{
	"id": "26db01d5-1a35-496b-8ef1-8f4d983204e6",
	"created_at": "2026-04-06T00:08:44.497558Z",
	"updated_at": "2026-04-10T03:36:37.000801Z",
	"deleted_at": null,
	"sha1_hash": "ca5d089e679cc9617e4cb7464637c659b95d5fb9",
	"title": "New ServHelper Variant Employs Excel 4.0 Macro to drop Singed Payload",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 241296,
	"plain_text": "New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload\r\nBy Shaul Vilkomir-Preisman, Threat Intelligence Researcher\r\nPublished: 2019-04-02 · Archived: 2026-04-05 17:27:05 UTC\r\nServHelper is a recently discovered backdoor associated with TA505, a veteran threat group that has also been associated with the infamous Dridex banking malware, the GlobeImposter ransomware, and other high-profile malware campaigns.\r\nThe Deep Instinct Threat Research unit has recently discovered a new variant of ServHelper that employs an Excel 4.0 macro dropper, a legacy mechanism still supported by Microsoft Office, together with an executable payload signed with a valid digital signature.\r\nSince this vector came to light it has gained some traction, although it is still not widespread and is used by only a handful of threat actors.\r\nAttack Flow\r\nOnce the malicious Excel sheet is opened, the Excel 4.0 macro is executed and msiexec.exe is called in order to download and execute the payload.\r\nFigure: Excel 4.0 macro snippet; msiexec.exe is called to download and execute the payload (cropped from oledump.py).\r\nServHelper’s payload, an NSIS installer signed with a valid digital signature (further details on the certificate ahead), is downloaded by msiexec.exe to its temporary folder (C:\\Windows\\Installer\\MSI[4-character-string].tmp) and executed.\r\nOnce the dropped payload is executed, it drops a DLL file contained in the installer to %TEMP%\\xmlparse.dll and uses rundll32.exe to call the DLL’s exported function “sega”.\r\nFigure: xmlparse.dll’s exported functions; functions 1-3 are Delphi compiler artifacts, function 4 is not currently used.\r\nhttps://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/\r\nPage 1 of 6\r\nThe malware then writes a base64-encoded PowerShell script (contained in xmlparse.dll as a resource) to %TEMP%\\enu1.ps1 and executes it. The script, intended for reconnaissance purposes, checks whether the machine is part of a domain and whether the user has Admin privileges or is a member of the Admin group.\r\nFigure: Decoded reconnaissance PowerShell script.\r\nThis information is then reported back to ServHelper’s Command & Control server, and if the user is part of a domain, the Command & Control server will also instruct the malware to gather a list of other users in the domain.\r\nFigure: Command & Control server response with a command to gather a list of users in the domain.\r\nServHelper can receive several types of commands from its Command & Control server, including:\r\nshell – execute a shell (cmd.exe) command and return its output\r\nloaddll – download a DLL file and load it using rundll32.exe\r\npersist – write an auto-run registry entry at HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ as “Intel Protect”; returns “persistence established” if successful\r\nslp – enter sleep mode\r\nselfkill – remove the malware from the infected machine\r\nFigure: Diagram showing the ServHelper attack flow.\r\nSigned Payload and Core\r\nBoth the NSIS installer payload and ServHelper’s core DLL are, at the time of writing, signed using a valid signature.\r\nFigure: ServHelper signed using a valid signature.\r\nThe certificate used to sign the malware was issued to “MASLAK LTD” of Uxbridge, Great Britain.\r\nWhile this appears to be a legitimately registered company, further investigation is required to determine the validity of the certificates, whether they have been compromised, and whether MASLAK is a shell company.\r\nOur analysis of “MASLAK LTD” certificates reveals another MASLAK LTD certificate that was previously used to digitally sign malware, although it has since been revoked (certificate details are provided in the IOCs section).\r\nConclusion\r\nTA505 is a highly advanced global threat actor. It employs a vast array of sophisticated, constantly developed malware for different purposes, exploiting the most recently discovered and publicized weak points.\r\nThis approach pays off for TA505. The evasive and legitimizing factors described above, whereby a dropper employs a lesser-known and poorly detected old-school technique combined with a validly signed payload and malware core, all contribute to its evasiveness. When this variant first appeared on VirusTotal it was almost completely undetected. Below are links to each component’s initial detections at time of upload:\r\nDropper\r\nhttps://www.virustotal.com/gui/file/63522e00181e6b8d9ae8bfd51f7df8f8ebd0f42323e22047269df9c7a71c9b6d/detection/f-63522e00181e6b8d9ae8bfd51f7df8f8ebd0f42323e22047269df9c7a71c9b6d-1553181861\r\nNSIS Payload\r\nhttps://www.virustotal.com/gui/file/e0323064f2561ae02f9efae418aeaf433b3fe0e6e3a640a9c46ec404d4563de1/detection/f-e0323064f2561ae02f9efae418aeaf433b3fe0e6e3a640a9c46ec404d4563de1-1553164241\r\nDLL Core\r\nhttps://www.virustotal.com/gui/file/bee3b2710f7e874ce05e6b8b45cc20e021b9c00ee337238598e71e7315128333/detection/f-bee3b2710f7e874ce05e6b8b45cc20e021b9c00ee337238598e71e7315128333-1553164241\r\nDeep Instinct Threat Research contacted DigiCert (which operates the Thawte CA) and was notified that an investigation into the malicious certificate has been initiated.\r\nDeep Instinct’s customers are fully protected against ServHelper’s activity by D-Brain, Deep Instinct’s deep learning security solution.\r\nUpdate (4/4/19):\r\nFollowing the conclusion of our initial analysis of the described ServHelper variant, Deep Instinct has noticed an uptick in ServHelper’s activity, with new droppers and infection URLs appearing in the wild, a new mildly modified payload and core signed with the same certificate, and an additional Command & Control domain (new indicators have been added to the IOC section).\r\nDeep Instinct has been notified by DigiCert that, following Deep Instinct’s report, the certificate used in this ServHelper campaign has been revoked.\r\nIOCs:\r\n“MASLAK LTD” Certificates:\r\nValid\r\nThumbprint (SHA1): 557B9ADADAEF142B7C38AE04F6C1A9FC8E4251C1\r\nSerial Number: 68DE1F7207D5EDD81E4B62093139340A\r\nRevoked\r\nThumbprint (SHA1): B4CDC78A2FCBE0A70A120D7449F956C7B7507E97\r\nSerial Number: 3803B0D45F38CEA186D588606C34B63A\r\nSource: https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/"
	],
	"report_names": [
		"new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434124,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca5d089e679cc9617e4cb7464637c659b95d5fb9.pdf",
		"text": "https://archive.orkl.eu/ca5d089e679cc9617e4cb7464637c659b95d5fb9.txt",
		"img": "https://archive.orkl.eu/ca5d089e679cc9617e4cb7464637c659b95d5fb9.jpg"
	}
}