{
	"id": "f455981c-4887-419b-8144-9a99bbc3deb4",
	"created_at": "2026-04-06T01:30:55.79661Z",
	"updated_at": "2026-04-10T03:36:37.033803Z",
	"deleted_at": null,
	"sha1_hash": "b1df62db34fd2edb7af04d1d339f86c745a6ea48",
	"title": "Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1677278,
	"plain_text": "Operation TA505: investigating the ServHelper backdoor with\r\nNetSupport RAT. Part 2\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-06 00:46:08 UTC\r\nAt the end of July 2019, we encountered an interesting piece of malware distributed by the TA505 group, and on\r\nJuly 22, 2019 uploaded it into ANY.RUN to put it through a dynamic analysis. Viewing the results, two anomalies\r\nattracted our attention—in addition to the tags usually displayed for TA505 ServHelper, the \"netsupport\" tag also\r\nappeared; additionally, the NetSupport RAT was listed among network signature events.\r\nMalware download date and tags displayed in the ANY.RUN online analyzer\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/\r\nPage 1 of 11\n\nNetSupport RAT network signature event in the ANY.RUN sandbox\r\nThis might seem strange at first glance, since the ServHelper backdoor already provides attackers with a\r\nsignificant amount of control over their victims' computers. To get a better understanding of what's going on, let's\r\ntake a closer look at how the malware functions.\r\nNSIS and PowerShell droppers\r\nThe executable PE file that begins our analysis is an installer on the Nullsoft Scriptable Install System (NSIS)\r\nplatform. This NSIS script, which is responsible for installation, extracts and runs a nested PowerShell script:\r\nNSIS script instructions\r\nThe PowerShell script that is run contains a Base64-encoded buffer (truncated in the image below for clarity),\r\nwhich, after decoding, is decrypted by the Triple DES (3DES) algorithm in CBC mode:\r\nData decryption in the PowerShell script\r\nThe first segment of the script defines a function called heller, which raises system privileges and allows UAC\r\ndefenses to be bypassed. 
Two techniques are implemented to this end:\r\nTechnique 1 — using the SilentCleanup task in the Task Scheduler:\r\nSilentCleanup can be launched by the user, in which case it runs with elevated privileges. The path to the\r\nexecutable file is specified in its properties using the %windir% environment variable, the value of which\r\ncan be redefined—to trigger the launch of a PowerShell script, for instance. In this case, running the task will\r\ncause the PowerShell script to launch with admin privileges, bypassing the UAC.\r\nThis technique is used by hackers to target Windows 8 and Windows 10 systems.\r\nThe code behind this technique is identical to the module implementation for the Metasploit framework.\r\nScript containing the SilentCleanup workaround\r\nTechnique 2 — using the sysprep.exe system utility and DLL side-loading:\r\nFirst, a helper script is created to relaunch the PowerShell script in the directory C:\\Windows\\Temp. Then a\r\nCAB archive is created containing an auxiliary DLL, CRYPTBASE.dll (the PowerShell script contains\r\nboth x86 and x64 versions of the library). This archive is then unpacked into the folder\r\nC:\\Windows\\System32\\Sysprep using the wusa.exe system utility. Next, the sysprep.exe system utility\r\nlaunches, loading the DLL which was previously unpacked, and the DLL proceeds to execute the helper\r\nscript. The outcome is that the PowerShell script is relaunched with administrator privileges,\r\nbypassing the UAC.\r\nHackers use this technique to target Windows 7 systems.\r\n• You can read a detailed description of this technique here, and find samples of its implementation in this\r\nproject on GitHub.\r\nScript containing the sysprep.exe utility workaround\r\nThe script contains a large number of comments, an unused Test-Administrator function, and uninitialized\r\nvariables. 
This indicates that the code was copied directly without concern for conciseness.\r\nOnce the script has been run with the necessary privileges, the second segment is executed. At this stage, the target\r\npayloads are decoded:\r\nThe string is decoded from Base64.\r\nThe data is decompressed using Deflate.\r\nThe string is re-decoded from Base64.\r\nAlgorithm for decoding the payload\r\nAs a result, the following files will be created in the system:\r\n%systemroot%\\help\\hlp11.dat — an x86/x64 version of the RDP Wrapper Library. This is used to expand\r\nthe functionality of the RDP service, including allowing multiple simultaneous connections. It is\r\nimportant to note that the library is modified: once loaded, it decodes the string\r\nc:\\windows\\help\\hlp12.dat with a simple linear XOR, then loads the DLL from the resulting path:\r\nDecryption of the DLL path and DLL loading\r\n%systemroot%\\help\\hlp12.dat—an x86/x64 version of the ServHelper backdoor. 
