ServHelper – Hidden Miner Through Virtualization
First spotted in late 2018, ServHelper is a backdoor that has been used by the hacking group ‘TA505’ in targeting financial and retail sectors. Through this backdoor, the group has been able to install and deploy other malwares such as Information Stealers, such as Predator Stealer, and Remote Access Trojans (RAT) such as FlawedArmy and NetSupport. In January of 2020, members of G DATA Security Lab’s Virus-Analyst Team found a new variant of the ServHelper backdoor that is readily capable of installing a CryptoMiner bundled with it. The miner itself, LoudMiner, is a persistent cryptocurrency miner that utilizes virtualization software – QEMU on macOS and VirtualBox on Windows – in order to remain hidden on the compromised system.
This new variant of ServHelper is compiled and delivered as an NSIS installer (Nullsoft Scriptable Install System) that is typically delivered to a target system as an attachment to a spoofed email, which is crafted using typical phishing techniques in order to lure the user into opening the attachment. The attachment itself serves as a loader for the installers that will be dropped and loaded.
Upon execution, the loader will check if it is running on a virtualized environment. This is standard behavior for more recent malware to avoid being loaded into an environment that is being monitored for research purposes or as a way of deconstructing the malware. It accomplishes this by checking for the existence of a file, C:\aaa_TouchMeNot_.txt, which is a legitimate test file of Windows Defender that is present on the system if it is installed on a virtualized environment. If this file is present, the malware installation will cease.
A PowerShell script is then executed, named upgrade.ps1, which is contained on the NSIS installer’s temporary directory, $temp. This PowerShell script will then decrypt and invoke the main installer of ServHelper; this PowerShell command was encrypted with a combination of Base64 encoding and Triple DES Algorithm, which provides added security from and prevents a user from viewing the shell commands in plaintext. This technique of increasing the difficulty in manually decrypting the shell has also been seen in other PowerShell exploits such as PowerSploit. After decryption has finished, the loader will then execute a command that calls the main installer for ServHelper and the CryptoMiner it has been bundled with.
After the initial checks by the loader, it will then conduct a set of verifications that will determine if the target system can handle a full installation. It does so through the following steps:
- It checks if the running instance has Administrator Privileges
- It does so by checking the WindowsIdentity Class and look for the SID “S-1-5-32-544,” an ID that indicates if the user has Administrator Privileges.
- If the running instance of PowerShell does not have Administrator Privileges, the installer will try privilege escalation by using DLL hijacking using Fubuki from the UACME project.
- It will check if the Read-Only Memory (ROM) size is more than 2MB in SMBIOS (System Management BIOS)
- Seeing as there is no ROM in a virtualized environment when SMBIOS, this serves as another anti-virtualization technique.
If both checks are completed successfully, the PowerShell instance will install ServHelper and its components. During this installation, it will prepare its installation directory, C:\Program Files\windows mail\, by adding it on the target scan exclusion of Windows Defender using Add-MpPreference-ExclusionPath, thus enabling it to evade the scans of Windows Defender. It then prepares the payload to be dropped by decrypting it using Base64 decoding and GZip decompression and saves them to each of its designated directories.
These files and directories are:
- RPD Wrapper Library
- C:\Program Files\windows mail\appcache.xml
- ServHelper.dll
- C:\Program Files\windows mail\default_list.xml
- Config of the RDP Wrapper
- C:\Program Files\windows mail\cleanuptask.cfg
- rdpclip.exe
- C:\Windows\system32\rdpclip.exe
- Rfxvmt.dll
- C:\Windows\system32\rfxvmt.dll
Following the decryption and dropping of all its components, it will add the installed RDP Wrapper Library “appcache.xml” as TermService’s Service DLL as its main target to be executed. This modified RDP Wrapper Library will then load the ServHelper DLL. TermService is natively presented and related to RDP and allows multiple users to be connected to a machine as well as the display of desktops and applications to remote computers. This is all done in order to ensure that ServHelper is run every time the service is started and allows it to maintain persistence. If all the previous actions have been successful, then ServHelper’s Backdoor Component has been successfully installed and allows the threat actors to have backdoor access to the infected system, capable of sending commands and receiving information.
