ServHelper

ServHelper is a new backdoor with a downloader variant first appearing in November of 2018. Named by the prolific creators “Ta505”, ServHelper Spreads through email campaigns using a quantity over quality approach that has proven to work, albeit, less effective than the Emotet strategies discussed here. ServHelper seems to be largely targeted toward businesses but could change to focus on individual’ s in future campaigns.

How does ServHelper works

ServHelper is downloaded through Microsoft word documents with hidden macros. The documents often pretend to be invoices though they may take other forms such as, but not limited to, greeting cards, complaints, or details from your bank.  These documents attempt to convince the user to enable them saying that they cannot be viewed until they are enabled. If the enable Content button is pressed, it runs code that downloads ServHelper to the computer. You can learn more about how to protect yourself here. An example is shown below:

 Infected enable Content doc

Another method employed by ServHelper is to give PDF files that claim you must follow the link provided to update your pdf viewer. These links instead reach out to a download server that infects anyone who visits. The end result is the same regardless of which infection vector is used.

Once installed ServHelper does 1 of 2 things.

  1. ServHelper establishes a remote-control session that allows the malicious actor to control the infected computer from anywhere. From here the malware talks to a Command and control server (C&C) where it takes it commands from. Some of the notable commands include the ability to kill itself and remove traces of itself from the computer, the ability to copy user’s browser profiles, and execute a command shell.
  2. ServHelper more recently removed some of its capabilities (in this version only) to instead focusing on dropping another piece of malware now known as FlawedGrace. FlawedGrace acts as a remote access Trojan providing similar functions to ServHelper, however there is ample evidence that FlawedGrace is operated by a different threat actor than ServHelper.

Who is affected?

ServHelper largely targets businesses and as such most of the emails are designed to take advantage of emails you would see in your day to day business such as invoices. Despite this active focus its entirely possible for computers outside of a business to be infected and extorted so protection is paramount.

Indicators of infection

ServHelper makes several changes that can help identify if you have been infected or not. In addition it reaches out to several known addresses.

  1. The most noticeable one is the C:\Windows\ServHelper.dll that is dropped in the windows folder.
  2. Unusual scheduled startup tasks are always noteworthy and ServHelper uses them to start itself every time a victim’s computer is ran.
  3. C:\PROGRAM FILES\COMMON FILES\SYSTEM\WINRESET.EXE
  4. crl.verisign.com/pca3.crl
  5. http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCECcNdVyfWsO322H1CZgocHg%3D
  6. http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  7. IP: 104.81.60.211
  8. IP: 104.81.60.51
  9. IP: 2.17.157.9

What you can do


If you or someone you know is infected with the ServHelper malware download SUPERAntiSpyware Professional right now and get a 14 day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove Emotet from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech02 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

HOW TO REMOVE ServHelper

  1. Restart the infected computer in safe mode without networking
  2. Search through the Indicators of infection and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.

Emotet

You may have heard of the Trojan Emotet before, first appearing back in 2014 stealing banking information, it has since evolved into a multi-faceted threat that targets everyone. It uses social engineering through emails to attempt to convince the user to open a Microsoft Word document and run its malicious macros. Even more worrisome is that once they have infected a target, they attempt to take over the victims Microsoft outlook desktop application. If successful Emotet will go through all sent emails and contacts, before sending out a new wave of spam emails. Only this time it will be from a trusted email. A campaign from Emotet over the Christmas season reads like a friend sending a friendly season greeting.

Dear <name>,

You make the stars shine brighter and the winter days warmer just by being in my life. Merry Christmas to my favorite person in the world.

Merry Christmas and a wonderful New Year!

Greeting Card is attached

A lovely thing about Christmas is that it’s compulsory, like a thunderstorm, and we all go through it together. Garrison Keillor

While not limited to invoices or Christmas cards, these emails attempt to get the user to click the download link and then to open the document. In the email mentioned above the target may be fooled into thinking that the attached greeting card is legitimate.  The document actually contains a malicious macro, an embedded script. While macros were initially designed to help automate keystrokes and mouse movements, they were quickly abused by nefarious virus creators. The infection cannot run on its own as Microsoft has automatically disabled macros more than a decade ago to help stop these malicious scripts. Instead, Emotet uses a few techniques to get the user to re-enable macros. Examples can be seen below.



