Vidar spyware is now hidden in Microsoft help files

Updated: The malware is being spread through an interesting phishing tactic.

Vidar malware has been detected in a new phishing campaign that abuses Microsoft HTML help files. 


On Thursday, Trustwave cybersecurity researcher Diana Lopera said the spyware is being concealed in Microsoft Compiled HTML Help (CHM) files to avoid detection in email spam campaigns. 

Vidar is Windows spyware and an information stealer sold to cybercriminals. It can harvest OS and user data, online service and cryptocurrency account credentials, and credit card information.

While often deployed through spam and phishing campaigns, researchers have also spotted the C++ malware being distributed through the pay-per-install PrivateLoader dropper, and the Fallout exploit kit. 

According to Trustwave, the email campaign distributing Vidar is far from sophisticated. The email contains a generic subject line and an attachment, "request.doc," which is actually a .iso disk image.


The .iso contains two files: a Microsoft Compiled HTML Help (CHM) file (pss10r.chm) and an executable (app.exe). 

CHM is Microsoft's compiled HTML help format, used to package documentation and help files; the compressed HTML archive may hold text, images, tables, and links -- when used legitimately.

However, attackers can abuse the format so that Microsoft Help Viewer (hh.exe) loads objects embedded in the CHM.

When the malicious CHM file is opened, an embedded JavaScript snippet silently runs app.exe. Both files have to be in the same directory, which is why they are shipped together in the .iso, and this triggers the execution of the Vidar payload.
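As an added detection example, not from Trustwave's research or this article, the same-directory condition above can be turned into a check over process-creation telemetry: flag Microsoft Help Viewer (hh.exe) spawning an executable that sits beside the .chm it opened. The events, field names and paths below are constructed in Sysmon style and are assumptions, not data from the campaign.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events, reduced to the fields the
# check needs. Illustrative only; not logs from the Vidar campaign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\hh.exe",
     "ParentCommandLine": r'"C:\Windows\hh.exe" E:\pss10r.chm',
     "Image": r"E:\app.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe"},
    {"ParentImage": r"C:\Windows\hh.exe",
     "ParentCommandLine": r'"C:\Windows\hh.exe" "C:\Program Files\Tool\manual.chm"',
     "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe"},
]

# A quoted path (may contain spaces) or an unquoted token ending in .chm.
CHM_RE = re.compile(r'"([^"]+\.chm)"|(\S+\.chm)', re.IGNORECASE)


def chm_from_cmdline(cmdline):
    """Return the .chm path passed to hh.exe, or None if none is present."""
    m = CHM_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def classify(event):
    """Return None, "medium" or "high" for one process-creation event."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    if parent != "hh.exe" or child == "hh.exe":
        return None  # only children spawned by Help Viewer are of interest
    chm = chm_from_cmdline(event["ParentCommandLine"])
    if chm and ntpath.dirname(chm).lower() == ntpath.dirname(event["Image"]).lower():
        return "high"  # child lives beside the help file, like the CHM + app.exe pair
    return "medium"  # Help Viewer launching anything else still merits review


def find_suspicious(events):
    """Return (severity, child image) for every event that classify() flags."""
    return [(classify(e), e["Image"]) for e in events if classify(e)]


if __name__ == "__main__":
    for severity, image in find_suspicious(SAMPLE_EVENTS):
        print(severity, image)
```

On the sample data the hh.exe to app.exe event on the mounted .iso is rated high because the executable and the CHM share a directory, while hh.exe opening a browser is only medium.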

The Vidar samples obtained by the team connect to their command-and-control (C2) server via Mastodon, a multi-platform open source social networking system. Specific profiles are searched, and C2 addresses are grabbed from user profile bio sections. 

This allows the malware to set up its configuration and get to work harvesting user data. In addition, Vidar was observed downloading and executing further malware payloads. 


Phishing emails range from spray-and-pray generic messages to tailored, targeted emails designed to reel a victim in. Scam artists willing to put in a little more effort are constantly developing new ways to infiltrate our systems, from using botnets to insert themselves into existing email conversations within a business, to using QR codes or malicious Microsoft Excel XLL add-ins to serve malware.

Files are often disguised as other formats in phishing messages, and as Trend Micro observed in 2019, .iso files can be used as containers for malware including LokiBot and NanoCore. 

To lower the risk of being hoodwinked by the .iso technique, you should always be wary of any email containing documents you were not expecting and should not download or open files unless you have verified the sender and their email address.  

"Since this Vidar campaign utilizes social engineering and phishing, ongoing security awareness training for your staff is essential," commented Karl Sigler, Trustwave threat intelligence manager. "Organizations should also consider implementing a secure email gateway for 'defense in depth' layered security in order to filter these types of phishing attacks before they even get to any inboxes."

"Vidar itself is an 'information stealer' type of malware. It grabs as much data as it can from the victim's system, sends it back to the attackers, and then deletes itself. This includes any local password stores, web browser cookies, crypto wallets, contact databases, and other types of potentially valuable data."

Update 15.22 GMT: Added further information on the ways to mitigate malspam attempts, researcher comment.