Discussed in the next\r\nsection.\r\n%systemroot%\\help\\hlp13.dat—a configuration file for the RDP Wrapper Library.\r\n%systemroot%\\system32\\rdpclip.exe—an RDP component allowing the exchange of clipboard data.\r\n%systemroot%\\system32\\rfxvmt.dll—an RDP component for data transfer using RemoteFX.\r\nOnce the payload has been extracted and written, the script configures its components:\r\nThe owner of the rfxvmt.dll component is changed to NT SERVICE\\TrustedInstaller and the new owner is\r\ngranted permissions.\r\nThe port value for RDP connections is changed from 3389 (the standard value) to 720.\r\nThe network service account is added as a local administrator.\r\nhlp11.dat is registered as an RDP service and the RDP service is restarted.\r\nAll temporary files that were created are deleted.\r\nServHelper RAT → Dropper\r\nOne result of the droppers is a DLL called hlp12.dat, which is the ServHelper malware. Both x86 and x64 versions\r\ncan be created, depending on the OS bitness (there are no fundamental differences between the two). Both are\r\nwritten in Delphi; one is packed with UPX 3.95 (x64) and the other with PeCompact 2.20 (x86). The distribution and\r\noperation of this backdoor have already been analyzed by researchers at Proofpoint and Trend Micro. Our\r\nparticular case does not differ significantly in its capabilities from previously investigated instances. In particular,\r\nit is worth noting that the algorithm for decrypting the strings has not changed (a Vigenère cipher is used):\r\nPseudocode for string decoding using a Vigenère cipher\r\nInterestingly, not all strings are encrypted. For instance, domains and web links are left in their unencrypted\r\nformat:\r\nUnencrypted domains and web links\r\nFollowing one of these links (hxxp://letitbe.icu/2.txt) triggers the download of an encrypted file (MD5:\r\n0528104f496dd13438dd764e747d0778). 
It is worth noting that the byte value 0x09 is repeated frequently at the\r\nend of this file:\r\nRepetitions of the byte 0x09 in the downloaded file\r\nLong runs of a single repeated byte are frequently a sign of encryption using a single-byte XOR: a run of identical bytes in the plaintext (such as zero padding) becomes a run of the key byte in the ciphertext. In this case, the code confirms this\r\nhypothesis:\r\nFunction for single-byte XOR encryption\r\nA single-byte value is passed to the XOR function as an argument\r\nAfter decryption we get a ZIP archive with the following contents:\r\nContents of the decrypted ZIP archive\r\nAll these files are legitimate software for PC remote control using NetSupport Manager — a product which has\r\nbeen repeatedly abused by attackers.\r\nNetSupport Manager description\r\nOne of the files (client32.ini) is a configuration file specifying the address of the intermediary gateway through\r\nwhich the victim's PC connects with the attackers:\r\nThe attacker's address in the form of a NetSupport Manager gateway\r\nThis option makes sense if the victim is behind a firewall and their internet access is restricted to certain ports. At least\r\ntwo ports—80 (HTTP) and 443 (HTTPS)—must be accessible for the internet to work properly. Thus, this\r\ntechnique increases the chance of a successful connection.\r\nIn September 2019 we found several more similar instances of ServHelper, albeit with significantly limited\r\ncapabilities. 
For instance, take this case (MD5: 5b79a0c06aec6126364ce1d5cbfedf66), in which a similar pattern\r\nof repeating bytes was found among the encrypted data of an executable PE file:\r\nEncrypted data from ServHelper\r\nOnce again, we have a ZIP archive that has been XOR-encrypted using a single byte. It contains the same\r\nNetSupport Manager components as in our previous example, albeit with a different intermediary gateway:\r\n179[.]43.146.90:443.\r\nConclusions\r\nThis article has examined how the TA505 group uses ServHelper to distribute and deploy backdoor\r\nmalware. The main component of the malware is preceded by interesting features—UAC is bypassed and\r\nprivileges are raised. However, even more interestingly, the malware's main backdoor contains compelling\r\nvariations. Its basic functionality (data theft, spying, and execution of commands) is supplemented with another\r\ntool that is embedded for remote management of the victim's PC—namely, NetSupport RAT. What is more, newer\r\nversions of ServHelper no longer contain all the key features of a full-fledged backdoor. Rather, they serve the\r\nrestricted role of an intermediary dropper with the sole aim of installing NetSupport RAT. It is likely that the\r\nattackers find this approach more efficient to develop and more difficult to detect. This is not the last of the\r\ngroup's tools and techniques to provide fodder for our investigation. 
