a ZIP archive with the following contents:

All these files are legitimate software for PC remote control using NetSupport Manager — a product which has been repeatedly exploited by hackers.

One of the files (client32.ini) is a configuration file specifying the address of the intermediary gateway through which the victim's PC connects with attackers:

This option makes sense if the victim is behind a firewall and their internet access is restricted by ports. At least two ports—80 (HTTP) and 443 (HTTPS)—must be accessible for the internet to work properly. Thus, this technique increases the chance of a successful connection.

In September 2019 we found several more, similar instances of ServHelper, albeit with significantly limited capabilities. For instance, take this case (MD5: 5b79a0c06aec6126364ce1d5cbfedf66), in which a similar pattern of repeating bytes was found among the encrypted data of an executable PE file:

Once again, we have a ZIP archive that has been XOR-encrypted using a single byte. It contains the same NetSupport Manager components as in our previous example, albeit with a different intermediary gateway: 179[.]43.146.90:443.

Conclusions

This article has examined how the TA505 group utilizes ServHelper to distribute and implement backdoor malware. The main component of the malware is proceeded by interesting features—UAC is bypassed and privileges are raised. However, even more interestingly, the malware's main backdoor contains compelling variations. Its basic functionality (data theft, spying, and execution of commands) is supplemented with another tool that is embedded for remote management of the victim's PC—namely, NetSupport RAT. What is more, newer versions of ServHelper no longer contain all the key features of a full-fledged backdoor. Rather, they serve the restricted roll of an intermediary dropper with the sole aim of installing NetSupport RAT. It is likely that the attackers find this approach more efficient to develop and more difficult to detect. This is not the last of the group's tools and techniques to provide fodder for our investigation. The next installment will be forthcoming.

Author: Alexey Vishnyakov, Positive Technologies

IOCs

hxxp://185.225.17.175/wrkn157.exe — link with which NSIS dropper was downloaded
d2a062ca772fa3ace7c7edadbd95eaf7 — NSIS dropper
0cacea3329f35e88a4f9619190e3746f — PowerShell dropper shipkat.ps1
fb609b00e29689db74c853ca7d69f440 — CRYPTBASE.dll (x86)
843288a35906aa90b2d1cc6179588a26 — CRYPTBASE.dll (x64)
445cd6df302610bb640baf2d06438704 — hlp11.dat (x86)
083f66cc0e0f626bbcc36c7f143561bd — hlp11.dat (x64)
40bae264ea08b0fa115829c5d74bf3c1 — hlp12.dat (x86)
ac72ab230608f2dca1da1140e70c92ad — hlp12.dat (x64)
07f1dc2a9af208e88cb8d5140b54e35e — hlp13.dat
1690e3004f712c75a2c9ff6bcde49461 — rdpclip.exe
dc39d23e4c0e681fad7a3e1342a2843c — rfxvmt.dll
ServHelper C2:
179[.]43.156.32
185[.]163.45.124
185[.]163.45.175
185[.]225.17.150
185[.]225.17.169
185[.]225.17.175
185[.]225.17.98
195[.]123.221.66
195[.]123.246.192
37[.]252.8.63
94[.]158.245.123
94[.]158.245.154
94[.]158.245.232
fdguyt5ggs[.]pw
foxlnklnk[.]xyz
gidjshrvz[.]xyz
letitbe[.]icu
pofasfafha[.]xyz
0528104f496dd13438dd764e747d0778 — encrypted ZIP archive with NetSupport RAT
NetSupport Manager components:
953896600dfb86750506706f1599d415 — cksini.exe
8d9709ff7d9c83bd376e01912c734f0a — client32.exe
2d3b207c8a48148296156e5725426c7f — HTCTL32.DLL
0e37fbfa79d349d672456923ec5fbbe3 — msvcr100.dll
26e28c01461f7e65c402bdf09923d435 — nskbfltr.inf
88b1dab8f4fd1ae879685995c90bd902 — NSM.ini
7067af414215ee4c50bfcd3ea43c84f0 — NSM.LIC
dcde2248d19c778a41aa165866dd52d0 — pcicapi.dll
a0b9388c5f18e27266a31f8c5765b263 — PCICHEK.DLL
00587238d16012152c2e951a087f2cc9 — PCICL32.DLL
2a77875b08d4d2bb7b654db33a88f16c — remcmdstub.exe
eab603d12705752e3d268d86dff74ed4 — TCCTL32.DLL
185[.]225.17.66:443 — NetSupport RAT GatewayAddress
5b79a0c06aec6126364ce1d5cbfedf66 — ServHelper with NetSupport RAT archive
179[.]43.146.90:443 — NetSupport RAT GatewayAddress