SWH + RunBySmartscreen vs. phishing attack to plant Vidar infostealer
In a report published Thursday, Trustwave SpiderLabs revealed a new phishing attack designed to plant the Vidar infostealer on target machines. The trick to this particular campaign is that it conceals its complex malware behind a Microsoft Compiled HTML Help (.CHM) file, Microsoft’s proprietary...
Appending a malicious file to an unsuspecting file format is one of the tricks our adversaries use to evade detection. Recently, we came across an interesting email campaign employing this technique to deliver the info stealer Vidar malware.
This campaign is not a good example of how SWH works, because the attack is not fileless and so falls outside what SWH is designed to protect against. It is, however, a good example of the usefulness of the RunBySmartscreen tool.
The infection chain (delivery stage in blue in the original figure):

email ----> ISO attachment (spoofed as a .doc document) ---> two payloads dropped (CHM and EXE) ---> EXE payload executed directly by the user, or indirectly by opening the CHM file
In theory, such attacks can be prevented via SWH by adding the ISO extension to the "Protected SRP Extensions", so that the file is blocked when it is opened by a 3rd-party application (the Windows built-in handler is not affected). Most users will not do this, because it is inconvenient. They can use the RunBySmartscreen tool instead.
After opening the attachment in the email client, we see two files in Explorer. We do not know whether they are benign or malicious, so instead of opening them directly we use the right-click Explorer context menu option "Run By SmartScreen".
For the first payload we see the RunBySmartscreen alert (file blocked):

The alert tells us that this is a CHM file, a type that is not commonly used in email correspondence. Commonly used file types are ignored by RunBySmartscreen, so an alert by itself is a signal that the file deserves a closer look.

For the second payload (the EXE) we see the SmartScreen block:

The RunBySmartscreen tool does not show alerts for common files (movies, photos, music, etc.), and it will execute EXE/MSI files only if they pass the SmartScreen check. For the remaining file types, RunBySmartscreen blocks opening/execution in the same way as the Paranoid extensions in SWH.
Alerts are also shown for PDF documents and for MS Office documents with macros:

A Word document with macros (DOCM) is blocked:

A Word document without macros is opened after the alert:

A PDF document is opened after the alert:
So what happens if the payloads are opened in the standard way?

The CHM payload is blocked by SWH anyway. The EXE payload, however, is executed without any SmartScreen alert.

But wait, these payloads were downloaded from the Internet, so why is there no SmartScreen alert?

The ISO was downloaded from the Internet, so it carries the Mark of the Web (MOTW, stored in the Zone.Identifier alternate data stream). Unfortunately, the files inside an ISO image (and inside other disk image formats) do not inherit the MOTW when the image is mounted, so Windows, SmartScreen and Microsoft Defender cannot recognize them as downloaded from the Internet. This was the behaviour at the time of writing; later Windows updates changed how the MOTW is propagated to the contents of mounted ISO files, so check the behaviour on the build you run.
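The following PowerShell script is an added illustration of the MOTW gap described above; it is not code from the Run By Smartscreen tool or from SWH. It reads the Zone.Identifier stream of a downloaded ISO, mounts the image, copies the contents out, and reports which of the extracted files carry a MOTW (none will, on an affected build), then writes an Internet-zone Zone.Identifier stream onto each one so that Explorer, SmartScreen and Office treat them as downloaded content. The ISO path is a hypothetical placeholder; the script assumes Windows 8 or later with NTFS on the temp volume.

```powershell
# Added example (not the Run By Smartscreen tool's own code): show that files extracted
# from a MOTW-marked ISO have no MOTW of their own, and add one to each of them.
# Assumptions: Windows 8+ (Mount-DiskImage), NTFS on $env:TEMP, hypothetical ISO path.
param(
    [string]$IsoPath = "$env:USERPROFILE\Downloads\invoice.iso"   # hypothetical sample file
)

# 1. The ISO itself carries the MOTW written by the browser or mail client on download.
#    Expected content on a downloaded file: "[ZoneTransfer]" followed by "ZoneId=3".
Write-Host "Zone.Identifier of the ISO:"
Get-Content -LiteralPath $IsoPath -Stream Zone.Identifier -ErrorAction SilentlyContinue

# 2. Mount the image and copy its contents to a working folder. Files on a mounted
#    ISO are read-only, so the alternate data stream can only be added to the copies.
$img    = Mount-DiskImage -ImagePath $IsoPath -PassThru
$letter = ($img | Get-Volume).DriveLetter
$work   = Join-Path $env:TEMP ('iso_' + [IO.Path]::GetFileNameWithoutExtension($IsoPath))
New-Item -ItemType Directory -Path $work -Force | Out-Null
Copy-Item -Path "${letter}:\*" -Destination $work -Recurse -Force
Dismount-DiskImage -ImagePath $IsoPath | Out-Null

# 3. Report the MOTW state of every extracted file and add the Internet-zone mark
#    where it is missing. ZoneId=3 is the Internet zone; ZoneId=4 would be Restricted.
$motw = "[ZoneTransfer]`r`nZoneId=3`r`n"
Get-ChildItem -LiteralPath $work -Recurse -File | ForEach-Object {
    $hadMotw = $null -ne (Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
    if (-not $hadMotw) {
        # Copies from an ISO usually keep the ReadOnly attribute; clear it before writing the ADS.
        if ($_.IsReadOnly) { $_.IsReadOnly = $false }
        Set-Content -LiteralPath $_.FullName -Stream Zone.Identifier -Value $motw -NoNewline
    }
    [pscustomobject]@{ File = $_.FullName; HadMotw = $hadMotw }
} | Format-Table -AutoSize
```

After the script has run, double-clicking the extracted EXE in Explorer triggers the SmartScreen check that was missing before, and Office opens the extracted documents in Protected View. Note that Unblock-File (or the "Unblock" checkbox in the file properties dialog) removes the stream again, which is the same state the files were in straight out of the ISO.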
RunBySmartscreen can be found on GitHub: AndyFul/Run-By-Smartscreen

We also have a dedicated thread on MT (post updated in May 2022): "PROGRAM INFO. The application can be used on Windows 8+. 'Run By Smartscreen' is a very simple idea to safely open/run new files via an option on the Explorer right-click context menu. 'Run By Smartscreen' can mark files with..."