NetHelp Infostealer

Description

(Recorded Future) The NetHelp payload was designed to work only as a service (a persistence method established by the audio dropper of matching bitness). The payload dynamically links APIs at runtime via GetProcAddress and LoadLibrary.

The implant simultaneously relied on two methods of communication: creating a separate thread with an open socket to the server on port 80, as well as issuing POST requests to the C2 server with the specific User-Agent.

Names

  • NetHelp Infostealer
  • NetHelp Striker

Category

Malware

Type

  • Backdoor
  • Info stealer

Information

Other Information

Uuid

7db71641-766e-4bfb-90a8-2b7626e526e7

Last Card Change

2020-04-20