
ServHelper

Posted: April 16, 2019

ServHelper is a backdoor Trojan that, depending on its version, either gives a remote attacker control over your PC or downloads another threat, FlawedGrace, that serves the same purpose. Users should monitor their e-mail closely for messages matching the ServHelper campaign's template, which relies on threatening documents with embedded macros. Have your anti-malware solution remove ServHelper as soon as it detects it, and be prepared to re-secure the credentials of any compromised accounts.

Reading the Trojan that's Between a Document's Lines

TA505, a threat actor with long-standing ties to the Globe Imposter Ransomware, the Dridex banking Trojan, the AMMYY RAT, the Bart Ransomware, and others, is the unsurprising source of a new Trojan: ServHelper. ServHelper comes in two notably different forks, and the regular updates between its deployments make further changes likely. In both variants, however, it's a high-level threat that, in one way or another, gives RAT (Remote Access Tool/Trojan) capabilities to its threat actor.

The various surges in the ServHelper campaign use several e-mail tactics and emphasize DOC, PUB, or WIZ files that carry malicious macros (which run once the user enables them). A smaller number of attacks use other e-mail lures, such as fake PDF plugins or Web links. The usual victims are entities in the financial sector, retail businesses, and restaurants. Once the reader triggers the installation, ServHelper launches the attacks that aim at giving the threat actor total control.

Some versions of ServHelper include all of the RAT features natively and provide Remote Desktop Protocol features that let the threat actor take over the user interface, including keyboard input. Malware researchers also confirm ServHelper's in-depth support for account-hijacking attacks, which can alert the criminal to a newly logged-in account and help harvest the credentials needed to take it over. The second, download-oriented version of ServHelper, however, offloads all of the control features to another RAT that it downloads, named FlawedGrace.

Helping ServHelper to a Convenient Exit

In either of its two branches, ServHelper is a low-visibility threat. It suppresses any evidence of its presence while the threat actor monitors the situation, issues commands, and downloads and launches other files. Users of compromised systems should prioritize isolating the hardware, in particular by disconnecting it from the Internet. The second version of ServHelper is no less harmful than the first, and could arguably be considered worse, since FlawedGrace supports features that range from password theft to destroying the operating system.

Businesses are, as noted, especially at risk from ServHelper attacks, which leverage e-mail as the delivery channel but still require some action from the victim. Workers should stay alert to potentially threatening downloads, such as documents that use macros or outdated forms of PDF content, and avoid clicking on links that aren't known to be safe. Most messages will be custom-crafted for their targets, but traditional anti-malware services shouldn't have any difficulty detecting, blocking, or removing ServHelper Trojans.

TA505 is a threat actor marked by industrious professionalism, and ServHelper is already showing itself to be part of a broader trend. It also offers a glimmer of hope: all of its attacks can be stopped at the entry point, provided that users aren't asleep at the metaphorical wheel.
