An Updated ServHelper Tunnel Variant
ID: 6ea3d15c-3e9d-540d-b1dc-42b46ee8716a
STIX ID: report--6ea3d15c-3e9d-540d-b1dc-42b46ee8716a
Feed Name: Binary Defense Blog
Binary Defense researchers analyzed a new ServHelper variant deployed by TA505: a multi-stage NSIS-packed PowerShell installer that deploys 32/64-bit ServHelper binaries, modified RDPWrap, and uacme-based UAC bypass DLLs to escalate privileges, change RDP configuration, and establish persistence. The backdoor tunnels RDP over an OpenSSH reverse tunnel to attacker-controlled servers, implements anti-sandbox checks, supports browser credential theft and keylogging, communicates with C2 over (base64+XOR)-encoded HTTP(S) using Let’s Encrypt certs, and includes numerous commands and IoCs for detection and response.