ServHelper

ServHelper is a new backdoor with a downloader variant first appearing in November of 2018. Named by the prolific creators “Ta505”, ServHelper Spreads through email campaigns using a quantity over quality approach that has proven to work, albeit, less effective than the Emotet strategies discussed here. ServHelper seems to be largely targeted toward businesses but could change to focus on individual’ s in future campaigns.

How does ServHelper works

ServHelper is downloaded through Microsoft word documents with hidden macros. The documents often pretend to be invoices though they may take other forms such as, but not limited to, greeting cards, complaints, or details from your bank.  These documents attempt to convince the user to enable them saying that they cannot be viewed until they are enabled. If the enable Content button is pressed, it runs code that downloads ServHelper to the computer. You can learn more about how to protect yourself here. An example is shown below:

 Infected enable Content doc

Another method employed by ServHelper is to give PDF files that claim you must follow the link provided to update your pdf viewer. These links instead reach out to a download server that infects anyone who visits. The end result is the same regardless of which infection vector is used.

Once installed ServHelper does 1 of 2 things.

  1. ServHelper establishes a remote-control session that allows the malicious actor to control the infected computer from anywhere. From here the malware talks to a Command and control server (C&C) where it takes it commands from. Some of the notable commands include the ability to kill itself and remove traces of itself from the computer, the ability to copy user’s browser profiles, and execute a command shell.
  2. ServHelper more recently removed some of its capabilities (in this version only) to instead focusing on dropping another piece of malware now known as FlawedGrace. FlawedGrace acts as a remote access Trojan providing similar functions to ServHelper, however there is ample evidence that FlawedGrace is operated by a different threat actor than ServHelper.

Who is affected?

ServHelper largely targets businesses and as such most of the emails are designed to take advantage of emails you would see in your day to day business such as invoices. Despite this active focus its entirely possible for computers outside of a business to be infected and extorted so protection is paramount.

Indicators of infection

ServHelper makes several changes that can help identify if you have been infected or not. In addition it reaches out to several known addresses.

  1. The most noticeable one is the C:\Windows\ServHelper.dll that is dropped in the windows folder.
  2. Unusual scheduled startup tasks are always noteworthy and ServHelper uses them to start itself every time a victim’s computer is ran.
  3. C:\PROGRAM FILES\COMMON FILES\SYSTEM\WINRESET.EXE
  4. crl.verisign.com/pca3.crl
  5. http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCECcNdVyfWsO322H1CZgocHg%3D
  6. http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  7. IP: 104.81.60.211
  8. IP: 104.81.60.51
  9. IP: 2.17.157.9

What you can do


If you or someone you know is infected with the ServHelper malware download SUPERAntiSpyware Professional right now and get a 14 day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove Emotet from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech02 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

HOW TO REMOVE ServHelper

  1. Restart the infected computer in safe mode without networking
  2. Search through the Indicators of infection and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.

Emotet

You may have heard of the Trojan Emotet before, first appearing back in 2014 stealing banking information, it has since evolved into a multi-faceted threat that targets everyone. It uses social engineering through emails to attempt to convince the user to open a Microsoft Word document and run its malicious macros. Even more worrisome is that once they have infected a target, they attempt to take over the victims Microsoft outlook desktop application. If successful Emotet will go through all sent emails and contacts, before sending out a new wave of spam emails. Only this time it will be from a trusted email. A campaign from Emotet over the Christmas season reads like a friend sending a friendly season greeting.

Dear <name>,

You make the stars shine brighter and the winter days warmer just by being in my life. Merry Christmas to my favorite person in the world.

Merry Christmas and a wonderful New Year!

Greeting Card is attached

A lovely thing about Christmas is that it’s compulsory, like a thunderstorm, and we all go through it together. Garrison Keillor

While not limited to invoices or Christmas cards, these emails attempt to get the user to click the download link and then to open the document. In the email mentioned above the target may be fooled into thinking that the attached greeting card is legitimate.  The document actually contains a malicious macro, an embedded script. While macros were initially designed to help automate keystrokes and mouse movements, they were quickly abused by nefarious virus creators. The infection cannot run on its own as Microsoft has automatically disabled macros more than a decade ago to help stop these malicious scripts. Instead, Emotet uses a few techniques to get the user to re-enable macros. Examples can be seen below.



