That rootkit has been running rampant for a bit over a year now I would say. There's still no real technical write up of it, and the only articles about it can be found on BleepingComputer.
https://www.bleepingcomputer.com/virus- ... -use-error
https://www.bleepingcomputer.com/news/s ... -software/
https://www.bleepingcomputer.com/virus- ... ce-rootkit
SmartService prevents any security software from running: Antivirus, Antimalware, Firewall, you name it. You can get some programs to run, but they won't detect anything (it's a rootkit after all).
IOCs:

Code:
Multiple randomly named folders in %LocalAppData%, following this pattern:
%LocalAppData%\$7_RAND_CHAR
Examples:
%LocalAppData%\cgkepoh
%LocalAppData%\pwnzghb
%LocalAppData%\upsciml
%LocalAppData%\wmcagent
%LocalAppData%\wmcagent\wmcagent.exe
%LocalAppData%\wmcagent\wow_helper.exe
%AppData%\et
C:\Windows\System32\drivers\$8_RAND_CHAR.sys (ie: wimbehlo.sys)
C:\Windows\System32\drivers\msidntfs.sys
C:\Windows\System32\*******svc.exe (ie: msapibhsvc.exe)
C:\Windows\System32\$RAND_FOLDER
C:\Windows\SysWoW64\$RAND_FOLDER
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\$6_RAND_CHAR (calls the $8_RAND_CHAR.sys driver)
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\msidntfs

The driver gets renamed on every restart, but the first three letters of the driver filename always stay the same (so in the example I provided above, it'll be renamed to wim****.sys).

https://www.bleepingcomputer.com/forums ... oval-help/

IOCs from a FRST log:

Code:
(TOSHIBA CORPORATION) C:\Windows\System32\msapibhsvc.exe
() C:\Users\netdisk\AppData\Local\wmcagent\wmcagent.exe
() C:\Users\netdisk\AppData\Local\upsciml\iacdkvb.exe
HKLM\SYSTEM\CurrentControlSet\Services\klgpmctx <==== ATTENTION (Rootkit!)
2018-03-23 14:38 - 2018-03-23 14:38 - 000145232 ____N C:\WINDOWS\system32\Drivers\wimbehlo.sys
2018-03-23 10:08 - 2018-03-23 10:09 - 000000000 ____D C:\Users\netdisk\AppData\Local\wmcagent
2018-03-09 11:55 - 2018-03-10 19:49 - 000000000 ____D C:\Users\netdisk\AppData\Local\pwnzghb
2018-02-26 18:00 - 2018-03-23 15:10 - 000000000 ____D C:\Users\netdisk\AppData\Local\upsciml
2018-02-26 18:00 - 2018-02-26 18:00 - 000000000 ____D C:\Users\netdisk\AppData\Local\cgkepoh
2018-02-26 17:58 - 2018-03-23 14:39 - 002888704 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\msapibhsvc.exe
2018-02-26 17:58 - 2018-02-26 17:58 - 000000000 ____D C:\WINDOWS\SysWOW64\dwhkoea
2018-02-26 17:58 - 2018-02-26 17:58 - 000000000 ____D C:\WINDOWS\system32\dwhkoea
2018-02-26 17:58 - 2018-02-26 17:58 - 000000000 ____D C:\Users\netdisk\AppData\Roaming\et
C:\WINDOWS\system32\drivers\wimbehlo.sys -> Access Denied <======= ATTENTION
Note that SmartService is almost always delivered with Trojan.Yelloader (Malwarebytes definition), so some folders belong to it (the ones in %LocalAppData%, which contain a Chromium-based program used as a clicker).
Of all the threads I've worked on with this infection, I can almost never find a dropper for it. Though I'll keep an eye open and provide one if I can.
This being said, I'm just creating this thread to start a discussion about this rootkit, since there's not a lot of information about it and I think there should be, as the malware removal forums are flooded with SmartService infections.
I'm currently working on a few threads with SmartService and I'll grab fresh samples of all the files I listed above and attach them here. If there's anything specific you need, just let me know.
Edit: Just saw that Windows Defender is flagging SmartService as Trojan:Win64/Detrahere. The Technical information tab provides more information.
https://www.microsoft.com/en-us/wdsi/th ... /Detrahere
Last edited by Aura on Sat Apr 07, 2018 8:32 pm, edited 1 time in total.
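As an added example (not from the post above, nor from FRST or any other tool it mentions): a small Python triage script that flags FRST log lines matching the naming patterns the post lists, run over constructed sample lines modelled on those IOCs, plus a helper that correlates the driver across reboots using the constant three-letter prefix. The lowercase-letter assumption for the random names and the allow-list of benign seven-letter folders are my own assumptions, not something the post states.

```python
import re

# Constructed FRST-style lines modelled on the post's IOC patterns (not a real log).
SAMPLE_LOG = r"""
2018-03-23 14:38 - 2018-03-23 14:38 - 000145232 ____N C:\WINDOWS\system32\Drivers\wimbehlo.sys
2018-03-23 14:38 - 2018-03-23 14:38 - 000145232 ____N C:\WINDOWS\system32\Drivers\msidntfs.sys
2018-03-23 10:08 - 2018-03-23 10:09 - 000000000 ____D C:\Users\netdisk\AppData\Local\wmcagent
2018-02-26 18:00 - 2018-02-26 18:00 - 000000000 ____D C:\Users\netdisk\AppData\Local\cgkepoh
2018-02-26 17:58 - 2018-03-23 14:39 - 002888704 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\msapibhsvc.exe
2018-02-26 17:58 - 2018-02-26 17:58 - 000000000 ____D C:\WINDOWS\SysWOW64\dwhkoea
2018-02-26 17:58 - 2018-02-26 17:58 - 000000000 ____D C:\Users\netdisk\AppData\Roaming\et
2018-01-10 09:00 - 2018-01-10 09:00 - 000000000 ____D C:\Users\netdisk\AppData\Local\Mozilla
C:\WINDOWS\system32\drivers\wimbehlo.sys -> Access Denied <======= ATTENTION
HKLM\SYSTEM\CurrentControlSet\Services\klgpmctx <==== ATTENTION (Rootkit!)
"""

# Naming patterns from the post. Assumption: the random parts are lowercase ASCII letters,
# as in every example shown. Named indicators come first so they win over the heuristics.
RULES = [
    ("msidntfs.sys driver", re.compile(r"\\System32\\drivers\\msidntfs\.sys$", re.I)),
    ("random 8-char driver in System32\\drivers", re.compile(r"\\System32\\drivers\\[a-z]{8}\.sys$", re.I)),
    ("*******svc.exe in System32", re.compile(r"\\System32\\[a-z]{7}svc\.exe$", re.I)),
    ("random folder in System32/SysWOW64", re.compile(r"\\(System32|SysWOW64)\\[a-z]{7}$", re.I)),
    ("wmcagent folder (Trojan.Yelloader)", re.compile(r"\\AppData\\Local\\wmcagent$", re.I)),
    ("random 7-char folder in %LocalAppData%", re.compile(r"\\AppData\\Local\\[a-z]{7}$", re.I)),
    ("'et' folder in %AppData%", re.compile(r"\\AppData\\Roaming\\et$", re.I)),
    ("FRST ATTENTION marker", re.compile(r"<=+ ?ATTENTION")),
]
# Legitimate 7-letter names the random-name heuristics would otherwise flag (assumed allow-list).
KNOWN_OK = {"mozilla", "discord", "spotify", "dropbox", "drivers"}
DRIVER_RE = re.compile(r"^[a-z]{8}\.sys$", re.I)


def scan_frst_log(text):
    """Return (rule name, line) for every line matching a SmartService IOC pattern."""
    hits = []
    for line in text.splitlines():
        line = line.rstrip()
        if line.rsplit("\\", 1)[-1].lower() in KNOWN_OK:
            continue  # benign folder that happens to be 7 letters long
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((name, line))
                break  # one verdict per line
    return hits


def same_driver_family(old, new):
    """Correlate the driver across reboots: it is renamed each restart but keeps
    its first three letters (wimbehlo.sys -> wim*****.sys in the post)."""
    return bool(DRIVER_RE.match(old) and DRIVER_RE.match(new)) and old[:3].lower() == new[:3].lower()
```

The random-name rules are heuristics, so treat a hit on them as a lead to confirm (file signer, creation time, the Access Denied or ATTENTION markers) rather than a verdict on its own.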