- Jul 22, 2014
Security researcher My name Is discovered a new spam campaign that uses an uncommon attachment type to download and install what appears to be a Brazilian banking Trojan onto the affected computer. While most recent malspam campaigns have used JS or VBS attachments, this campaign uses malicious CHM (compiled HTML Help) files that execute PowerShell commands to download and install the malware.
Malspam Pretends to be Whats from WhatsApp.com
This spam campaign pretends to be an email from WhatsApp containing a conversation history, with subjects similar to "Conversa do WhatsApp com". The emails contain a link which, when clicked by a user coming from a Brazilian IP address, downloads a zip file named in the format Whats_email@example.com.zip. Inside the zip file is a malicious CHM file named in the format Whats_email@example.com.chm.
...
Malicious CHM files can be an effective way of bypassing AV software: at the time of writing, this CHM is detected by only 10/60 vendors on VirusTotal.
....
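A mail-gateway triage check for the attachment pattern described above (zip named Whats_<address>.zip carrying a .chm member), written here as an added example and not taken from the article or from any product. It assumes nothing beyond the naming scheme in the post and the ITSF header that every CHM container starts with; the sample zip it builds is constructed and holds no real payload.

```python
import io
import re
import zipfile

# Every compiled HTML Help (.chm) file starts with the ITSS container header "ITSF".
CHM_MAGIC = b"ITSF"
# Naming scheme reported for the campaign: Whats_<email address>.zip / .chm
CAMPAIGN_NAME_RE = re.compile(r"^Whats_[^@\s]+@[^@\s]+\.(zip|chm)$", re.IGNORECASE)


def inspect_zip_attachment(name, data):
    """Triage one zip attachment: flag CHM members by header or extension.

    Returns a dict with the zip-name match, the CHM members found, and a
    'suspicious' verdict that quarantine logic can act on. Extension-only
    matches are reported too, so a renamed payload is not missed.
    """
    findings = {"zip_name_matches": bool(CAMPAIGN_NAME_RE.match(name)),
                "chm_members": [], "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not a valid zip"
        return findings
    for info in zf.infolist():
        if info.is_dir():
            continue
        with zf.open(info) as fh:
            head = fh.read(4)          # only the header is needed for the check
        if head == CHM_MAGIC or info.filename.lower().endswith(".chm"):
            findings["chm_members"].append({
                "name": info.filename,
                "magic_ok": head == CHM_MAGIC,
                "name_matches": bool(CAMPAIGN_NAME_RE.match(info.filename)),
            })
    findings["suspicious"] = bool(findings["chm_members"])
    return findings


def build_zip(member_name, payload):
    """Constructed helper: build an in-memory zip with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for the campaign attachment: a CHM header plus padding.
    fake_chm = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60
    print(inspect_zip_attachment("Whats_victim@example.com.zip",
                                 build_zip("Whats_victim@example.com.chm", fake_chm)))
```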