How to remove Loki

Delivered through malicious spam campaigns, Loki focuses on stealing credentials off the victim computer and runs a keylogger. Loki also communicates back to a Command and Control server (C&C) to report what it finds and to receive commands if needed.

How it works

Loki, named after the creator’s username Lokistov, is delivered to users through a variety of channels, but the most common is malicious emails that can come in a variety of types. The most common strategy is the familiar “invoice” style email that attempts to get the potential victim to open the attachment. Once opened, the “invoice” will try to run embedded macros or get the user to follow a link to a downloader. One example of such a “invoice” can be found below.

Invoice enable content picture

If the potential victim were to click “Enable Content,” Loki would be installed and start gathering data. This is a common attack vector[  and was used by, albeit in a more complex way, Emotet.

This is not the only way Loki can be delivered, however, as it can be purchased by a malicious user,  Loki will be delivered in the most cost effective way.

Loki focuses primarily on credential-stealing and boasts an impressive 80 programs it has the ability to steal from. The most notable being all major browsers, including:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Microsoft Internet Explorer
  • Opera Software’s Opera browser

In addition to this already worrying list, Loki is able to go after many alternative versions of these browsers such as:

  • 8pecxstudio’s variant of Firefox, Cyberfox
  • Google’s open-source browser Chromium
  • Independently developed Firefox fork, WaterFox
  • Nichrome

In addition to browsers, Loki can go after FTP clients, Microsoft Outlook, and independently developed SuperPuTTY. This list will likely be expanded in future campaigns to include more commonly used programs if vulnerabilities are found.

After connecting and confirming the presence of its C&C server, Loki launches a keylogger in a separate thread. This keylogger records every button press of the keyboard during its operation and can be used to reveal other passwords and usernames that may not have been stored in a program it can access. This is then bundled with any other data it retrieved.

Once the data is gathered, it is compressed and sent to the C&C server hosted by the malicious actor. These normally are shut down quickly after a new campaign has been identified but can remain active for days or weeks at a time giving them plenty of time to store the gathered data somewhere else and sell it.

Who is affected?

Loki can be bought in the dark web for fairly cheap. Last know price at the time of this writing was $70. The consequence of this is that Loki can be used to target anyone. The benefit of the availability is it makes it much easier for Anti-Malware companies to stop it.

Indicators of Compromise

  1. C:\Users\admin\AppData\Local\Temp\saver.scr
  2. a.doko.moe
  3. MD5: 500F84B83BE685009C136A67690CA0C3

What you can do


If you or someone you know is infected with the Loki malware download SUPERAntiSpyware Professional right now and get a 14 day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove Loki from any Windows computer.

If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech03 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

How To Remove Loki

  1. Restart the infected computer in safe mode without networking.
  2. Search through the items in the Indicators of Infection section above and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.

How to remove ServHelper

ServHelper is a new backdoor with a downloader variant, which first appeared in November of 2018. Named by the Threat actor “Ta505,” ServHelper spreads through email campaigns using a quantity-over-quality approach that has proven to work, albeit less effectively than the Emotet strategies discussed here. ServHelper seems to be largely targeted toward businesses but could change to focus on individual’s in future campaigns.

How does ServHelper works

ServHelper is downloaded through Microsoft Word documents with macros. The documents often pretend to be invoices, though they may take other forms such as, but not limited to: greeting cards, complaints, or details from your bank. These documents attempt to convince the victim to enable macros in them by saying that the content cannot be viewed until macros are enabled. If the victim clicks the Enable Content button, the infected document runs code that downloads ServHelper to the computer. You can learn more about how to protect yourself here. An example is shown below:

 Infected enable Content doc

Another method employed by ServHelper is to distribute PDF files that claim you must follow the link provided to update your PDF viewer. These links instead reach out to a download server that infects anyone who visits. The end result is the same regardless of whether the victim gets the infection from a Word document or a PDF.

Once installed, ServHelper does one of two things.

  1. Establishes a remote-control session that allows the malicious actor to control the infected computer from anywhere. To accomplish this, the malware talks to a Command and Control server (C&C) where it takes it commands from. Some of the notable commands include: the ability to kill itself and remove traces of itself from the computer, the ability to copy user’s browser profiles, and the ability to execute a command shell. This allows the attackers to gain access to your PII as well as any passwords, usernames, bank account information, and more.
  2. Drops another piece of malware known as FlawedGrace. ServHelper recently removed some of its capabilities (in this version only) to instead focusing on dropping this malware. FlawedGrace acts as a remote-access Trojan providing similar functions to ServHelper.

Who is affected?

ServHelper largely targets businesses, so most of the emails are designed to look like emails you would see in your day-to-day business, such as invoices. Despite this active focus, it’s entirely possible for computers outside of a business to be infected and extorted, so protection is paramount.

Indicators of Compromise

ServHelper makes several changes that indicate whether a computer has been infected.

  1. The most noticeable one is the C:\Windows\ServHelper.dll that is dropped in the windows folder.
  2. Unusual scheduled startup tasks are always noteworthy and ServHelper uses them to start itself every time a victim’s computer is ran.
  3. C:\PROGRAM FILES\COMMON FILES\SYSTEM\WINRESET.EXE
  4. crl.verisign[.]com/pca3[.]crl
  5. hxxp://ocsp.verisign[.]com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCECcNdVyfWsO322H1CZgocHg%3D
  6. hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl[.]cab
  7. IP: 104.81.60.211
  8. IP: 104.81.60.51
  9. IP: 2.17.157.9

What you can do

If you or someone you know is infected with the ServHelper malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove ServHelper from any Windows computer.

