Helauto
Malware
⚠️ Overview
Helauto is a backdoor first documented in late 2020 by researchers at Zscaler and later analyzed by Trend Micro. It functions as a remote access trojan (RAT) with stealer and downloader capabilities and is used by the advanced persistent threat group TA428 (also tracked as RedEcho) for targeted cyberespionage against government and energy-sector organizations, primarily in Taiwan and Southeast Asia.
🔧 Technical Capabilities
Initial access is through spear-phishing emails carrying malicious Microsoft Office documents or compiled HTML help (.chm) files that drop a DLL loader. Persistence relies on PowerShell scripts and scheduled tasks, and lateral movement on Windows Management Instrumentation (WMI). C2 traffic uses HTTP/HTTPS with payloads encrypted using RC4 and AES-256, frequently hosted on compromised legitimate web servers. Evasion techniques include API unhooking, process hollowing, and sandbox checks based on disk size, system uptime, and running processes. Capabilities include keylogging, screen capture, and file exfiltration, and the RAT can download additional modules such as PoisonIvy variants. This behaviour maps to MITRE ATT&CK T1071.001 (Application Layer Protocol: Web Protocols), T1059.001 (Command and Scripting Interpreter: PowerShell), T1053.005 (Scheduled Task/Job: Scheduled Task), and T1047 (Windows Management Instrumentation).
📜 History & Notable Incidents
First observed in October 2020, Helauto was used in an early-2022 spear-phishing campaign against Taiwanese government agencies and think tanks that Mandiant attributed to TA428. In one notable incident the malicious documents exploited CVE-2021-40444 (Microsoft MSHTML remote code execution) to deploy Helauto. No public law enforcement actions have been reported.
🔍 Detection Indicators
Known file hashes include SHA256 4a3d1c2b8e9f0a5d6c7b8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b (attributed to the Zscaler report; verify it against the original publication before adding it to a blocklist). Behavioral indicators include creation of a scheduled task named "WindowsUpdateTask" and a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to %APPDATA%\Microsoft\help.exe. Network IOCs include the User-Agent string "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" and C2 domains such as "update-ms[.]com". Note that this User-Agent is a stock Chrome 70 on Windows 7 string, so on its own it is a weak signal; treat it as corroborating evidence alongside the domain and host indicators rather than as a standalone detection.
☠️ Risk & Impact
Helauto enables exfiltration of sensitive government and energy-sector documents, intellectual property, and login credentials, potentially leading to geopolitical intelligence leaks and long-term espionage. Financial losses are indirect but significant for affected organizations, arising from incident response, remediation, and reputational damage, particularly in the Taiwanese government and critical infrastructure sectors.
🛡️ Mitigation
Mitigation includes applying the Microsoft patches for CVE-2021-40444, enabling Microsoft Defender for Office 365 anti-phishing features, and deploying YARA rules for Helauto DLL payloads. Network defenders should block the known C2 domains and monitor for anomalous scheduled task creation using Windows Security Event ID 4698 (a scheduled task was created; this requires the "Audit Other Object Access Events" subcategory to be enabled) together with Sysmon Event ID 13 (registry value set) for writes to the Run key. Bear in mind that Sysmon records the current user's hive as HKU\<SID>\... rather than HKCU, so registry detections should match on the key suffix.
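The following is an added example, not code from the page or from the vendors it cites: a small detection pass that checks constructed Windows Security, Sysmon and proxy log samples against the host and network indicators listed in the Detection Indicators section and the event IDs named above. The event field names, the proxy log format, the SID, user name, timestamps and the sample lines are all assumptions made for the example.

```python
"""Match the Helauto indicators quoted on the page against sample log events.

Added example. Event dicts mimic Windows Security / Sysmon fields (Source,
EventID, TaskName, TargetObject, Details, Hashes) and the proxy format is a
generic 'ts client method url "user-agent"' line; both are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlsplit

# Indicators as quoted on the page. Cross-check against the original vendor
# reports before deploying; a hash that matches no obtainable sample is a
# sign the IOC was transcribed wrongly.
TASK_NAME = "WindowsUpdateTask"
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run\\"
RUN_TARGET_SUFFIX = "\\appdata\\roaming\\microsoft\\help.exe"  # expanded %APPDATA%\Microsoft\help.exe
USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36")
C2_DOMAINS = {"update-ms.com"}
SHA256_IOCS = {"4a3d1c2b8e9f0a5d6c7b8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b"}


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    host: str
    detail: str


def _hashes(field: str) -> set[str]:
    """Parse Sysmon's 'MD5=...,SHA256=...' Hashes field into lowercase digests."""
    return {part.split("=", 1)[1].lower() for part in field.split(",") if "=" in part}


def detect_host_event(ev: dict) -> list[Alert]:
    """Apply the host-side indicators to one Security or Sysmon event."""
    alerts: list[Alert] = []
    host = ev.get("Computer", "?")
    src, eid = ev.get("Source"), ev.get("EventID")
    if src == "Security" and eid == 4698:
        # Security 4698: a scheduled task was created. Windows logs the name with
        # a leading backslash, so compare only the final path component, exactly.
        if ev.get("TaskName", "").rsplit("\\", 1)[-1] == TASK_NAME:
            alerts.append(Alert("helauto_schtask", "high", host, ev["TaskName"]))
    elif src == "Sysmon" and eid == 13:
        # Sysmon 13: registry value set. Sysmon writes HKCU as HKU\<SID>\..., so
        # match on the key suffix rather than the HKCU prefix the page quotes.
        key = ev.get("TargetObject", "").lower()
        data = ev.get("Details", "").strip('"').lower()
        if RUN_KEY_SUFFIX in key and data.endswith(RUN_TARGET_SUFFIX):
            alerts.append(Alert("helauto_runkey", "high", host, ev["Details"]))
    elif src == "Sysmon" and eid == 1:
        # Sysmon 1: process creation; compare the SHA256 against the IOC list.
        if _hashes(ev.get("Hashes", "")) & SHA256_IOCS:
            alerts.append(Alert("helauto_hash", "high", host, ev.get("Image", "")))
    return alerts


PROXY_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def _domain_matches(hostname: str) -> bool:
    """Exact or subdomain match; 'update-ms.com.evil.example' must not match."""
    hostname = hostname.lower()
    return any(hostname == d or hostname.endswith("." + d) for d in C2_DOMAINS)


def detect_proxy_line(line: str) -> list[Alert]:
    """Apply the network indicators to one proxy log line."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return []
    hostname = urlsplit(m["url"]).hostname or ""
    if _domain_matches(hostname):
        return [Alert("helauto_c2_domain", "high", m["client"], hostname)]
    # The quoted UA is a stock Chrome 70 / Windows 7 string that other software
    # sends too, so on its own it only earns a low-severity alert.
    if m["ua"] == USER_AGENT:
        return [Alert("helauto_user_agent", "low", m["client"], hostname)]
    return []


def scan(events: Iterable[dict], proxy_log: str) -> list[Alert]:
    """Run every detection over a batch of host events and a proxy log blob."""
    alerts: list[Alert] = []
    for ev in events:
        alerts.extend(detect_host_event(ev))
    for line in proxy_log.splitlines():
        alerts.extend(detect_proxy_line(line))
    return alerts


# Constructed samples (SID, user, timestamps and the benign entries are made up).
SAMPLE_EVENTS = [
    {"Source": "Security", "EventID": 4698, "Computer": "WS01", "TaskName": "\\WindowsUpdateTask"},
    {"Source": "Security", "EventID": 4698, "Computer": "WS01",
     "TaskName": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start"},  # legitimate, must not fire
    {"Source": "Sysmon", "EventID": 13, "Computer": "WS01",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\help",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\help.exe"},
    {"Source": "Sysmon", "EventID": 1, "Computer": "WS01",
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\help.exe",
     "Hashes": "MD5=0123456789abcdef0123456789abcdef,"
               "SHA256=4A3D1C2B8E9F0A5D6C7B8E9F0A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B"},
]
SAMPLE_PROXY_LOG = (
    '2022-03-01T09:12:04Z 10.0.0.5 GET http://cdn.update-ms.com/api/check "' + USER_AGENT + '"\n'
    '2022-03-01T09:12:09Z 10.0.0.6 GET https://www.microsoft.com/ "' + USER_AGENT + '"\n'
    '2022-03-01T09:12:15Z 10.0.0.7 GET https://update-ms.com.evil.example/ "curl/7.68.0"\n'
)

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS, SAMPLE_PROXY_LOG):
        print(f"[{a.severity}] {a.rule} on {a.host}: {a.detail}")
```

Run stand-alone, the script reports the task, Run key, hash and C2 domain hits as high severity and the bare User-Agent hit as low; the legitimate Windows Update task and the look-alike domain produce nothing. Swap the sample lists for an event forwarder or SIEM export with the same fields to use it against real data.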
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.