Customised software panel used by Evil Corp to launch a backdoor

September 15, 2022
Tags: Customised Software Panel, Evil Corp, Malware, Backdoor, TeslaGun, Online Banking, US

Cybersecurity researchers have observed that Evil Corp uses its custom-made software panel, TeslaGun, to deploy a backdoor dubbed ServHelper. This financially motivated threat group, also known as TA505, is notorious for altering its malware for every attack.

These attackers constantly modify their strategies and adopt new technologies to keep their campaigns fresh and avoid threat analysis. They have launched massive phishing campaigns that have targeted nearly 10,000 individuals since July 2020.

The threat group is still actively targeting retail users and online banking, such as e-commerce accounts and cryptocurrency wallets. Most of its victims are in the United States, followed by Russia, Brazil, Romania, and the United Kingdom.

Analysts explained that, once downloaded, the ServHelper backdoor creates reverse SSH tunnels that give the threat actors access to the infected system via RDP.
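A defender-side way to look for the pattern described above (an implant opening an outbound SSH tunnel, followed by an RDP session arriving on the local loopback interface through that tunnel) is to correlate the two events on the same host. The following detection sketch is an added example and is not TeslaGun, ServHelper, or code from the researchers cited here. It assumes endpoint telemetry normalised into simple dict records (a network-connect event with process image and destination port, and a logon event with logon type and source IP); the field names, the correlation window, the allowlist of expected SSH clients, and all sample records are constructed for illustration.

```python
"""Correlate outbound SSH connections with loopback RDP logons on the same host.

Added example for the article above; not ServHelper or TeslaGun code.
Assumption: telemetry records are dicts with the fields used below.
"""
from dataclasses import dataclass

SSH_PORT = 22
RDP_LOGON_TYPE = 10            # RemoteInteractive (RDP) logon type in Windows 4624 events
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}
CORRELATION_WINDOW_SEC = 600   # assumed: RDP logon within 10 minutes of the SSH connect
# Assumed allowlist: process images that legitimately open SSH sessions here.
EXPECTED_SSH_CLIENTS = {"ssh.exe"}


@dataclass
class Alert:
    host: str
    ssh_pid: int
    ssh_image: str
    ssh_ts: int
    rdp_ts: int
    rdp_user: str

    def severity(self) -> str:
        # An unexpected process opening SSH right before a loopback RDP logon is
        # the strongest signal; an allowlisted client still deserves a look.
        if self.ssh_image.lower() not in EXPECTED_SSH_CLIENTS:
            return "high"
        return "medium"


def outbound_ssh_events(records):
    """Network-connect events to TCP/22, regardless of which process made them."""
    return [r for r in records
            if r["event"] == "net_connect" and r["dst_port"] == SSH_PORT]


def loopback_rdp_logons(records):
    """RDP logons whose source address is the local loopback.

    Port-forwarded RDP terminates on 127.0.0.1/::1, which is unusual for
    interactive users who normally connect from a LAN or VPN address."""
    return [r for r in records
            if r["event"] == "logon"
            and r["logon_type"] == RDP_LOGON_TYPE
            and r["src_ip"] in LOOPBACK_ADDRS]


def detect_tunnelled_rdp(records):
    """Return one Alert per (outbound SSH, later loopback RDP logon) pair on a host."""
    ssh_by_host = {}
    for r in outbound_ssh_events(records):
        ssh_by_host.setdefault(r["host"], []).append(r)

    alerts = []
    for logon in loopback_rdp_logons(records):
        for ssh in ssh_by_host.get(logon["host"], []):
            delta = logon["ts"] - ssh["ts"]
            if 0 <= delta <= CORRELATION_WINDOW_SEC:
                alerts.append(Alert(host=logon["host"], ssh_pid=ssh["pid"],
                                    ssh_image=ssh["image"], ssh_ts=ssh["ts"],
                                    rdp_ts=logon["ts"], rdp_user=logon["user"]))
    return alerts


# Constructed sample telemetry (timestamps are seconds, not real events).
SAMPLE_TELEMETRY = [
    # WS01: an unknown binary opens SSH, then an RDP logon arrives via loopback.
    {"event": "net_connect", "host": "WS01", "ts": 1000, "pid": 4212,
     "image": "updatesvc.exe", "dst_port": 22},
    {"event": "logon", "host": "WS01", "ts": 1300, "logon_type": 10,
     "src_ip": "127.0.0.1", "user": "jdoe"},
    # WS02: a real ssh.exe session and a normal RDP logon from the LAN.
    {"event": "net_connect", "host": "WS02", "ts": 2000, "pid": 880,
     "image": "ssh.exe", "dst_port": 22},
    {"event": "logon", "host": "WS02", "ts": 2100, "logon_type": 10,
     "src_ip": "10.0.0.5", "user": "asmith"},
    # WS03: a loopback RDP logon with no preceding SSH connection.
    {"event": "logon", "host": "WS03", "ts": 3000, "logon_type": 10,
     "src_ip": "::1", "user": "svc_build"},
]


if __name__ == "__main__":
    for a in detect_tunnelled_rdp(SAMPLE_TELEMETRY):
        print(f"[{a.severity()}] {a.host}: pid {a.ssh_pid} ({a.ssh_image}) opened SSH at "
              f"{a.ssh_ts}; loopback RDP logon as {a.rdp_user} at {a.rdp_ts}")
```

Run as a script, the sample produces a single high-severity alert for WS01; the WS02 SSH session is never paired with a loopback logon, and WS03's loopback logon has no SSH connection in the window. In a real deployment the loopback RDP logon on its own (WS03) is still worth a lower-severity signal, since the tunnel end may have been created before logging started.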


TA505 uses the custom software panel TeslaGun to control the ServHelper backdoor; the panel works as a command-and-control framework for managing the compromised devices.


It also allows the hackers to issue a single command to infected devices, or to configure the panel so that a predefined instruction runs automatically as soon as a new victim is added.

The panel has a minimalist design: its main dashboard shows only infected victim data, a comment section for victims, and options for filtering victim records.

Aside from the panel, Evil Corp operators are also known to use a remote desktop protocol tool to access the infected systems through the RDP tunnels.

Researchers have tracked the ServHelper backdoor for the past three years. The malware has stood the test of time by evading analysis and countermeasures from experts. Its success can be attributed to its ever-changing features and its resistance to organisations' security controls.

Authorities have also released an advisory regarding the group's potential campaigns against the health sector. The threat group could therefore continue using different strategies to disrupt organisations significantly in the near future.
