Group TA505 has been active for at least seven years, making wide-ranging connections with other threat actors involved in ransomware, credit card theft and data exfiltration. One of the common tools in TA505's arsenal is ServHelper. In mid-June, Cisco Talos detected an increase in ServHelper's activity. We investigated the activity and discovered a set of intertwined malware families and TTPs.
We found that ServHelper is being installed onto the targeted systems through several different mechanisms, ranging from fake installers for popular software to other malware families, such as Raccoon and Amadey, acting as installation proxies.