The picture urges the user to click the Enable Content button, implying that they cannot view the Word document until they do so. You may have already noticed that the bar itself says that Macros have been disabled and the enable content button will in fact allow them. The moment that Enable content is click the macros will start and in seconds you will be infected, even worse in most cases you will have no indication from this point forward that anything is wrong. In one test case we briefly had a command window appear:



This window lasted less than two seconds before disappearing. This attack vector is not unique to Emotet though. In fact, it has been used by a number of ransomware attacks in the past. If you ever see a document you didn’t expect to receive, you should always be extremely cautious with it and you should never enable macros without a very good reason.

How it works

Emotet is an evolving malware that has been known to primary spread itself through the use of email spam campaigns.  Emotet itself does not attempt to do much harm, instead it opens the door for other malware who pay the doorman on the way in. It achieves this by using what is known as a Command and control server (C&C), Emotet will request instructions from its control server who will issue a new command. This command could be anything from grab this malware sample and run it to tell me what passwords are stored in the user’s browser. Emotet can also receive updates and new capabilities in this way as well, showing that if Emotet has infected your computer or network it should be removed as quickly as possible.

Emotet doesn’t stop at the first computer infected though, once it’s on a network it will attempt to get to all computers it’s connected to through a brute-force attack. Unless strong passwords are enforced on machines and all known vulnerabilities are patched, a single installation of Emotet can cause every computer in the network to become infected. Emotet is often updated with new exploits as they are found, meaning that while it may not be successful at first it will keep trying until it finds something that does work.

Code

We won’t go into too much depth on the actual code itself, but a brief step-by-step walkthrough can be useful to get a better understanding on how this malware works.

1. In the Word document there is a VBA script that is obfuscated so that you cannot read it at a glance, all this code does is launch a command shell which then launches PowerShell, a more powerful version of the Windows command shell.

2. Using PowerShell, the script attempts to download the core Emotet payload from a large variety of distribution websites.

3. The randomly named payload will then reach out to the main server and request a command. The command will change based on the campaign that is running, it could go grab new malware or it could attempt to use your own email address as a way to spread itself.

Who is affected

Many people assume that they will not be targets of malware campaigns, Emotet though targets everyone equally, it has the simple goal of getting on every machine it can and then getting paid to let other, more targeted malware come in behind it. If your email address has ever been sold, disclosed in a breach, or was on a friend’s email list when they got infected it’s possible you will receive a malicious email from them.

Indicators of infection

The main location for the executable is in C:\Users\<name>\AppData\Local\ and then whatever new name Emotet decides to use. One we have seen often is archivessymbol but this will change. If you see something in this folder you don’t know about, its important to run a scan.

Versions of Emotet can also drop files onto your computer in C:\Users\Public or C:\Users\<username>:

These files generally have 5-6 randomly generated numbers in the file name, followed by .exe. These are not actually executable files, but HTML documents that are used to generate revenue for the Blackhat’s by simulating clicks on web advertisements.

What you can do


If you or someone you know is infected with the Emotet malware download SUPERAntiSpyware Professional right now and get a 14 day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove Emotet from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech01 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

Emotet has also been known to exploit a vulnerability in Windows called EternalBlue. Microsoft has issued a patch for this, and applying this patch can help protect you from Emotet as well as other malware who utilize this exploit.

HOW TO REMOVE EMOTET

  1. Restart the infected computer in safe mode without networking
  2. Search through the Indicators of infection and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.

Watch out for fake USPS delivery emails!

usps

Fake USPS Delivery Emails?

We at SUPERAntiSpyware have been alerted to scam emails hitting users claiming to be from the US Postal Service (USPS) that contains a link that will infect them with malware. One of the emails being used by this scam is notice@ussp(DOT)com

The subject line of the email will typically be titled “Delivery notification – Parcel delivery *NUMBER* failed” containing a message that the user please call the number on the shipping notice we left at your doorstep (which there will be none!) to arrange a new delivery, and a link which you can view the delivery notice online, on the USPS website.

This is a fake link to a malware infested website.

If you see a link in a suspicious email such as this do not click the links or open the attachments no matter how innocent they sound. If it claims to be from an official organization, call them and ask if the email is legit. Better safe than sorry!

Tax Season is here – Watch out for Identity Stealing Spyware!

Taxes The Season is Here !

Keep your personal information safe this tax season by doing a Free scan with SUPERAntiSpyware Free Edition

We want to remind everyone that tax season is the time of increased attacks in the forms of spyware, various methods of phishing , and scams. Spyware and Malware authors significantly increase their activity during the tax season in order to try to steal data and withdraw money from bank accounts, steal credit cards, passwords, and other malicious acts.

Watch out for Identity Stealing Spyware!