The next installment will be forthcoming.\r\nAuthor: Alexey Vishnyakov, Positive Technologies\r\nIOCs\r\nhxxp://185.225.17.175/wrkn157.exe — link from which the NSIS dropper was downloaded\r\nd2a062ca772fa3ace7c7edadbd95eaf7 — NSIS dropper\r\n0cacea3329f35e88a4f9619190e3746f — PowerShell dropper shipkat.ps1\r\nfb609b00e29689db74c853ca7d69f440 — CRYPTBASE.dll (x86)\r\n843288a35906aa90b2d1cc6179588a26 — CRYPTBASE.dll (x64)\r\n445cd6df302610bb640baf2d06438704 — hlp11.dat (x86)\r\n083f66cc0e0f626bbcc36c7f143561bd — hlp11.dat (x64)\r\n40bae264ea08b0fa115829c5d74bf3c1 — hlp12.dat (x86)\r\nac72ab230608f2dca1da1140e70c92ad — hlp12.dat (x64)\r\n07f1dc2a9af208e88cb8d5140b54e35e — hlp13.dat\r\n1690e3004f712c75a2c9ff6bcde49461 — rdpclip.exe\r\ndc39d23e4c0e681fad7a3e1342a2843c — rfxvmt.dll\r\nServHelper C2:\r\n179[.]43.156.32\r\n185[.]163.45.124\r\n185[.]163.45.175\r\n185[.]225.17.150\r\n185[.]225.17.169\r\n185[.]225.17.175\r\n185[.]225.17.98\r\n195[.]123.221.66\r\n195[.]123.246.192\r\n37[.]252.8.63\r\n94[.]158.245.123\r\n94[.]158.245.154\r\n94[.]158.245.232\r\nfdguyt5ggs[.]pw\r\nfoxlnklnk[.]xyz\r\ngidjshrvz[.]xyz\r\nletitbe[.]icu\r\npofasfafha[.]xyz\r\n0528104f496dd13438dd764e747d0778 — encrypted ZIP archive with NetSupport RAT\r\nNetSupport Manager components:\r\n953896600dfb86750506706f1599d415 — cksini.exe\r\n8d9709ff7d9c83bd376e01912c734f0a — client32.exe\r\n2d3b207c8a48148296156e5725426c7f — HTCTL32.DLL\r\n0e37fbfa79d349d672456923ec5fbbe3 — msvcr100.dll\r\n26e28c01461f7e65c402bdf09923d435 — nskbfltr.inf\r\n88b1dab8f4fd1ae879685995c90bd902 — NSM.ini\r\n7067af414215ee4c50bfcd3ea43c84f0 — NSM.LIC\r\ndcde2248d19c778a41aa165866dd52d0 — pcicapi.dll\r\na0b9388c5f18e27266a31f8c5765b263 — PCICHEK.DLL\r\n00587238d16012152c2e951a087f2cc9 — 
PCICL32.DLL\r\n2a77875b08d4d2bb7b654db33a88f16c — remcmdstub.exe\r\neab603d12705752e3d268d86dff74ed4 — TCCTL32.DLL\r\n185[.]225.17.66:443 — NetSupport RAT GatewayAddress\r\n5b79a0c06aec6126364ce1d5cbfedf66 — ServHelper with NetSupport RAT archive\r\n179[.]43.146.90:443 — NetSupport RAT GatewayAddress\r\nSource: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/"
	],
	"report_names": [
		"operation-ta505-part2"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439055,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1df62db34fd2edb7af04d1d339f86c745a6ea48.pdf",
		"text": "https://archive.orkl.eu/b1df62db34fd2edb7af04d1d339f86c745a6ea48.txt",
		"img": "https://archive.orkl.eu/b1df62db34fd2edb7af04d1d339f86c745a6ea48.jpg"
	}
}