ServHelper is a new backdoor, with a downloader variant, that first appeared in November 2018. Named by its prolific creators, TA505, ServHelper spreads through email campaigns using a quantity-over-quality approach that has proven to work, albeit less effectively than the Emotet strategies discussed here. ServHelper seems to be largely targeted toward businesses but could change to focus on individuals in future campaigns.
How does ServHelper work?
ServHelper is downloaded through Microsoft Word documents containing hidden macros. The documents often pretend to be invoices, though they may take other forms such as, but not limited to, greeting cards, complaints, or details from your bank. These documents try to convince the user to enable macros by claiming that the content cannot be viewed until they are enabled. If the Enable Content button is pressed, the macro runs code that downloads ServHelper to the computer. You can learn more about how to protect yourself here. An example is shown below:
Another method employed by ServHelper is to send PDF files that claim you must follow the link provided to update your PDF viewer. These links instead reach out to a download server that infects anyone who visits. The end result is the same regardless of which infection vector is
Once installed, ServHelper does one of two things.
- ServHelper establishes a remote-control session that allows the malicious actor to control the infected computer from anywhere. From there the malware talks to a command-and-control (C&C) server from which it takes its commands. Notable commands include the ability to kill itself and remove traces of itself from the computer, to copy the user's browser profiles, and to execute a command shell.
- ServHelper more recently removed some of its capabilities (in this version only) to focus instead on dropping another piece of malware, now known as FlawedGrace. FlawedGrace acts as a remote access Trojan providing functions similar to ServHelper's; however, there is ample evidence that FlawedGrace is operated by a different threat actor than ServHelper.
Who is affected?
ServHelper largely targets businesses, and as such most of the emails are designed to mimic messages you would see in your day-to-day business, such as invoices. Despite this focus, it's entirely possible for computers outside of a business to be infected and extorted, so protection is paramount.
Indicators of infection
ServHelper makes several changes that can help identify whether you have been infected. In addition, it reaches out to several known addresses.
- The most noticeable one is the C:\Windows\ServHelper.dll that is dropped in the Windows folder.
- Unusual scheduled startup tasks are always noteworthy, and ServHelper uses them to start itself every time the victim's computer is started.
- C:\PROGRAM FILES\COMMON FILES\SYSTEM\WINRESET.EXE
- IP: 184.108.40.206
- IP: 220.127.116.11
- IP: 18.104.22.168
What you can do
If you or someone you know is infected with the ServHelper malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Emotet from any Windows computer. If you are a computer technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech02 as the Tech ID. Click here: https://www.superantispyware.com/technician-download.html
How to remove ServHelper
- Restart the infected computer in safe mode without networking
- Search through the indicators of infection listed above and investigate any files or folders you do not recognize. You can run a file through SUPERAntiSpyware, or online through VirusTotal.com, to confirm that it is malware.
- Delete files and folders that have been confirmed as malware.
- Repeat steps 1-3 on all other machines in the network.
- Restore all infected computers to normal mode only after confirming the infection is removed.
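The following PowerShell script is an added example, not part of the original post or a SUPERAntiSpyware tool. It turns the indicators listed under "Indicators of infection" into a local check that supports step 2 of the removal procedure: it reports whether the two dropped files exist and computes their SHA-256 hashes for a VirusTotal lookup, flags scheduled tasks whose actions reference those files or run from user-writable folders (a heuristic, not an indicator from the post), and lists live TCP connections to the three IP addresses the post gives. The file paths and IP addresses are copied from the post; the user-writable-folder pattern is an assumption of this example. It only reports findings and deletes nothing.

```powershell
# Added example (not from the original post): report the ServHelper
# indicators listed above on the local host. Run from an elevated
# PowerShell prompt so every scheduled task and connection is visible.

# File and network indicators exactly as given in the post.
$iocFiles = @(
    'C:\Windows\ServHelper.dll',
    'C:\Program Files\Common Files\System\WINRESET.EXE'
)
$iocIps = @('184.108.40.206', '220.127.116.11', '18.104.22.168')

$findings = @()

# 1. Dropped files: presence plus SHA-256 so the hash can be searched
#    on VirusTotal without uploading the file.
foreach ($path in $iocFiles) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Detail = $path; Hash = $hash }
    }
}

# 2. Persistence: scheduled tasks whose action references either dropped
#    file, or (assumption of this example) runs from a user-writable
#    folder such as AppData, Temp or ProgramData.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'ServHelper\.dll|WINRESET\.EXE' -or
            $cmd -match '\\AppData\\|\\Temp\\|\\ProgramData\\') {
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Detail = "$($task.TaskPath)$($task.TaskName) -> $cmd"
                Hash   = ''
            }
        }
    }
}

# 3. Network: established or pending TCP connections to the C&C
#    addresses from the post, with the owning process for context.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $iocIps -contains $_.RemoteAddress }
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Type   = 'Network'
        Detail = "$($c.RemoteAddress):$($c.RemotePort) by PID $($c.OwningProcess) ($($proc.ProcessName))"
        Hash   = ''
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No ServHelper indicators from the post were found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because step 1 of the procedure has you boot into Safe Mode without networking, the network check will naturally report nothing there; run the script once in normal mode before disconnecting the machine if you want that evidence, then again in Safe Mode for the file and scheduled-task checks. Any scheduled task the heuristic flags should be confirmed manually before removal, since legitimate software also runs from ProgramData.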