If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech02 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

How to Remove ServHelper

  1. Restart the infected computer in safe mode without networking.
  2. Search through the Indicators of infection listed above and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.

How to remove Emotet

You may have heard of the Trojan Emotet before. Since first appearing back in 2014 stealing banking information, it has evolved into a multi-faceted threat that targets everyone. It uses social engineering through emails to attempt to convince the user to open a Microsoft Word document and run its malicious macros. Even more worrisome is that once Emotet has infected a target, it attempts to take over the victim’s Microsoft Outlook desktop application. If successful, Emotet goes through all sent emails and contacts and send out a new wave of spam emails. Only this time, the potential victims are receiving the message from a trusted email.

A campaign from Emotet over the Christmas season read like a friend sending a friendly season greeting.

Dear <name>,

You make the stars shine brighter and the winter days warmer just by being in my life. Merry Christmas to my favorite person in the world.

Merry Christmas and a wonderful New Year!

Greeting Card is attached

A lovely thing about Christmas is that it’s compulsory, like a thunderstorm, and we all go through it together. Garrison Keillor

While not limited to invoices or Christmas cards, these emails attempt to get the user to click the download link and then to open the document. In the email mentioned above the target may be fooled into thinking that the attached greeting card is legitimate.  The document actually contains a malicious macro, an embedded script. While macros were initially designed to help automate keystrokes and mouse movements, they were quickly abused by nefarious virus creators. The infection cannot run on its own as Microsoft has automatically disabled macros more than a decade ago to help stop these malicious scripts. Instead, Emotet uses a few techniques to get the user to re-enable macros. Examples can be seen below.



The picture urges the user to click the Enable Content button, implying that they cannot view the Word document until they do so. You may have already noticed that the bar itself says that macros have been disabled, and the Enable Content button will, in fact, allow them. The moment that Enable Content button is clicked, the macros will start, and in seconds you will be infected. Even worse, in most cases you will have no indication from this point forward that anything is wrong. In one test case we briefly had a command window appear:



This window lasted less than two seconds before disappearing. This attack vector is not unique to Emotet though. In fact, it has been used by a number of ransomware attacks in the past. If you ever see a document you didn’t expect to receive, you should always be extremely cautious with it and you should never enable macros without a very good reason.

How it works

Emotet is an evolving malware that has been known to primarily spread itself through email spam campaigns.  Emotet itself does not attempt to do much harm; instead, it opens the door for other malware who pay the doorman on the way in. It achieves this by using what is known as a Command and Control server (C&C): Emotet requests instructions from its C&C server, which  issues a new command. This command could be anything from “grab this malware sample and run it” to “tell me what passwords are stored in the user’s browser.” Emotet can receive updates and new capabilities in this way as well, showing that if Emotet has infected your computer or network, it should be removed as quickly as possible.

Emotet doesn’t stop at the first computer infected though. Once it’s on a network, it will attempt to get to all computers it’s connected to through a brute-force attack. Unless strong passwords are enforced on machines and all known vulnerabilities are patched, a single installation of Emotet can cause every computer in the network to become infected. Emotet is often updated with new exploits as they are found, meaning that while it may not be successful at first, it will keep trying until it finds something that does work.

Code

We won’t go into too much depth on the actual code itself, but a brief step-by-step walkthrough can be useful to get a better understanding on how this malware works.

1. In the Word document there is a VBA script that is obfuscated so that you cannot read it at a glance. All this code does is launch a command shell, which then launches PowerShell, a more powerful version of the Windows command shell.

2. Using PowerShell, the script attempts to download the core Emotet payload from a large variety of distribution websites.

3. The randomly named payload will then reach out to the main server and request a command. The command will change based on the campaign that is running —it could go grab new malware or it could attempt to use your own email address as a way to spread itself.

Who is affected

Many people assume that they will not be targets of malware campaigns. Emotet, though, targets everyone equally: it has the simple goal of getting on every machine it can and then getting paid to let other, more targeted malware come in behind it. If your email address has ever been sold, disclosed in a breach, or was on a friend’s email list when they got infected, then it’s possible you will receive a malicious email from them.

Indicators of infection

The main location for the executable is in C:\Users\<name>\AppData\Local\ and then whatever new name Emotet decides to use. One we have seen often is archivessymbol, but this will change. If you see something in this folder you don’t know about, it’s important to run a scan.

Versions of Emotet can also drop files onto your computer in C:\Users\Public or C:\Users\<username>:

These files generally have 5-6 randomly generated numbers in the file name, followed by .exe. These are not actually executable files, but HTML documents that are used to generate revenue for the Blackhat’s by simulating clicks on web advertisements.

What you can do


If you or someone you know is infected with the Emotet malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove Emotet from any Windows computer.

If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech01 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

Emotet has also been known to exploit a vulnerability in Windows called EternalBlue. Microsoft has issued a patch for this, and applying this patch can help protect you from Emotet as well as other malware who utilize this exploit.

HOW TO REMOVE EMOTET

  1. Restart the infected computer in safe mode without networking
  2. Search through the Indicators of infection and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.