Vidar spyware is now hidden in Microsoft help files

A new cybercrime campaign has been discovered that abuses Microsoft's HTML help files to deliver Vidar malware.

Security researchers at Trustwave reported that a threat actor is distributing Vidar through a spam campaign. The attackers send a fairly generic-looking email with a file named "request.doc" attached.

This file is not a .doc document at all, but an .iso disk image containing two files: a Microsoft Compiled HTML Help (CHM) file, often named pss10r.chm, and an executable named app.exe.

When the CHM file is opened, embedded JavaScript silently runs app.exe, loading the Vidar malware onto the target device.
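The lure works because "request.doc" is really an ISO image, and a gateway that trusts the extension lets it through. The following check, an added example that is not from the article or from Trustwave's report, compares an attachment's declared extension with its file signature; the byte samples and file names other than request.doc and pss10r.chm are constructed.

```python
"""Flag attachments whose extension disagrees with the real file type.
Added example (not from the article or Trustwave). Sample bytes are constructed."""
import os

# Signatures for the types involved in this campaign, plus genuine Word documents.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc (OLE2 container)
ZIP_MAGIC = b"PK\x03\x04"                        # .docx and other OOXML
CHM_MAGIC = b"ITSF"                              # Microsoft Compiled HTML Help
PE_MAGIC = b"MZ"                                 # Windows executable
ISO_PVD_OFFSET = 16 * 2048                       # ISO 9660 primary volume descriptor (sector 16)
ISO_MAGIC = b"CD001"                             # follows the 1-byte descriptor type

# Which sniffed types are acceptable for a given extension (no entry = no policy).
EXPECTED = {".doc": {"ole", "zip"}, ".docx": {"zip"}, ".iso": {"iso"}, ".chm": {"chm"}, ".exe": {"pe"}}


def sniff_type(data: bytes) -> str:
    """Identify the container by signature; ISO is tested first because its first 32 KiB may be zeros."""
    if len(data) > ISO_PVD_OFFSET + 6 and data[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] == ISO_MAGIC:
        return "iso"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(CHM_MAGIC):
        return "chm"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Return the verdict; mismatch is True when the policy for the extension excludes the sniffed type."""
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff_type(data)
    allowed = EXPECTED.get(ext)
    return {"filename": filename, "actual_type": actual,
            "mismatch": allowed is not None and actual not in allowed}


def make_fake_iso() -> bytes:
    """Constructed stand-in for the lure: empty system area, then a primary volume descriptor at sector 16."""
    img = bytearray(ISO_PVD_OFFSET + 2048)
    img[ISO_PVD_OFFSET] = 1                                   # descriptor type 1 = primary volume descriptor
    img[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] = ISO_MAGIC
    return bytes(img)


if __name__ == "__main__":
    for name, blob in [("request.doc", make_fake_iso()), ("report.doc", OLE_MAGIC + b"\0" * 64)]:
        print(check_attachment(name, blob))   # request.doc is flagged, report.doc is not
```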

Vidar is described as Windows spyware and a data stealer capable of collecting user and operating system data. It can extract cryptocurrency account credentials as well as payment data such as credit card details.

CHM is Microsoft's compiled HTML help format, used to package and view help files. The compressed HTML format lets images, tables and links be distributed in a single file, but it can also be abused to deliver weaponized CHM objects.

In this particular case, the Vidar spyware connects to the command and control (C2) server through Mastodon.

According to commercial software and services distributor Entersoft, Vidar was introduced in December XNUMX and is thought to be of Russian origin. That conclusion was drawn from the fact that the malware stops running if it detects that it is on a machine in a former USSR country or that the keyboard has a Russian layout.

The malware is named after Víðarr, the god of vengeance in Norse mythology. It appears to be a variant of the Arkei malware.

As usual, the best defence against malware like this is to be very careful when opening email attachments or clicking links in emails from unknown or unexpected senders.

Via: ZDNet