During this tax season its important to do a few things to help protect yourself online:

1) Make sure your Operating System and software applications such as web browsers and email clients are up to date.

2) Run a Complete Scan with SUPERAntiSpyware regularly with the latest updates, at least twice a week during this period of increased activity.

3) Be cautious before visiting strange websites, or opening strange email attachments. Think before you click!

4) Manually erase, or use privacy software, to delete sensitive data from you PC. Spyware cannot steal what isn’t there!

5) Lookout for spam phishing email impersonating government, bank, or tax company officials asking for sensitive information.

Do you have any security recommendations that help you stay safe during the tax season? Feel free to leave a comment below!

SUPERAntiSpyware Team

Facebook Malware Attack

Facebook Malware Attack Warning

We’re receiving reports that Facebook is being used as a new vector for executing malware attacks, specifically as a means to distribute the Locky ransomware. While the ransomware variant is not being hosted directly on Facebook, this new version is being hosted in a peculiar way.

The attack starts by a presumably infected machine sending out a message to people in your friends list. This message is actually a SVG (Scalable Vector Graphics) file that is being masqueraded as an image for you to download to view. Once the file has been downloaded and opened, the payload is delivered. Because of the way SVG files work, JavaScript can be embedded into those files and opened with a modern web browser. That JavaScript will then execute and direct the user to a website that mimics YouTube, but with a completely different URL.

Once on that site, a popup is pushed to the user asking them to download a certain extension on your machine in order to view the video. After the extension has been installed, the attackers have the ability to view and alter data regarding the websites you visit, as well as access your Facebook account in order to message all of your friends with the same SVG file.

The payload is delivered through the Nemucod downloader Trojan, which has been known to download copies of Locky on victim’s PCs.

While Google and Facebook have been made aware of this attack, it is possible that proper remediation could take time. The best course of action if you receive such a message is to ignore it, clear your conversation history with that person, and report them to Facebook as having a compromised account.

If you have already been infected by this attack, there’s not much you can do outside of removing the offending extension in Chrome by going to Menu > More Tools > Extensions and check to see if either Ubo or One extensions are listed. This is also a good time to remove any unknown extensions that are installed as well.

Remember, once you have been locked out of your system by a piece of ransomware, your options for recovery are only as good as the backups you have made. Keep your backups up-to-date, and save your data on an outside drive as frequently as possible. Once a ransomware infection has taken place, any attached drives to your network are at risk. Never keep your backup drives attached to your machine when they are not in use.

Typosquatting: Another front of malware attacks

Typosquatting is a type of internet scam that relies on end users making mistakes, such as spelling errors or entering the wrong domain name when entering a websites URL. It is also commonly known as URL Hijacking. There are many motivations for a hijacker to take the Typosquatting approach to deceiving unsuspecting victims:

1) To redirect web traffic to their own or a competitor’s product.

2) Installing malware to infect the user’s machine, typically with ad-hosting pieces of malware.

3) Freeze the web browser for a fake Tech Support scam, scaring the user into calling a fake tech support number claiming the user has a virus infection. These scams potentially cost the users hundreds of dollars.

4) To steal user information by running a phishing scheme to mimic legitimate website.

5) Making revenue from the user clicking on advertisements (either in plain site or disguised as legitimate search links) on the Typosquat website.

6) To blackmail or strong-arm payment from the company they’re Typosquatting in order to force a purchase of the website from the Typosquatter.

A scammer who runs a Typosquat scam typically registers a website address with spelling close to the legitimate websites address. This is typically something simple like omitting a letter, adding a letter, or using a different Top Level Domain. For example if a user wants to go to our website, they may end up typing superaantispyware[dot]com with double a’s. This will end up showing a user a Typosquatting website such as this:

Another type of Typosquat scam would be due to the person improperly typing out the full URL, typing something like google [dot] om , rather than typing google [dot] com. In this instance, the person typing the .om domain would actually be viewing a page hosted on Oman’s Top Level Domain, rather than the basic .com domain. In some instances, large corporations will buy up as many associated domains as they can in order to prevent this type of mistake (Google, for example, has variants of their site containing multiple o’s and different Top Level Domains); however, not all companies have the foresight and/or money to do this.

It is easy to avoid falling prey to a Typosquatting scam. Here are a few easy things you can do to prevent this.

1) Never open links in emails from unexpected senders, and exercise caution when visiting sites you’re not familiar with.

2) Bookmark your favorite websites so you can easily access them.

