An Overview of TA505’s ServHelper Malware Control Panel

Researchers have detailed the web-based control panel that the financially motivated threat group TA505 uses to manage its ServHelper backdoor.
TA505 has targeted the financial sector since 2014 with high-volume phishing campaigns, historically relying on tools such as the Dridex banking trojan and Locky ransomware. Beginning in 2019, the group started deploying a backdoor called ServHelper to take over victims' machines and accounts and run a range of surveillance commands, including logging keystrokes and stealing sensitive data. Researchers from the Prodaft Threat Intelligence (PTI) team said that additional details about the command-and-control (C2) infrastructure behind ServHelper, which they call TeslaGun (the name displayed at the top of the control panels), will help security professionals better understand how the group operates and how it distributes its malware.
“It is evident that TA505 is actively seeking online banking and shopping accounts, particularly from victims in the United States, but also from Russia, Romania, Brazil, and the United Kingdom,” according to Prodaft researchers in a Tuesday report. “The threat group will also attack victims outside of its primary scope, marking RDP connections for possible resale to other cybercriminals. In the end, anyone could be a victim of TA505.”
Some aspects of the panel indicate a “surprisingly disorganized” internal structure. The TeslaGun panels do not provide individual victim detail pages, for example, and instead display victim data in a series of columns. The pages are also not exclusively organized by campaign or release, making them harder to navigate, the researchers said. At the same time, however, the control panel demonstrates TA505’s sophistication in how it distributes its attacks, showing how the threat group is “very proactive” in updating its malware and has the ability to run multiple malware campaigns at the same time.
The panel gives the attackers a dashboard for viewing victim records and filtering them, and also lets them send a command to many victims at once or configure a default command that runs automatically whenever a newly infected device registers with the panel. A detailed review of TeslaGun showed that TA505 actively hunts for banking and online-shopping credentials, including cryptocurrency wallets and e-commerce accounts. The United States accounted for the largest share of recorded victims, 3,557 of the 8,160 entries found in the panel (as of July 2020).
For each victim the panel records the IP address and the country, state and city, along with the first and last check-in time and the ServHelper commands issued (the command set itself was previously documented by Cisco Talos researchers). It also flags victims with a slow connection, a warning that the operators may lose reliable communication with that ServHelper instance. The operators additionally tag victims that have a usable RDP connection. Researchers had already noted that TA505 uses RDP to interact directly with victims' machines; the panel reveals that the group also sets these connections aside for possible resale to other cybercriminals. That matters because it shows how deeply TA505 is embedded in the wider cybercrime economy, the researchers said.
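The RDP access that TeslaGun tags for reuse or resale leaves traces on the victim host: Remote Desktop being switched on, a new local account, a membership change in the Remote Desktop Users or Administrators group, and remote-interactive logons from unfamiliar accounts. The script below is an added example written for this page, not code from the Prodaft report or from TA505's tooling. It hunts for those traces using standard Windows event IDs (4720, 4732, 4624) and the Terminal Server registry value; the seven-day lookback and the list of expected RDP accounts are assumptions to be tuned per environment.

```powershell
# Added example (not from the Prodaft report): hunt for a host whose RDP access
# has been quietly enabled or handed to a new account, the kind of foothold that
# ServHelper operators tag in their panel for their own use or for resale.
# Run in an elevated PowerShell on the host under review.
param(
    [int]$LookbackDays = 7,                       # assumption: one week of history
    [string[]]$ExpectedRdpAccounts = @()          # assumption: e.g. 'CORP\helpdesk'
)

$since    = (Get-Date).AddDays(-$LookbackDays)
$findings = New-Object System.Collections.Generic.List[string]

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 0 means it is on.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings.Add('Remote Desktop is enabled on this host')
}

# 2. Who can currently log on over RDP? Any unexpected member is worth a look.
try {
    Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction Stop | ForEach-Object {
        if ($_.Name -notin $ExpectedRdpAccounts) {
            $findings.Add("Unexpected member of Remote Desktop Users: $($_.Name)")
        }
    }
} catch {
    $findings.Add("Could not enumerate Remote Desktop Users: $($_.Exception.Message)")
}

# 3. Security-log evidence inside the lookback window:
#    4720 = local account created, 4732 = member added to a local group,
#    4624 with LogonType 10 = RemoteInteractive (RDP) logon.
$filter = @{ LogName = 'Security'; Id = 4720, 4732, 4624; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the EventData name/value pairs out of the record's XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $when = $e.TimeCreated

    switch ($e.Id) {
        4720 {
            $findings.Add("Local account '$($data.TargetUserName)' created by '$($data.SubjectUserName)' at $when")
        }
        4732 {
            # For 4732, TargetUserName is the group that gained a member.
            if ($data.TargetUserName -in 'Remote Desktop Users', 'Administrators') {
                $findings.Add("SID $($data.MemberSid) added to '$($data.TargetUserName)' by '$($data.SubjectUserName)' at $when")
            }
        }
        4624 {
            if ($data.LogonType -eq '10') {
                $acct = "$($data.TargetDomainName)\$($data.TargetUserName)"
                if ($acct -notin $ExpectedRdpAccounts) {
                    $findings.Add("RDP logon by unexpected account $acct from $($data.IpAddress) at $when")
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No RDP-related findings in the last $LookbackDays day(s)."
} else {
    Write-Output "RDP-related findings in the last $LookbackDays day(s):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A clean host with Remote Desktop legitimately enabled will still report the first finding, so pass the accounts that are supposed to use RDP in `-ExpectedRdpAccounts` and treat everything else, especially a 4720 followed shortly by a 4732 into Remote Desktop Users, as a lead to triage rather than a verdict.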
“The panel’s filtering options offer a lot of insight into TA505’s workflow and trading strategy,” the researchers said. “Vendre and Vendre 2 groups have been set up for certain victims. These victims’ RDP connections have been temporarily disabled through the panel.”
For businesses, the researchers said proactive detection strategies “are critical to overcoming fast-evolving threats such as TA505 backdoor attack campaigns.”
“Broadly defined prevention-based security can help mitigate some of the most obvious threats, but the reality of today’s mature and organized cybercrime industry requires a new strategy,” the researchers said. “Business leaders and cybersecurity decision makers must actively research new trends in cybercrime and implement solutions to remediate new vulnerabilities in their networks.”