ServHelper Malware

There are public reports about spreading of malware named as ServHelper malware. It is a backdoor malware used by the attacker to steal the information from victim machine to use it in a later stage for performing malicious activity. The mode of spreading of this malware is through the mail which carries either the malicious macro embedded document in the form of Doc, wiz, and pub or through malicious URLs which link to the malware.

• Once the victim enables the embedded macro, it downloads and executes the ServHelper malware on the victim machine.
• After the victim is infected with ServHelper, attacker exploits the victim machine through two ways. First is "tunnel" variant in which attacker access the victim machine through Remote Desktop Protocol via SSH tunnels. After building the connection to Command and control server (C2) controlled by attacker, the attacker performs different malicious activity via executing commands like copying victim browser profiles data, credentials, kill process, create scheduled task and delete malware from the victim machine.
• The Second one is by deploying another Remote Access Trojan (RAT) on victim machine named as FlawedGrace. This RAT creates the configuration file at location C:\ProgramData\.dat which contains the details of C2 IP and Ports to which machine needs to connect. After building connection with C2, malware performs activity via executing different commands like update, remove, download, destroy etc. The IOC of attack is listed below for your action.

Indicators of Compromise:

Command and Control Server

• hxxp://officemysuppbox[.]com/staterepository
• hxxps://checksolutions[.]pw/ghuae/huadh.php
• hxxps://rgoianrdfa[.]pw/ghuae/huadh.php
• hxxps://arhidsfderm[.]pw/ghuae/huadh.php
• hxxp://offficebox[.]com/host32
• hxxp://office365onlinehome[.]com/host32
• hxxps://afgdhjkrm[.]pw/aggdst/Hasrt.php
• hxxp://dedsolutions[.]bit/sav/s.php
• hxxp://dedoshop[.]pw/sav/s.php
• hxxp://asgaage[.]pw/sav/s.php
• hxxp://sghee[.]pw/sav/s.php
• hxxps://vesecase[.]com/support/form.php
• 46.161.27[.]241:443

Hashes

• 52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c
• 1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8
• eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4
• 3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a
• f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac
• d56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58
• efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74
• 9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579
• a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549

File Location

• C:\ProgramData\.dat

Best Practise and Recommendations:

• Users are advised to disable their RDP if not in use, if required it should be placed behind the firewall and users are to bind with proper policies while using the RDP.
• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization's website directly through the browser.
• Restrict execution of Power shell /WSCRIPT in enterprise environment.Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled. Script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  Reference: https://www.fireeye.com/blog/threatresearch/2016/02/greater_visibilityt.html
• Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
• Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.

References:

• https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505