3) Use a search engine like Google, Bing, or Yahoo when looking for a specific website if you are unsure about the spelling or if the business’ website is the same as their name. Some car dealerships, for example, use dealer names or slogans as their website.

4) Double check the URL you are typing before loading the page

5) Make sure Real-Time Protection is turned on in SUPERAntiSpyware Professional

6) If you are starting a web-based business, consider buying multiple domains that are similar to your primary site to preemptively stop Typosquatters. Most domain registrars will offer bulk rates when you purchase more than one domain at a time.

While this type of attack is somewhat uncommon by today’s standards, it still happens every once in a while. By practicing safe browsing habits, keeping your web browsers up-to-date, and running regular scans of your machine, you should not be impacted by most of these types of attacks.

Macros and You: An old attack becomes chic again

Macros and You ?

Some of the earliest computer viruses and malware were created using macros in Microsoft Office documents. These pieces of malicious code would run once the document was opened, and the infection would happen without the user even being aware that their machine had been compromised. While these types of attacks had fallen out of favor over the years, they’ve come back in style and are more popular than ever before.

What exactly is a macro?

While you’ve probably heard the term thrown around before, most people don’t actually know what they are, or what they’re capable of. In short, macros are little snippets of code that run through your office software. Many people use macros to speed up a repetitive processes, like formatting items. Unfortunately, the same type of code that is used to perform the mundane can also be used to perform the malicious.

Due to the ease of abuse, Microsoft removed the automatic enabling of macros many years ago. This is ultimately what lead to the majority of these types of attacks going by the wayside. Because there was no longer a way to abuse this on most machines, would-be attackers changed their methods to more traditional programs, which are far easier to detect with a normal malware scanner.

With the recent surge in ransomware, new methods of delivery were needed by would-be attackers. The anti-malware engines had been able to detect many variants, and it was only getting easier. This meant that stealth was needed. What better way to do that than to bring back a tried-and-true method in Office Macros. Few people expected it due to the fact that these infection types hadn’t really been seen in years.

The basic attack is carried out like this:

1) An infected person sends you an email with the subject similar to “ATTN: Invoice Attached” that has a Word document attached.

2) The person downloads and opens the file, only to see a garbled mess of characters with a notice that says “Enable macro if the data encoding is incorrect” in big bold red letters at the top of the window

3) The unknowing victim enables macros, thereby initiating the malicious code

4) The code runs, sending out an email to your Outlook contacts (attempting to infect them), downloads whatever payload(s) it wants, then runs the ransomware (locking your files)

Because of the sharp increase in these types of attacks, Microsoft, SUPERAntiSpyware, and many other security vendors recommend that all users disable macros if they do not need to use them. While Macros should be disabled by default, it is worth double-checking your preferences in order to ensure that you are protected as best as possible.

For more information on how to disable macros in Office files, please visit this Microsoft Support article.

NOTE: This is a recommendation specifically for home users, if you are in a work environment please contact your IT department first before making any changes!

PUPs and You: How to Identify and Remove Potentially Unwanted Programs

The internet today is just as dangerous of a place as it ever was. Sure, there are plenty of trusted websites you visit on a daily basis that pose little to no risk to your computer. The worst that happens to most people are unwanted tracking cookies from ad servers being placed on their machine, which is a small price to pay for free access to these sites, especially since they are so easy to remove with programs such as SUPERAntiSpyware®.

Today we’re going to talk about Potentially Unwanted Programs or PUPs for short.

What are PUPs?

PUPs live in the grey area of the software spectrum. Sometimes, they can provide a service that you want, such as coupons or the ability to download videos from popular sites like YouTube; however, sometimes the programs that we classify as PUPs can be the underlying cause of unwanted behavior, such as displaying ads, installing other pieces of software, or modifying your web browser’s homepage.

The most common sources of PUP “infections” are download websites that bundle other pieces of software in with the software that you are really trying to get. Unfortunately, many of the companies that make legitimate software don’t have a say in this bundling of software, as the download host is the one that is making a special installer that will offer up these other pieces of software before you can, or in order to, download and install the piece of software you want.

Many people just click the next button over and over again until they get the software they want installed. The downside to this method of installing software is that you leave yourself susceptible to PUPs on your machine, oftentimes not realizing what has been installed until it is too late. This is what many of these bundled installers are hoping for. They want you to blindly click through so they can get paid for the install of software, as these sites get paid for each piece of software they are able to distribute to end-users, even if they don’t necessarily want what they’re getting.

