An email campaign has been observed using an unexpected file format to deliver the Vidar infostealer. The novel technique uses Microsoft Compiled HTML Help (CHM) files to hide the spyware.

The use of the CHM file format

According to Trustwave, the email campaign spreading Vidar is not especially advanced, but it is cleverly constructed.
  • The email carries a basic subject line and an attachment, request[.]doc, which is in fact an ISO disk image.
  • The ISO contains two files: an executable (app[.]exe) and a Microsoft Compiled HTML Help (CHM) file (pss10r[.]chm).
  • Attackers abuse the CHM format to force Microsoft Help Viewer (hh[.]exe) to load the objects embedded in the file.
  • Whenever the malicious CHM file is unpacked, a JavaScript snippet embedded in it silently runs app[.]exe, which is the Vidar payload.
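As an added example (not code from the article or from Trustwave's report), the following Python flags the chain described above in process-creation telemetry: hh[.]exe opening a CHM from outside the usual install roots (such as a mounted ISO), and hh[.]exe spawning an executable, correlated back to the CHM that was opened. The sample events, their Sysmon-style field names, the drive letter and the trusted-root list are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (not real telemetry). The first
# two reproduce the hh.exe -> app.exe chain launched from a mounted ISO (drive E:).
SAMPLE_EVENTS = [
    {"ProcessGuid": "p1", "ParentProcessGuid": "p0", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe", "CommandLine": r'"C:\Windows\hh.exe" E:\pss10r.chm'},
    {"ProcessGuid": "p2", "ParentProcessGuid": "p1", "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"E:\app.exe", "CommandLine": r"E:\app.exe"},
    {"ProcessGuid": "p3", "ParentProcessGuid": "p0", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" "C:\Program Files\Vendor\manual.chm"'},
    {"ProcessGuid": "p4", "ParentProcessGuid": "p0", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Vendor\tool.exe", "CommandLine": r"tool.exe"},
]

HELP_VIEWER = "hh.exe"
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs"}
# Assumed locations where legitimate help files live; anything else is worth a look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
CHM_ARG = re.compile(r'"([^"]+\.chm)"|(\S+\.chm)', re.IGNORECASE)  # quoted or bare path

def _name(path):
    return PureWindowsPath(path).name.lower()

def chm_argument(cmdline):
    """Return the .chm path hh.exe was asked to open, or None if there is none."""
    m = CHM_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def is_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)

def detect(events):
    """Return one finding per suspicious event, in event order."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        if _name(e["Image"]) == HELP_VIEWER:
            chm = chm_argument(e["CommandLine"])
            if chm and not is_trusted_root(chm):
                findings.append({"guid": e["ProcessGuid"], "rule": "chm_from_untrusted_path", "detail": chm})
        if _name(e["ParentImage"]) == HELP_VIEWER and PureWindowsPath(e["Image"]).suffix.lower() in EXEC_EXTENSIONS:
            parent = by_guid.get(e["ParentProcessGuid"])  # correlate child back to the CHM
            chm = chm_argument(parent["CommandLine"]) if parent else None
            findings.append({"guid": e["ProcessGuid"], "rule": "help_viewer_spawned_executable",
                             "detail": f"{e['Image']} (CHM: {chm or 'unknown'})"})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```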

Vidar spyware and its capabilities

The Vidar infostealer samples obtained by researchers connect to their C2 server using Mastodon, a multi-platform open-source social networking system.
  • The malware looks up specific profiles and retrieves its C2 addresses from the bio sections of those profiles.
  • This allows the malware to set up its configuration and start data harvesting, including cryptocurrency account credentials and credit card information.
  • The Vidar spyware is capable of downloading and executing further malware payloads as well.

Ending notes

The attackers nimbly use CHM files to stay hidden, making it challenging for security professionals to prevent such threats. Security teams are advised to rely on behavior-based detection, email gateways, and proper training that helps employees spot a phishing email.

Cyware Publisher