The picture urges the user to click the Enable Content button, implying that they cannot view the Word document until they do so. You may have already noticed that the bar itself says that Macros have been disabled and the enable content button will in fact allow them. The moment that Enable content is click the macros will start and in seconds you will be infected, even worse in most cases you will have no indication from this point forward that anything is wrong. In one test case we briefly had a command window appear:



This window lasted less than two seconds before disappearing. This attack vector is not unique to Emotet though. In fact, it has been used by a number of ransomware attacks in the past. If you ever see a document you didn’t expect to receive, you should always be extremely cautious with it and you should never enable macros without a very good reason.

How it works

Emotet is an evolving malware that has been known to primary spread itself through the use of email spam campaigns.  Emotet itself does not attempt to do much harm, instead it opens the door for other malware who pay the doorman on the way in. It achieves this by using what is known as a Command and control server (C&C), Emotet will request instructions from its control server who will issue a new command. This command could be anything from grab this malware sample and run it to tell me what passwords are stored in the user’s browser. Emotet can also receive updates and new capabilities in this way as well, showing that if Emotet has infected your computer or network it should be removed as quickly as possible.

Emotet doesn’t stop at the first computer infected though, once it’s on a network it will attempt to get to all computers it’s connected to through a brute-force attack. Unless strong passwords are enforced on machines and all known vulnerabilities are patched, a single installation of Emotet can cause every computer in the network to become infected. Emotet is often updated with new exploits as they are found, meaning that while it may not be successful at first it will keep trying until it finds something that does work.

Code

We won’t go into too much depth on the actual code itself, but a brief step-by-step walkthrough can be useful to get a better understanding on how this malware works.

1. In the Word document there is a VBA script that is obfuscated so that you cannot read it at a glance, all this code does is launch a command shell which then launches PowerShell, a more powerful version of the Windows command shell.

2. Using PowerShell, the script attempts to download the core Emotet payload from a large variety of distribution websites.

3. The randomly named payload will then reach out to the main server and request a command. The command will change based on the campaign that is running, it could go grab new malware or it could attempt to use your own email address as a way to spread itself.

Who is affected

Many people assume that they will not be targets of malware campaigns, Emotet though targets everyone equally, it has the simple goal of getting on every machine it can and then getting paid to let other, more targeted malware come in behind it. If your email address has ever been sold, disclosed in a breach, or was on a friend’s email list when they got infected it’s possible you will receive a malicious email from them.

Indicators of infection

The main location for the executable is in C:\Users\<name>\AppData\Local\ and then whatever new name Emotet decides to use. One we have seen often is archivessymbol but this will change. If you see something in this folder you don’t know about, its important to run a scan.

Versions of Emotet can also drop files onto your computer in C:\Users\Public or C:\Users\<username>:

These files generally have 5-6 randomly generated numbers in the file name, followed by .exe. These are not actually executable files, but HTML documents that are used to generate revenue for the Blackhat’s by simulating clicks on web advertisements.

What you can do


If you or someone you know is infected with the Emotet malware download SUPERAntiSpyware Professional right now and get a 14 day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove Emotet from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech01 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

Emotet has also been known to exploit a vulnerability in Windows called EternalBlue. Microsoft has issued a patch for this, and applying this patch can help protect you from Emotet as well as other malware who utilize this exploit.

HOW TO REMOVE EMOTET

  1. Restart the infected computer in safe mode without networking
  2. Search through the Indicators of infection and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.

Worried about WannaCrypt Ransomware? Update your Windows OS!

Worried about WannaCrypt Ransomware?

Home users and businesses should make sure their Windows Operating Systems and security software are updated in order to stop the spread of WannaCrypt. Make sure your copy of Windows is updated, click HERE to read Microsoft’s Customer Guidance post about this ransomware. Microsoft even took usual steps and released updates to unsupported Operating systems such as XP. From the article linked above:

Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.”

WannaCrypts ransom message

We at SUPERAntiSpyware stress that you also make sure you are using the latest edition of SUPERAntiSpyware, version 6.0.1240 as of this blog post with the most recent definitions AND make sure you have Real-Time Protection set to enabled.

If you have your Windows Firewall disabled, immediately enable it. If you have a third-party Firewall, make sure it is enabled and the software is current.