Microsoft Help Files Disguise Vidar Malware


Aug 17, 2014
In a report published Thursday, Trustwave SpiderLabs revealed a new phishing attack designed to plant the Vidar infostealer on target machines. The trick to this particular campaign is that it conceals its complex malware behind a Microsoft Compiled HTML Help (.CHM) file, Microsoft’s proprietary file format for help documentation saved in HTML. In other words, it’s the kind of file you almost never look at or even think about.

After all, what better place to hide something interesting than within something boring? That’s just what cyberattackers have done in a recent spate of data-stealing attacks: leverage .CHM files in a nested attack that prioritizes obfuscation.

In this latest campaign, the .ISO file contains a .CHM file named “pss10r.chm.” Towards the end of the file’s code is a snippet of HTML application (HTA) code containing JavaScript that covertly triggers a second file, “app.exe.” This is, in fact, Vidar malware.

“One of the objects unpacked from the .CHM is the HTML file ‘PSSXMicrosoftSupportServices_HP05221271.htm’ — the primary object that gets loaded once the CHM pss10r.chm is opened,” according to the Trustwave writeup. “This HTML has a button object which automatically triggers the silent re-execution of the .CHM “pss10r.chm” with mshta.” Mshta is a Windows binary used for executing HTA files.
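The chain described above (a .CHM carrying HTA/JavaScript near its end, re-executed with mshta, which then launches app.exe) gives a defender two cheap places to look. The script below is an added example, not code from Trustwave or from the article: a byte-level heuristic scan of a CHM for plaintext script markers, and a triage pass over process-creation events looking for mshta handed a .chm path or spawning a non-system executable. The log format, the marker list and the sample events are constructed for the example; the assumption that the HTML Help viewer hh.exe is the parent process when a .chm is opened is mine, not something the report states.

```python
"""Detection heuristics for the CHM -> mshta -> app.exe pattern (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Plaintext strings that hint at HTA/script content inside a .chm. The report
# places the HTA snippet near the end of the file; this marker list is a
# heuristic of my own choosing, not taken from the Trustwave write-up.
CHM_MARKERS = [b"<script", b"hta:application", b"mshta"]


def scan_chm_bytes(data: bytes) -> List[str]:
    """Return markers found in a CHM blob; empty if none or if it is not a CHM."""
    if not data.startswith(b"ITSF"):  # magic bytes of the CHM (ITSS) container
        return []
    lowered = data.lower()
    return [m.decode() for m in CHM_MARKERS if m in lowered]


@dataclass
class ProcEvent:
    """One process-creation event in the constructed 'parent= image= cmdline=' format."""
    parent: str
    image: str
    cmdline: str


LINE_RE = re.compile(r"parent=(\S+)\s+image=(\S+)\s+cmdline=(.*)")


def parse_events(log: str) -> List[ProcEvent]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcEvent(*m.groups()))
    return events


def classify(ev: ProcEvent) -> str:
    """Return a reason string if the event matches the CHM/mshta pattern, else ''."""
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    # mshta handed a .chm path: the "silent re-execution" the report describes
    if image.endswith("mshta.exe") and ".chm" in cmd:
        return "mshta re-executing a .chm"
    # mshta started by the help viewer (hh.exe as parent is an assumption)
    if image.endswith("mshta.exe") and parent.endswith("hh.exe"):
        return "mshta spawned by the HTML Help viewer"
    # mshta launching a binary outside the Windows directory (app.exe in the report)
    if parent.endswith("mshta.exe") and image.endswith(".exe") \
            and not image.startswith("c:\\windows\\"):
        return "mshta launching a non-system executable"
    return ""


def triage(log: str) -> List[Tuple[int, str]]:
    """Return (event number, reason) for every suspicious event in the log."""
    hits = []
    for n, ev in enumerate(parse_events(log), start=1):
        reason = classify(ev)
        if reason:
            hits.append((n, reason))
    return hits


# Constructed sample events: the first two mirror the reported chain, the last
# two are benign baseline activity.
SAMPLE_LOG = r"""
parent=C:\Windows\hh.exe image=C:\Windows\System32\mshta.exe cmdline=mshta.exe C:\Users\victim\Downloads\pss10r.chm
parent=C:\Windows\System32\mshta.exe image=C:\Users\victim\AppData\Local\Temp\app.exe cmdline=app.exe
parent=C:\Windows\explorer.exe image=C:\Windows\hh.exe cmdline=hh.exe C:\Users\victim\Downloads\pss10r.chm
parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmdline=notepad.exe notes.txt
"""

# Constructed CHM-like blob: container magic followed by plaintext script text.
SAMPLE_CHM = b"ITSF" + b"\x00" * 60 + b"<html><script>x()</script></html> mshta.exe pss10r.chm"

if __name__ == "__main__":
    print("CHM markers:", scan_chm_bytes(SAMPLE_CHM))
    for n, reason in triage(SAMPLE_LOG):
        print(f"event {n}: {reason}")
```

The byte scan is deliberately crude: CHM content is normally LZX-compressed, so markers only surface when script text was appended or stored uncompressed, which is why the process-lineage rules are the more dependable of the two signals.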