Helminth is a backdoor that arrives either as a VBScript or PowerShell script delivered by a macro in an Excel spreadsheet, or as a standalone Windows executable; it targets Windows. One version consists of VBScript scripts, and another version has used a scheduled task for persistence.

Helminth can download additional files, and the executable version carries modules to log keystrokes and clipboard contents. It establishes persistence by creating a shortcut in the Start Menu folder. It creates folders to store the output of its batch scripts before sending that information to its C2 server, and it has checked the local administrators group. Its config file is encrypted with RC4. For transport, Helminth splits data into chunks of up to 23 bytes and sends them in DNS queries to its C2.
Helminth Malware Capabilities
Helminth's techniques, grouped by the tactic they serve:

- Execution: Helminth is launched by an Excel macro and runs as VBScript or PowerShell; it also uses the Windows command shell (batch scripts) and PowerShell to execute commands, and abuses the Windows Task Scheduler for initial or recurring execution.
- Persistence: Helminth adds itself to the startup folder with a shortcut, or references itself from a Registry Run key, so that it runs at user login; one version has used a scheduled task instead.
- Defense Evasion: Helminth obfuscates its files and configuration (the config file is RC4-encrypted) to hinder discovery and analysis, encodes data with standard encodings, and has relied on code signing certificates (created, acquired or stolen) to sign its payloads so they appear trusted.
- Discovery: Helminth enumerates local groups and permission settings (it has checked the local administrators group), domain-level groups, and running processes, to learn which software is common on systems in the network.
- Collection: the executable version logs keystrokes (to intercept credentials) and clipboard contents; output from its batch scripts is collected automatically and staged in folders on the local system before exfiltration.
- Command and Control: Helminth blends in by using web protocols and DNS as its application-layer transport, conceals traffic with symmetric encryption, and can download additional files and tools from its C2 server.
- Exfiltration: collected data is split into chunks of up to 23 bytes and carried in DNS queries, keeping each packet small enough to avoid size-based network alerts.
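The chunked DNS transport described above (data split into pieces of up to 23 bytes, each carried in a DNS query) is what a network analyst has to find in resolver logs. The following Python is an added example, not code from the page nor from any Helminth sample or report: it shows what such chunking looks like on the wire and a heuristic that picks the pattern out of a query log. Only the 23-byte chunk size and the DNS transport come from the page; the hex encoding of chunks into labels, the sequence label, the domain names, the sample log and the thresholds are assumptions made for this illustration.

```python
"""Added example, not code from the page or from any Helminth sample: what
23-byte chunking over DNS looks like on the wire, and a log heuristic that
flags it. Only the chunk size and the DNS transport come from the page; the
hex encoding of chunks into labels, the sequence label, the domain names and
the thresholds are assumptions made for this illustration."""
import math
from collections import defaultdict

CHUNK = 23                  # page: data is split into chunks of up to 23 bytes
C2_DOMAIN = "c2.example"    # assumed attacker-controlled domain


def chunk_to_queries(data, domain=C2_DOMAIN):
    """Split data into <=23-byte chunks, one query name per chunk.
    Assumed name format: <seq>.<hex chunk>.<domain> (hex keeps labels DNS-safe)."""
    names = []
    for seq in range(math.ceil(len(data) / CHUNK)):
        chunk = data[seq * CHUNK:(seq + 1) * CHUNK]
        names.append(f"{seq}.{chunk.hex()}.{domain}")
    return names


def reassemble(queries):
    """C2-side view of the assumed format: order by sequence label and join."""
    parts = sorted((int(q.split(".")[0]), bytes.fromhex(q.split(".")[1])) for q in queries)
    return b"".join(chunk for _, chunk in parts)


def label_entropy(label):
    """Shannon entropy in bits per character; encoded payload scores higher
    than human-chosen host names such as 'www' or 'mail'."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Crude eTLD+1 (last two labels); enough for the constructed sample."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def flag_dns_exfil(queries, min_unique=8, min_entropy=2.5):
    """Group queries by registered domain and flag domains that look like a
    chunked-exfil channel: many distinct names, each carrying a high-entropy
    label. Returns {domain: stats}. Thresholds are assumptions; tune them."""
    per_domain = defaultdict(set)
    for q in queries:
        per_domain[registered_domain(q)].add(q.lower())
    flagged = {}
    for dom, names in per_domain.items():
        if len(names) < min_unique:
            continue
        # the longest label left of the registered domain is where payload would sit
        data_labels = [max(n.split(".")[:-2], key=len, default="") for n in names]
        entropy = sum(label_entropy(lbl) for lbl in data_labels) / len(data_labels)
        if entropy >= min_entropy:
            flagged[dom] = {
                "unique_names": len(names),
                "avg_entropy": round(entropy, 2),
                "max_label_len": max(len(lbl) for lbl in data_labels),
            }
    return flagged


# Constructed sample: batch-script output of the kind the page says Helminth
# stages before exfiltration (made up here), plus benign lookups, including
# nine distinct but low-entropy CDN names that must not be flagged.
PAYLOAD = (
    b"whoami: CORP\\jdoe\r\n"
    b"hostname: WS-042\r\n"
    b"ipconfig: 10.20.30.41 255.255.255.0 10.20.30.1\r\n"
    b"net localgroup administrators: CORP\\jdoe CORP\\Domain Admins\r\n"
    b"tasklist: explorer.exe outlook.exe excel.exe powershell.exe\r\n"
)
BENIGN_QUERIES = ["www.example.org", "mail.example.org", "login.example.org"] + [
    f"img{i}.cdn.example" for i in range(1, 10)
]
SAMPLE_LOG = BENIGN_QUERIES + chunk_to_queries(PAYLOAD)

if __name__ == "__main__":
    for dom, stats in flag_dns_exfil(SAMPLE_LOG).items():
        print(dom, stats)
```

Run against the constructed log, only c2.example is flagged: the nine img*.cdn.example names are numerous but carry low-entropy labels. On real resolver logs, also track query rate and the ratio of distinct names to total queries (exfil names are rarely repeated), and replace the two-label shortcut with a public-suffix list so that hosting providers are grouped correctly.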
Ways to Mitigate Helminth Malware Attacks
Detection and mitigation measures, grouped the same way as the capabilities above:

- Delivery and execution: restrict the use of macros and script interpreters (Windows Script Host, PowerShell) where the business allows, and set an appropriate PowerShell execution policy, keeping in mind that the execution policy is not a security boundary (a script can still be started with -ExecutionPolicy Bypass). Monitor for events associated with VBScript execution and for unusual processes, in particular script hosts such as wscript.exe, cscript.exe, powershell.exe or cmd.exe spawned by Excel.
- Persistence: monitor file creation in the startup folders (new shortcut files), Registry changes to Run keys, and the creation of scheduled tasks.
- Collection: monitor for keylogging indicators such as unexpected driver installs or input-hooking API calls, for processes that read the clipboard, and for bursts of file creation into a single new folder, which is how staged batch-script output appears on disk.
- Discovery: group and process enumeration is noisy on its own; treat it as one link in a chain of behaviour and review it together with the events above, since an operation that enumerates groups and processes may go on to lateral movement.
- Network: analyze DNS and web traffic for unusual flows and packet contents, such as many unique subdomains under one domain, long encoded labels, and regular streams of small packets. Symmetric encryption of C2 means the content cannot be read without the key, but the traffic still has signatures (a protocol used on an unexpected port, fixed-size packets, regular beacon intervals) that detection can key on.
- Code signing: collect and analyze certificate metadata from executables; a valid signature is not proof of benign intent, so check the issuer, subject and revocation status against what is expected in the environment.
- Obfuscation: monitor for obfuscated or encoded files on the host and for the decoding activity that must precede their execution.
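The monitoring points above (a script host launched from Excel, a startup-folder shortcut, a Run key, a scheduled task, and batch output staged in a folder) can be expressed as rules over endpoint telemetry. The following Python is an added example, not from the page nor from any Helminth report or vendor rule set: it runs such rules over a constructed Sysmon-style event sample. The field names follow Sysmon (EventID, Image, ParentImage, CommandLine, TargetFilename, TargetObject), but every record, path and threshold is made up for the illustration.

```python
"""Added example (not from the page, nor from any Helminth report or vendor
rule set): host-side detections for the behaviours the page describes, run over
a constructed, Sysmon-style event sample. Field names follow Sysmon (EventID,
Image, ParentImage, CommandLine, TargetFilename, TargetObject); the records,
paths and thresholds below are assumptions made for this illustration."""
import re
from collections import Counter

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def detect(events, min_staged_files=3):
    """Return (rule, detail) pairs. Each rule is a weak signal on its own;
    several of them on one host within a short window is the real finding."""
    hits = []
    staging = Counter()  # (creating process, directory) -> files created there
    for e in events:
        eid = e["EventID"]
        img = basename(e.get("Image", ""))
        if eid == 1:  # process creation
            parent = basename(e.get("ParentImage", ""))
            cmd = e.get("CommandLine", "")
            if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
                hits.append(("office_spawns_script_host", f"{parent} -> {img}: {cmd}"))
            if SCHTASKS_CREATE.search(cmd):
                hits.append(("scheduled_task_created", cmd))
        elif eid == 11:  # file created
            target = e["TargetFilename"]
            if STARTUP_LNK.search(target):
                hits.append(("startup_folder_shortcut", f"{img} wrote {target}"))
            if img in SCRIPT_HOSTS:  # batch/script output being written somewhere
                staging[(img, dirname(target))] += 1
        elif eid == 13:  # registry value set
            if RUN_KEY.search(e["TargetObject"]):
                hits.append(("run_key_persistence", f"{img} set {e['TargetObject']}"))
    for (proc, folder), n in staging.items():
        if n >= min_staged_files:
            hits.append(("staged_output_folder", f"{proc} created {n} files in {folder}"))
    return hits


# Constructed sample, not a real capture: the first eight records mimic the
# page's description of Helminth; the last three are ordinary user activity.
TEMP = r"C:\Users\jdoe\AppData\Local\Temp"
SYS32 = r"C:\Windows\System32"
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": OFFICE16 + r"\EXCEL.EXE", "Image": SYS32 + r"\wscript.exe",
     "CommandLine": 'wscript.exe //B "' + TEMP + '\\update.vbs"'},
    {"EventID": 11, "Image": SYS32 + r"\wscript.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu"
                       r"\Programs\Startup\Office Update.lnk"},
    {"EventID": 13, "Image": SYS32 + r"\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 1, "ParentImage": SYS32 + r"\cmd.exe", "Image": SYS32 + r"\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 3 /tn "Updater" /tr "wscript.exe //B update.vbs"'},
] + [
    {"EventID": 11, "Image": SYS32 + r"\cmd.exe", "TargetFilename": TEMP + "\\out\\" + name + ".txt"}
    for name in ("whoami", "hostname", "ipconfig", "netgroup")
] + [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "CommandLine": "chrome.exe"},
    {"EventID": 11, "Image": OFFICE16 + r"\WINWORD.EXE", "TargetFilename": r"C:\Users\jdoe\Documents\report.docx"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, "|", detail)
```

On the constructed sample the five rules fire once each and the three benign records produce nothing. The staging rule is deliberately limited to files written by script hosts, because counting every process that writes several files to one folder would be far too noisy; in production, add a time window and correlate the hits per host rather than alerting on any single rule.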