Previous versions of ServHelper will end once the service of the backdoor is installed and deployed. In this newly discovered variant, however, continues to deploy an additional attack, a CryptoMiner named ‘LoudMiner,’ the term ‘Loud’ being used due to its intensive use of an infected machine’s resources. This variant uses virtualization tools such as VirtualBox in order to do its mining. Although this technique is known to require a lot of resources, it is a particularly stealthy approach and does end up evading a lot of antivirus solutions since it is running on a virtualized layer.
As the installation of the CryptoMiner begins, it first checks if the infected system is capable of spawning a virtualized environment. If it is, the installer will then download VirtualBox from its official source and will download its other components (including two VirtualBox images to be used depending on physical memory of the infected system) from a malicious domain, hxxp://almagel[.]icu/mon[.]zip, which is known for hosting other components to ServHelper’s previous versions. It will then use ‘nssm.exe,’ Non-Sucking Service Manager, to install and run VirtualBox as a service. nssm.exe is a free utility tool that helps to manage both background and foreground services and provides the installer with a legitimate way of creating an instance of VirtualBox, allowing for another layer of stealth. Upon loading the VirtualBox image, it is configured to automatically connect to its server and run the CryptoMiner.
Analyzing the CryptoMiner used, we find that it uses XMrig Miner as its CryptoMiner, which is an open-source, CPU-based CryptoMiner that was first seen in May of 2017. Mainly used for mining the Monero Cryptocurrency, it is a suitable CryptoMiner to exploit because of its open-source nature and the fact that it utilizes CPU that should be readily available to all potential targets. At this stage, the installation of the CryptoMining component is complete and it can hide inside a virtualized environment, vastly improving its chances of evasion and stealth.
Backdoor malware poses a substantial threat to any organization and is a critical component of most persistent attacks due to its capability to carry out further damage on the infected system. When coupled with a CryptoMiner, this allows the attacker to deliver both an active and a passive means of exploitation. It enables them to gain an immediate passive benefit for each successful infection through CryptoMining, while still having the flexibility and foothold of an active control through the backdoor component. Any organization’s first line of defense against this new threat is to focus on preventing the initial downloading and execution of the malware through a robust and well-practiced anti-social engineering training program for its employees. Next, it is also vital that the organization use a reliable security solution that covers multiple layers of protection, ranging from e-mail protections, network security, and an endpoint solution that is capable of protecting the organization from this kind of threats.
Sources:
IOC’s:
- Binaries – SHA256
- C0F5375DD4530C7554212E7C8D85EBE41370BE49E1AA40D381F2E34CBF319134 (NSIS Loader; detection: Gen:Variant.Strictor.239587)
- A7ECF925427FA07C40FF335E57EE04DCB028A97B4C5A8429CC7ED101CB30B1D0 (upgrade.ps1; detection: PowerShell.Trojan.Agent.AQX)
- 26E2794167F5A4F5A1C7E708823B77FD6500290DF4DA225181D55F030B0043EB (default_list.xml/ServHelper; detection: Gen:Variant.Ursu.750288)
- 85A8867844CC43840DB2ADB62153722A994EFEECC0F066A3E0211CAD69D1AA77 (appcache.xml; detection: Gen:Variant.Ursu.750421)
- URLs
- hxxp://rotoscoping[.]xyz[:]3389
- hxxp://losos[.]cn[:]7201
- hxxp://romashka[.]cn/guga[.]txt
- hxxp://safuuf7774[.]pw/iplog/vmt[.]php?hst=vmt_installed_$env:computername
- hxxp://almagel.icu/cp.exe
- hxxp://almagel.icu/ssh.zip
- hxxp://asggh554tgahhr.pw
- hxxp://nsggh554tgahhr.pw
- hxxp://sggh554tgahhr.pw
- hxxp://dfsgu747hugr.pw
- hxxp://esggh554tgahhr.pw
- hxxp://hsggh554tgahhr.pw
- hxxp://kuarela.xyz/1.txt
- hxxps://sgahugu4ijgji.xyz/list/b.php
- hxxp://asggh554tgahhr.pw/list/b.php
- hxxp://gabardina.xyz/log.txt