Once a computer has been “infected” by a PUP, the user may notice some major performance slowdowns or other erratic behaviors. The most common side-effects of PUPs include unwanted or unknown software popping up on your screen telling you there’s a problem, advertisements taking over your screen (either through the web browser directly, or through pop-ups outside the main browser window, system resources being hogged (slowing down the computer), toolbars being installed without your knowledge, and your browser’s homepage being redirected to an unknown/unwanted website.

How can I protect myself from PUPs?

The easiest way to avoid installing PUPs is to make sure that you’re downloading programs from trusted sources (always from the software publisher, if possible), you’re reading each of the screens on install wizards (removing any unwanted options from the installation), and do your research on whether or not the software that you’re looking for is safe and held in high regard by members of the community.

One of the biggest traps that are out there in the wild is the ubiquitous “Big Button”. You have probably seen these before. Say, for example, you’re looking for new media player software to play movies and music. In order to get that software, you go to a file hosting website, and you’re immediately greeted with three green buttons, a red button, and a yellow button, all with the word “DOWNLOAD” in bold capital letters across the center of it. Which one is the correct button to press?

Sometimes reading through the website isn’t enough to show you exactly which button is the real button, and which is an advertisement for another piece of software that’s been embedded near the correct button. Some websites even offer two different versions of the software: one that’s a clean installer, the other is an ad-supported/bundled installer.

This is why we recommend trying to download the software you want directly from the company who makes it. They want you to use their software, so they’re going to make it as easy for you as possible to get what you want. That means no bundled software and no ads that are disguised as download links.

Keep in mind that not all bundled software is bad. Many programs will offer downloads of legitimate products, such as Google Chrome or Dropbox. It’s a common occurrence in the software industry; however, if you’re not familiar with the name of the product a company wants you to install, you should always err on the side of caution and opt out of having that software installed.

How do I get rid of PUPs?

Most PUPs can be removed by going into your control panel and uninstalling them just as you would any other piece of software. In some cases, this unfortunately doesn’t always work. Programs such as SUPERAntiSpyware® try to remove these PUPs before scans, and most of the time we’re successful; however, new PUPs, new malware/spyware threats, and variants of existing threats, are created daily.

A couple easy ways to try to get rid of these PUPs before running more in-depth cleaning are to make sure you remove any unknown browser extensions in your web browser, and using the add/remove programs feature within Windows.  Typically these PUPs will have their own uninstall files that can easily remove the threat once it is known. As always, make sure you exercise caution when removing programs, as not all “unknown” programs are malicious.

If you think that your machine might have PUPs that you can’t seem to get rid of, or any other malware infection for that matter, the best course of action is to first figure out exactly what you’re dealing with. If there is any distinguishing information you can see (like the program name), do a quick search to see how to remove the program. Most of the time, there will already be a removal guide available for the specific PUP or threat you’re dealing with.

Dealing with pesky PUPs can be time consuming, but remember, the time you take to fix the issue when you first notice it is time you save dealing with a computer that’s been slowed down by these unnecessary and unwanted programs.

Why are you calling <Software Name> a PUP? There’s nothing wrong with it!

There are many different criteria that go into classifying a piece of software a PUP. Keep in mind that the first letter of the acronym stands for POTENTIALLY. If a piece of software you want or use on a regular basis is being detected as a PUP, you’re more than welcome to keep using it or ignore the detection within SUPERAntiSpyware®.

We try to not remove anything from your machine unless we know that it has un-welcomed side effects. Some of the criteria we use for determining if a piece of software is a PUP is outlined below:

–          The software is known to display advertisements. This covers everything from pop-ups, pup-unders, ad overlays, inserting in-text ads, and replacing existing advertising streams.

–          Hijacking one or more installed web browser. This covers everything from redirecting the homepage (with or without permission), altering search results, inserting bookmarks, installing unwanted add-ons/extensions, and installing toolbars that bring value to the maker rather than the user.

–          Bundling other software. This covers everything from including other software as a bundle (optional or otherwise) with a desired piece of software, being included in a bundle from another software or download site, making it difficult/impossible to opt-out of bundled software.

–          The overall sentiment of the program is bad. This covers install and uninstall trends for particular pieces of software based on reviews and removal guides from trusted sources, using alarmist notifications to trick the user into purchasing, forcing a purchase to clean or fix issues with or without explaining what the issues are, and using misleading uninstallers to either force download more undesirable software or trick users into keeping the software.

While this is by no means a comprehensive list, it is definitely a good starting point as to why we consider a program as being undesirable. There are plenty of other software review websites out there that will probably echo our sentiments; however, as always, if something is working for you, feel free to ignore the detection.