A newly discovered cyberattack panel dubbed TeslaGun has been discovered, used by Evil Corp to run ServHelper backdoor campaigns.
Data gleaned from an analysis by the Prodraft Threat Intelligence (PTI) team shows the Evil Corp ransomware gang (aka TA505 or UNC2165, along with half a dozen other colorful tracking names) has used TeslaGun to carry out mass phishing campaigns and targeted campaigns against more than 8,000 different organizations and individuals. The majority of targets have been in the US, which accounted for more than 3,600 of the victims, with a scattered international distribution outside of that.
There has been a continued expansion of the ServHelper backdoor malware, a long-running and constantly updated package that’s been kicking around since at least 2019. It began picking up steam once again in the second half of 2021, according to a report from Cisco Talos, spurred by mechanisms like fake installers and associated installer malware like Raccoon and Amadey.
Most recently, threat intelligence from Trellix last month reported that the ServHelper backdoor has recently been found dropping hidden cryptominers on systems.
The PTI report, issued Tuesday, delves into the technical specifics behind TeslaGun, and offers some details and tips that can help enterprises move forward with important countermeasures to some of the prevailing backdoor cyberattack trends today.
Backdoor attacks that circumvent authentication mechanisms and quietly establish persistence on enterprise systems are some of the most disconcerting for cybersecurity defenders. That’s because these attacks are notoriously difficult to detect or prevent with standard security controls.
Backdoor Attackers Diversify Their Attack Assets
PTI researchers said they observed a wide range of different victim profiles and campaigns during their investigations, supporting previous research that showed ServHelper attacks are trawling for victims in a variety of simultaneous campaigns. This is a trademark attack pattern of casting a wide net for opportunistic hits.
“A single instance of the TeslaGun control panel contains multiple campaign records representing different delivery methods and attack data,” the report explained. “Newer versions of the malware encode these different campaigns as campaign IDs.”
But Cyberattackers Will Actively Profile Victims
At the same time, TeslaGun contains plenty of evidence that attackers are profiling victims, taking copious notes at some points, and conducting targeted backdoor attacks.
“The PTI team observed that the main dashboard of the TeslaGun panel includes comments attached to victim records. These records show victim device data such as CPU, GPU, RAM size and internet connection speed,” the report said, explaining this indicates targeting for cryptomining opportunities. “On the other hand, according to victim comments, it is clear that TA505 is actively looking for online banking or retail users, including crypto-wallets and e-commerce accounts.”
The report said that most victims appear to operate in the financial sector but that this targeting is not exclusive.
Resale Is an Important Part of Backdoor Monetization
The way that the control panel’s user options are set up offered researchers a lot of information about the group’s “workflow and commercial strategy,” the report said. For example, some filtering options were labeled “Sell” and “Sell 2” with victims in these groups having remote desktop protocols (RDP) temporarily disabled through the panel.
“This probably means that TA505 can not immediately earn a profit from exploiting those particular victims,” according to the report. “Instead of letting them go, the group has tagged those victim’s RDP connections for the resale to other cybercriminals.”
The PTI report said that based on the researchers’ observations, the group’s internal structure was “surprisingly disorganized” but that its members still “carefully monitor their victims and can demonstrate remarkable patience, especially with high-value victims in the finance sector.”
The analysis further notes that the strength of the group is its agility, which makes it hard to predict activity and detect over time.
Nevertheless, the backdoor attackers aren’t perfect, and this can offer some clues for cybersecurity pros looking to thwart their efforts.
“The group does exhibit some telltale weaknesses, however. While TA505 can maintain hidden connections on victims’ devices for months, its members are often unusually noisy,” the report said. “After installing ServHelper, TA505 threat actors may manually connect to victim devices through RDP tunneling. Security technologies capable of detecting these tunnels may prove vital for catching and mitigating TA505’s backdoor attacks.”
The Russian-linked (and sanctioned) Evil Corp has been one of the most prolific groups of the last five years. According to the US government, the group is the brain trust behind the financial Trojan Dridex and has associations with campaigns using ransomware variants like WastedLocker. It continues to hone a raft of weapons for its arsenal as well; last week, it came to light that it’s associated with Raspberry Robin infections.
PTI uses TA505 to track the threat, and consensus is solid but not universal that TA505 and Evil Corp are the same group. A report last month from the Health Sector Cybersecurity Coordination Center (HC3) said it “does not currently support that conclusion.”