A backdoor named ServHelper, associated with TA505, has been detected installing cryptominers on compromised systems since at least January 2020. The miner hides itself in the system using a virtualized environment. When the unsuspecting victim executes the installer, ServHelper first checks whether it is running in a virtualized environment, to avoid being analyzed. It also checks whether the current user has admin privileges or the Windows 10 version is < 10147, so that it can escalate privileges using DLL hijacking.